Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

ekstre_pdf.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.104096350388749
Filename:	ekstre_pdf.exe
Filesize:	1231872
MD5:	3ca1479d77a23d47a2f01e8ef30a6365
SHA1:	3850b7445cbf81387f910ebe710d0dbdad33a91e
SHA256:	074170a0febc20013e9c8cade256a031be328cefc2838f8f6ed394b4caf05b5f
SHA512:	e0a6704d19c6afa7e77030d15ad731cb6711988a2814a8f8e9f65e9847d760df071b3d348dba1eb853fa4ec1cf53361a86507ad9b843271b25543ff0d17a60f8
SSDEEP:	24576:WAHnh+eWsN3skA4RV1Hom2KXMmHa+rttp28yuTdWJdV5:xh+ZkldoPK8YaIHQ8yKdCh
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection	Disable or Modify Tools
Binary is likely a compiled AutoIt script file	System Summary	Security Software Discovery
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools Security Software Discovery
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging	Disable or Modify Tools
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Native API Access Token Manipulation
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Process Discovery
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	Disable or Modify Tools
Contains functionality to read the PEB	Anti Debugging	Security Software Discovery
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection Disable or Modify Tools
Detected potential crypto function	System Summary	System Time Discovery Process Discovery Archive Collected Data
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
Found large amount of non-executed APIs	Malware Analysis System Evasion	System Time Discovery
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Disable or Modify Tools System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery System Shutdown/Reboot
Tries to load missing DLLs	System Summary	DLL Side-Loading Disable or Modify Tools
Uses 32bit PE files	Compliance, System Summary	Disable or Modify Tools
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information Security Software Discovery
Contains functionality for error logging	System Summary	Disable or Modify Tools
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to instantiate COM classes	System Summary	Security Software Discovery
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery Security Software Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Creates temporary files	System Summary	Security Software Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Disable or Modify Tools
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion	Disable or Modify Tools
Reads software policies	System Summary
Sample is known by Antivirus	System Summary	Disable or Modify Tools
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary	Disable or Modify Tools

C:\Users\user\AppData\Local\Temp\aut46DF.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut46DF.tmp
Category:	dropped
Dump:	aut46DF.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\ekstre_pdf.exe
Type:	data
Entropy:	7.859545735138241
Encrypted:	false
Ssdeep:	6144:Dvv83GFN62h4GeQk7absfrE2/rLYnecxuqBV9HA2beC:DsikGeoOrd/nNcxVHAgeC
Size:	272384
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\aut471E.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut471E.tmp
Category:	dropped
Dump:	aut471E.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\ekstre_pdf.exe
Type:	data
Entropy:	7.754551036884044
Encrypted:	false
Ssdeep:	192:jq8gxVivjhoBzzUUzhQ/IEixKjIpMNRDGHqpdPwEZBAK+GujbNaPfmkAshY4ElER:jYivlmzgUzhQ/IEiRpeSsdPr3SGujbN0
Size:	12130
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\aut5110.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut5110.tmp
Category:	dropped
Dump:	aut5110.tmp.3.dr
ID:	dr_4
Target ID:	3
Process:	C:\Users\user\Desktop\ekstre_pdf.exe
Type:	data
Entropy:	7.859545735138241
Encrypted:	false
Ssdeep:	6144:Dvv83GFN62h4GeQk7absfrE2/rLYnecxuqBV9HA2beC:DsikGeoOrd/nNcxVHAgeC
Size:	272384
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\aut5150.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut5150.tmp
Category:	dropped
Dump:	aut5150.tmp.3.dr
ID:	dr_5
Target ID:	3
Process:	C:\Users\user\Desktop\ekstre_pdf.exe
Type:	data
Entropy:	7.754551036884044
Encrypted:	false
Ssdeep:	192:jq8gxVivjhoBzzUUzhQ/IEixKjIpMNRDGHqpdPwEZBAK+GujbNaPfmkAshY4ElER:jYivlmzgUzhQ/IEiRpeSsdPr3SGujbN0
Size:	12130
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\extrorsal

Unicode text, UTF-8 text, with very long lines (29698), with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\extrorsal
Category:	dropped
Dump:	extrorsal.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\ekstre_pdf.exe
Type:	Unicode text, UTF-8 text, with very long lines (29698), with no line terminators
Entropy:	3.6790327326553753
Encrypted:	false
Ssdeep:	384:6nwQP4ZpI8iw6i8E12K+tMUj4Nze7H3/j65eiSB+um27LJVNx+cr1cicWa02QOr7:1iw601T+V4uPj659SBA27j91ktt4pDQ
Size:	64526
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\shrugged

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\shrugged
Category:	dropped
Dump:	shrugged.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\ekstre_pdf.exe
Type:	data
Entropy:	7.859545735138241
Encrypted:	false
Ssdeep:	6144:Dvv83GFN62h4GeQk7absfrE2/rLYnecxuqBV9HA2beC:DsikGeoOrd/nNcxVHAgeC
Size:	272384
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\ekstre_pdf.exe

Details

Is windows:	false
Is dropped:	false
PID:	7720
Target ID:	0
Parent PID:	3968
Name:	ekstre_pdf.exe
Path:	C:\Users\user\Desktop\ekstre_pdf.exe
Commandline:	C:\Users\user\Desktop\ekstre_pdf.exe
Size:	1231872
MD5:	3CA1479D77A23D47A2F01E8EF30A6365
Time:	14:38:09
Date:	18/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1d0000
Modulesize:	1257472
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Binary is likely a compiled AutoIt script file	System Summary
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Users\user\Desktop\ekstre_pdf.exe

Details

Is windows:	true
Is dropped:	false
PID:	7800
Target ID:	2
Parent PID:	7720
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	C:\Users\user\Desktop\ekstre_pdf.exe
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	14:38:11
Date:	18/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x3c0000
Modulesize:	57344
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\Desktop\ekstre_pdf.exe

Details

Is windows:	false
Is dropped:	false
PID:	7808
Target ID:	3
Parent PID:	7720
Name:	ekstre_pdf.exe
Path:	C:\Users\user\Desktop\ekstre_pdf.exe
Commandline:	C:\Users\user\Desktop\ekstre_pdf.exe
Size:	1231872
MD5:	3CA1479D77A23D47A2F01E8EF30A6365
Time:	14:38:11
Date:	18/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1d0000
Modulesize:	1257472
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Binary is likely a compiled AutoIt script file	System Summary
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Users\user\Desktop\ekstre_pdf.exe

Details

Is windows:	true
Is dropped:	false
PID:	7876
Target ID:	6
Parent PID:	7808
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	C:\Users\user\Desktop\ekstre_pdf.exe
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	14:38:14
Date:	18/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x710000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

https://api.ipify.org/

104.26.13.205

https://api.ipify.org

unknown

http://crl.pki.goog/gsr1/gsr1.crl0;

unknown

https://account.dyn.com/

unknown

http://crl.pki.goog/gtsr1/gtsr1.crl0W

unknown

http://pki.goog/gsr1/gsr1.crt02

unknown

https://pki.goog/repository/0

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://smtp.gmail.com

unknown

smtp.gmail.com

http://crls.pki.goog/gts1c3/fVJxbV-Ktmk.crl0

unknown

http://pki.goog/repo/certs/gts1c3.der0

unknown

http://pki.goog/repo/certs/gtsr1.der04

unknown

There are 3 hidden URLs, click here to show them.

Domains

Name

Malicious

api.ipify.org

104.26.13.205

Details

Name:	api.ipify.org
IP:	104.26.13.205
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

smtp.gmail.com

142.251.16.108

Details

Name:	smtp.gmail.com
IP:	142.251.16.108
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

104.26.13.205

api.ipify.org

United States

Details

IP:	104.26.13.205
TargetID:	6
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

142.251.16.108

smtp.gmail.com

United States

Details

IP:	142.251.16.108
TargetID:	6
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	15169
ASN name:	GOOGLEUS
Private:	false
Domain:	smtp.gmail.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2770000

heap

page read and write

5310000

trusted library section

page read and write

1990000

direct allocation

page read and write

17B0000

direct allocation

page read and write

5170000

trusted library section

page read and write

400000

system

page execute and read and write

2C7C000

trusted library allocation

page read and write

DE0000

heap

page read and write

58AE000

stack

page read and write

114E000

heap

page read and write

576C000

stack

page read and write

8AF9000

trusted library allocation

page read and write

691F000

stack

page read and write

C10000

heap

page read and write

3109000

trusted library allocation

page read and write

380E000

direct allocation

page read and write

19E0000

heap

page read and write

2CD5000

trusted library allocation

page read and write

285000

unkown

page readonly

BB6000

heap

page read and write

25F000

unkown

page readonly

E5F000

heap

page read and write

3670000

direct allocation

page read and write

28F000

unkown

page write copy

2C74000

trusted library allocation

page read and write

9B1E000

stack

page read and write

10DA000

heap

page read and write

C15000

heap

page read and write

701A000

heap

page read and write

379D000

direct allocation

page read and write

3670000

direct allocation

page read and write

2AF2000

trusted library allocation

page read and write

695E000

stack

page read and write

114E000

heap

page read and write

11BB000

heap

page read and write

379D000

direct allocation

page read and write

2880000

heap

page read and write

1258000

heap

page read and write

125A000

heap

page read and write

3670000

direct allocation

page read and write

2AD0000

trusted library allocation

page read and write

114E000

heap

page read and write

3202000

trusted library allocation

page read and write

10DD000

heap

page read and write

1249000

heap

page read and write

3E9E000

trusted library allocation

page read and write

2867000

heap

page read and write

6A00000

trusted library allocation

page read and write

3D39000

direct allocation

page read and write

64F0000

trusted library allocation

page read and write

1090000

heap

page read and write

2DD2000

trusted library allocation

page read and write

179000

stack

page read and write

3E5E000

trusted library allocation

page read and write

35F3000

direct allocation

page read and write

3D5D000

trusted library allocation

page read and write

3CF8000

trusted library allocation

page read and write

2F3E000

trusted library allocation

page read and write

3134000

trusted library allocation

page read and write

2ACE000

stack

page read and write

2C63000

trusted library allocation

page read and write

3CD000

stack

page read and write

25F000

unkown

page readonly

35F3000

direct allocation

page read and write

65DE000

stack

page read and write

9DB000

stack

page read and write

28BA000

trusted library allocation

page execute and read and write

BD6000

heap

page read and write

6F50000

trusted library allocation

page read and write

5216000

heap

page read and write

28AD000

trusted library allocation

page execute and read and write

2C68000

trusted library allocation

page read and write

3F1E000

trusted library allocation

page read and write

60AC000

stack

page read and write

2894000

trusted library allocation

page read and write

3CB5000

trusted library allocation

page read and write

711E000

stack

page read and write

3DFE000

trusted library allocation

page read and write

3136000

trusted library allocation

page read and write

363E000

stack

page read and write

69F0000

trusted library allocation

page execute and read and write

1269000

heap

page read and write

ADE000

heap

page read and write

379D000

direct allocation

page read and write

6620000

trusted library allocation

page execute and read and write

35F3000

direct allocation

page read and write

5370000

trusted library allocation

page read and write

1D1000

unkown

page execute read

103E000

stack

page read and write

315A000

trusted library allocation

page read and write

3D7D000

trusted library allocation

page read and write

2C70000

trusted library allocation

page read and write

3C10000

direct allocation

page read and write

5390000

heap

page read and write

2AE0000

trusted library allocation

page read and write

10EB000

heap

page read and write

2CE9000

trusted library allocation

page read and write

25F000

unkown

page readonly

1279000

heap

page read and write

34D0000

direct allocation

page read and write

648E000

stack

page read and write

16DF000

stack

page read and write

1780000

heap

page read and write

2A00000

heap

page read and write

3F83000

trusted library allocation

page read and write

A18000

heap

page read and write

2FE3000

trusted library allocation

page read and write

6B5C000

heap

page read and write

285000

unkown

page readonly

293000

unkown

page write copy

320C000

trusted library allocation

page read and write

8030000

heap

page read and write

34D0000

direct allocation

page read and write

320000

heap

page read and write

2B20000

heap

page execute and read and write

380E000

direct allocation

page read and write

69A0000

trusted library allocation

page read and write

298000

unkown

page readonly

3E1E000

trusted library allocation

page read and write

1D0000

unkown

page readonly

5200000

heap

page execute and read and write

3184000

heap

page read and write

35F3000

direct allocation

page read and write

3799000

direct allocation

page read and write

380E000

direct allocation

page read and write

5286000

heap

page read and write

BE7000

heap

page read and write

A4E000

heap

page read and write

34D0000

direct allocation

page read and write

285000

unkown

page readonly

3799000

direct allocation

page read and write

320A000

trusted library allocation

page read and write

3D3D000

trusted library allocation

page read and write

380E000

direct allocation

page read and write

293000

unkown

page write copy

4D2D000

stack

page read and write

C5C000

stack

page read and write

58B0000

trusted library allocation

page read and write

A9D000

heap

page read and write

64E0000

trusted library allocation

page execute and read and write

51D0000

trusted library allocation

page read and write

BB6000

heap

page read and write

31B1000

trusted library allocation

page read and write

29F0000

trusted library allocation

page read and write

1A90000

heap

page read and write

2FB8000

trusted library allocation

page read and write

17A0000

direct allocation

page execute and read and write

6A20000

heap

page read and write

5212000

heap

page read and write

5230000

heap

page read and write

E0D000

heap

page read and write

380E000

direct allocation

page read and write

B10000

heap

page read and write

379D000

direct allocation

page read and write

2CE5000

trusted library allocation

page read and write

3C95000

trusted library allocation

page read and write

6F0D000

stack

page read and write

64C0000

trusted library allocation

page read and write

679C000

unkown

page read and write

55CC000

stack

page read and write

28B2000

trusted library allocation

page read and write

379D000

direct allocation

page read and write

521E000

heap

page read and write

64F7000

trusted library allocation

page read and write

DB8000

heap

page read and write

127A000

heap

page read and write

2F13000

trusted library allocation

page read and write

572E000

stack

page read and write

7AA000

stack

page read and write

1800000

heap

page read and write

3799000

direct allocation

page read and write

28C2000

trusted library allocation

page read and write

3799000

direct allocation

page read and write

BE6000

heap

page read and write

ABE000

heap

page read and write

3D3D000

direct allocation

page read and write

28B6000

trusted library allocation

page execute and read and write

9DE000

stack

page read and write

3011000

trusted library allocation

page read and write

5273000

heap

page read and write

A10000

heap

page read and write

3009000

trusted library allocation

page read and write

634F000

stack

page read and write

1980000

direct allocation

page execute and read and write

A4E000

heap

page read and write

51E0000

trusted library allocation

page read and write

28B0000

trusted library allocation

page read and write

114E000

heap

page read and write

990000

heap

page read and write

114F000

heap

page read and write

1D0000

unkown

page readonly

D5C000

stack

page read and write

3FC3000

trusted library allocation

page read and write

8AF6000

trusted library allocation

page read and write

379D000

direct allocation

page read and write

28CB000

trusted library allocation

page execute and read and write

3D3D000

direct allocation

page read and write

3A70000

direct allocation

page read and write

2B01000

trusted library allocation

page read and write

2948000

trusted library allocation

page read and write

9FC000

stack

page read and write

3DAE000

direct allocation

page read and write

6B1F000

heap

page read and write

2930000

heap

page read and write

298000

unkown

page readonly

6F4B000

stack

page read and write

3F3E000

trusted library allocation

page read and write

285000

unkown

page readonly

638E000

stack

page read and write

64C4000

trusted library allocation

page read and write

6BA7000

heap

page read and write

7010000

heap

page read and write

3F63000

trusted library allocation

page read and write

289D000

trusted library allocation

page execute and read and write

2CE1000

trusted library allocation

page read and write

3670000

direct allocation

page read and write

2E1F000

trusted library allocation

page read and write

3799000

direct allocation

page read and write

ABE000

heap

page read and write

116E000

heap

page read and write

2B06000

trusted library allocation

page read and write

BF0000

heap

page read and write

BC6000

heap

page read and write

30B6000

trusted library allocation

page read and write

19E4000

heap

page read and write

2CAC000

trusted library allocation

page read and write

28C0000

trusted library allocation

page read and write

10D2000

heap

page read and write

69E0000

heap

page read and write

54CC000

stack

page read and write

35F3000

direct allocation

page read and write

1D1000

unkown

page execute read

29E0000

trusted library allocation

page execute and read and write

28A0000

trusted library allocation

page read and write

10DD000

heap

page read and write

3EFE000

trusted library allocation

page read and write

3C10000

direct allocation

page read and write

10A0000

heap

page read and write

FAC000

stack

page read and write

28F000

unkown

page read and write

653D000

stack

page read and write

2A04000

heap

page read and write

DA0000

trusted library section

page read and write

3EDE000

trusted library allocation

page read and write

3CCD000

trusted library allocation

page read and write

5210000

heap

page read and write

6AE0000

heap

page read and write

60C0000

trusted library allocation

page execute and read and write

689C000

stack

page read and write

3EBE000

trusted library allocation

page read and write

25F000

unkown

page readonly

9BF000

stack

page read and write

2AEE000

trusted library allocation

page read and write

6F60000

heap

page read and write

950000

heap

page read and write

2F64000

trusted library allocation

page read and write

ABE000

heap

page read and write

31DC000

trusted library allocation

page read and write

7EEC0000

trusted library allocation

page execute and read and write

3B93000

direct allocation

page read and write

DB0000

heap

page read and write

2893000

trusted library allocation

page execute and read and write

2EC6000

trusted library allocation

page read and write

2A7C000

stack

page read and write

2860000

heap

page read and write

3FE3000

trusted library allocation

page read and write

38E000

stack

page read and write

1D1000

unkown

page execute read

A41000

heap

page read and write

114E000

heap

page read and write

1259000

heap

page read and write

3065000

trusted library allocation

page read and write

2CF1000

trusted library allocation

page read and write

3A70000

direct allocation

page read and write

624E000

stack

page read and write

112C000

heap

page read and write

3E7E000

trusted library allocation

page read and write

298000

unkown

page readonly

313A000

trusted library allocation

page read and write

5FAC000

stack

page read and write

DEC000

heap

page read and write

D9C000

stack

page read and write

8020000

heap

page read and write

292E000

stack

page read and write

2B0D000

trusted library allocation

page read and write

2F6C000

trusted library allocation

page read and write

5F6C000

stack

page read and write

9E0000

heap

page read and write

2850000

trusted library section

page read and write

1D0000

unkown

page readonly

3017000

trusted library allocation

page read and write

3180000

heap

page read and write

3E62000

trusted library allocation

page read and write

BC5000

heap

page read and write

6540000

trusted library allocation

page read and write

A4E000

heap

page read and write

2FF0000

trusted library allocation

page read and write

562E000

stack

page read and write

28F000

unkown

page write copy

446000

system

page execute and read and write

ABE000

heap

page read and write

BC7000

heap

page read and write

FFC000

stack

page read and write

10D3000

heap

page read and write

3DDE000

trusted library allocation

page read and write

2A30000

heap

page read and write

2A10000

heap

page read and write

3E3E000

trusted library allocation

page read and write

34D0000

direct allocation

page read and write

35F3000

direct allocation

page read and write

1D0000

unkown

page readonly

12DD000

stack

page read and write

3670000

direct allocation

page read and write

8AFE000

trusted library allocation

page read and write

2C78000

trusted library allocation

page read and write

3FA3000

trusted library allocation

page read and write

28C7000

trusted library allocation

page execute and read and write

2FE5000

trusted library allocation

page read and write

AF8000

stack

page read and write

FCF000

stack

page read and write

6546000

trusted library allocation

page read and write

1249000

heap

page read and write

2890000

trusted library allocation

page read and write

34D0000

direct allocation

page read and write

3799000

direct allocation

page read and write

60B0000

heap

page read and write

3670000

direct allocation

page read and write

6E0C000

stack

page read and write

330000

heap

page read and write

2AEB000

trusted library allocation

page read and write

114E000

heap

page read and write

28A3000

trusted library allocation

page read and write

3B93000

direct allocation

page read and write

6B63000

heap

page read and write

57AE000

unkown

page read and write

DE9000

heap

page read and write

34D0000

direct allocation

page read and write

3C75000

trusted library allocation

page read and write

68DE000

stack

page read and write

919000

stack

page read and write

5302000

heap

page read and write

2C2F000

stack

page read and write

3DAE000

direct allocation

page read and write

10DA000

heap

page read and write

7120000

trusted library allocation

page read and write

3C55000

trusted library allocation

page read and write

58BD000

trusted library allocation

page read and write

10A8000

heap

page read and write

196F000

stack

page read and write

ABF000

heap

page read and write

BC6000

heap

page read and write

3090000

trusted library allocation

page read and write

28C5000

trusted library allocation

page execute and read and write

BE7000

heap

page read and write

28E0000

trusted library allocation

page read and write

9CE000

stack

page read and write

1D1000

unkown

page execute read

2CED000

trusted library allocation

page read and write

64D0000

trusted library allocation

page read and write

2DB1000

trusted library allocation

page read and write

BE7000

heap

page read and write

28F000

unkown

page read and write

2AFE000

trusted library allocation

page read and write

ABE000

heap

page read and write

FBF000

stack

page read and write

120D000

heap

page read and write

516E000

stack

page read and write

FDB000

stack

page read and write

E26000

heap

page read and write

3DBD000

trusted library allocation

page read and write

298000

unkown

page readonly

3D9D000

trusted library allocation

page read and write

6F70000

trusted library allocation

page read and write

2870000

trusted library allocation

page read and write

E17000

heap

page read and write

340000

heap

page read and write

2E6B000

trusted library allocation

page read and write

127A000

heap

page read and write

B2B000

heap

page read and write

3C31000

trusted library allocation

page read and write

2C31000

trusted library allocation

page read and write

69B0000

trusted library allocation

page read and write

521A000

heap

page read and write

3D39000

direct allocation

page read and write

380E000

direct allocation

page read and write

BE7000

heap

page read and write

2A36000

heap

page read and write

There are 377 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
ekstre_pdf.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportekstre_pdf.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
ekstre_pdf.exe