Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Stealer.exe

"C:\Users\user\Desktop\Stealer.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2308
Target ID:	0
Parent PID:	1244
Name:	Stealer.exe
Path:	C:\Users\user\Desktop\Stealer.exe
Commandline:	"C:\Users\user\Desktop\Stealer.exe"
Size:	344064
MD5:	495F88115EABED181E30727F2D2363D3
Time:	10:30:44
Date:	29/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xad0000
Modulesize:	368640
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Sigma detected: Capture Wi-Fi password	Stealing of Sensitive Information
Yara detected Eternity Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

Details

Is windows:	true
Is dropped:	false
PID:	2436
Target ID:	2
Parent PID:	2308
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Size:	345088
MD5:	5746BD7E255DD6A8AFA06F7C42C1BA41
Time:	10:30:46
Date:	29/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x4a570000
Modulesize:	364544
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Capture Wi-Fi password	Stealing of Sensitive Information
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Tries to harvest and steal WLAN passwords	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\netsh.exe

netsh wlan show profile

Details

Is windows:	true
Is dropped:	false
PID:	2300
Target ID:	5
Parent PID:	2436
Name:	netsh.exe
Path:	C:\Windows\System32\netsh.exe
Commandline:	netsh wlan show profile
Size:	87040
MD5:	637982A421D0133DCEAA0D1490D1DC9C
Time:	10:30:46
Date:	29/03/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x1720000
Modulesize:	131072
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to harvest and steal WLAN passwords	Stealing of Sensitive Information
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\user\Desktop\Stealer.exe"

Details

Is windows:	true
Is dropped:	false
PID:	1948
Target ID:	7
Parent PID:	2308
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\user\Desktop\Stealer.exe"
Size:	345088
MD5:	5746BD7E255DD6A8AFA06F7C42C1BA41
Time:	10:31:46
Date:	29/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x4a0b0000
Modulesize:	364544
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Capture Wi-Fi password	Stealing of Sensitive Information
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Tries to harvest and steal WLAN passwords	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\PING.EXE

ping 127.0.0.1

Details

Is windows:	true
Is dropped:	false
PID:	2636
Target ID:	10
Parent PID:	1948
Name:	PING.EXE
Class:	system-tools
Path:	C:\Windows\System32\PING.EXE
Commandline:	ping 127.0.0.1
Size:	16896
MD5:	5FB30FE90736C7FC77DE637021B1CE7C
Time:	10:31:46
Date:	29/03/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xff1e0000
Modulesize:	36864
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Uses ping.exe to check the status of other devices and networks	Networking	System Network Configuration Discovery Remote System Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\chcp.com

chcp 65001

Details

Is windows:	true
Is dropped:	false
PID:	628
Target ID:	4
Parent PID:	2436
Name:	chcp.com
Path:	C:\Windows\System32\chcp.com
Commandline:	chcp 65001
Size:	12800
MD5:	0C8C209151A45A4D7774E89C2F4079AA
Time:	10:30:46
Date:	29/03/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xff240000
Modulesize:	28672
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\findstr.exe

findstr All

Details

Is windows:	true
Is dropped:	false
PID:	2496
Target ID:	6
Parent PID:	2436
Name:	findstr.exe
Class:	system-tools
Path:	C:\Windows\System32\findstr.exe
Commandline:	findstr All
Size:	71168
MD5:	6A2E9BBD516D064C925A9634A5632854
Time:	10:30:46
Date:	29/03/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xffad0000
Modulesize:	90112
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\chcp.com

chcp 65001

Details

Is windows:	true
Is dropped:	false
PID:	1912
Target ID:	9
Parent PID:	1948
Name:	chcp.com
Path:	C:\Windows\System32\chcp.com
Commandline:	chcp 65001
Size:	12800
MD5:	0C8C209151A45A4D7774E89C2F4079AA
Time:	10:31:46
Date:	29/03/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xff780000
Modulesize:	28672
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion/stld/4c9395d28d054ddebee26b2aa

unknown

https://duckduckgo.com/chrome_newtab

unknown

https://duckduckgo.com/ac/?q=

unknown

http://crl.entrust.net/server1.crl0

unknown

https://web.telegram.org

unknown

http://pastebin.comp

unknown

http://ocsp.entrust.net03

unknown

http://ip-api.com/json

208.95.112.1

https://pastebin.com/raw/X2Ddjiv0p

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://support.google.com/chrome/?p=plugin_flash

unknown

http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0

unknown

http://www.diginotar.nl/cps/pkioverheid0

unknown

https://pastebin.com/raw/X2Ddjiv0

172.67.34.170

https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search

unknown

https://t.me/tor_proxiesp

unknown

https://github.com/L1ghtM4n/TorProxy/blob/main/LIB/Tor.zip?raw=true

unknown

https://www.google.com/favicon.ico

unknown

https://cdn5.cdn-telegram.org/file/urI_EKpgc2j3bnVEG7hJPiftbxwqp29Csge9PUwai_V9SyHDH8vYkc30DN237hWwA

unknown

https://pastebin.com/raw/cription

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

http://crl.pkioverheid.nl/DomOvLatestCRL.crl0

unknown

http://ip-api.com

unknown

https://pastebin.com/raw/

unknown

https://t.me

unknown

http://t.mep

unknown

https://t.me/tor_proxies

149.154.167.99

http://ocsp.entrust.net0D

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://secure.comodo.com/CPS0

unknown

http://pastebin.com

unknown

http://t.me

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

https://pastebin.com

unknown

http://crl.entrust.net/2048ca.crl0

unknown

https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

There are 26 hidden URLs, click here to show them.

Domains

Name

Malicious

t.me

149.154.167.99

Details

Name:	t.me
IP:	149.154.167.99
TargetID:	0
Current Path:	C:\Users\user\Desktop\Stealer.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	0
Current Path:	C:\Users\user\Desktop\Stealer.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs	System Summary
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

pastebin.com

172.67.34.170

Details

Name:	pastebin.com
IP:	172.67.34.170
TargetID:	0
Current Path:	C:\Users\user\Desktop\Stealer.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Connects to a pastebin service (likely for C&C)	Networking	Web Service
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

127.0.0.1

unknown

Details

IP:	127.0.0.1
TargetID:	10
Current Path:	C:\Windows\System32\PING.EXE
Private:	true

Signature Hits	Behavior Group	Mitre Attack
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Uses ping.exe to check the status of other devices and networks	Networking	System Network Configuration Discovery Remote System Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

208.95.112.1

ip-api.com

United States

172.67.34.170

pastebin.com

United States

Details

IP:	172.67.34.170
TargetID:	0
Current Path:	C:\Users\user\Desktop\Stealer.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	pastebin.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

149.154.167.99

t.me

United Kingdom

Details

IP:	149.154.167.99
TargetID:	0
Current Path:	C:\Users\user\Desktop\Stealer.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	t.me

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

188.166.166.142

unknown

Netherlands

Details

IP:	188.166.166.142
TargetID:	0
Current Path:	C:\Users\user\Desktop\Stealer.exe
Country:	Netherlands
Countrycode:	NLD
ASN number:	14061
ASN name:	DIGITALOCEAN-ASNUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C

Blob

HKEY_CURRENT_USER\Software\axgibcedgg

jiywzd

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stealer_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stealer_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stealer_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stealer_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stealer_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stealer_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stealer_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stealer_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stealer_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stealer_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stealer_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stealer_RASMANCS

FileDirectory

There are 10 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

AD2000

unkown

page execute read

395000

heap

page read and write

1B6CE000

stack

page read and write

2253000

trusted library allocation

page read and write

1A8AA000

stack

page read and write

AD0000

unkown

page readonly

1A79F000

stack

page read and write

38D000

heap

page read and write

21AF000

stack

page read and write

2256000

trusted library allocation

page read and write

23B5000

trusted library allocation

page read and write

23AD000

trusted library allocation

page read and write

5B6000

heap

page read and write

22C6000

trusted library allocation

page read and write

7FE93D80000

trusted library allocation

page execute and read and write

1C670000

heap

page read and write

B26000

unkown

page readonly

200000

heap

page read and write

7FE93E60000

trusted library allocation

page read and write

1FC000

stack

page read and write

230000

trusted library allocation

page read and write

A4000

heap

page read and write

23CA000

trusted library allocation

page read and write

1BFDF000

heap

page read and write

227A000

trusted library allocation

page read and write

244A000

trusted library allocation

page read and write

12225000

trusted library allocation

page read and write

3C0000

heap

page read and write

1C67E000

heap

page read and write

22D1000

trusted library allocation

page read and write

2F0000

heap

page read and write

1CA5E000

stack

page read and write

2241000

trusted library allocation

page read and write

7FE93C8B000

trusted library allocation

page execute and read and write

350000

heap

page read and write

1225C000

trusted library allocation

page read and write

22CD000

trusted library allocation

page read and write

10000

heap

page read and write

7FE93D10000

trusted library allocation

page read and write

300000

trusted library section

page read and write

336000

heap

page read and write

7FE93C63000

trusted library allocation

page execute and read and write

7FFFFF00000

trusted library allocation

page execute and read and write

22C8000

trusted library allocation

page read and write

AF000

heap

page read and write

20000

heap

page read and write

7FE93C64000

trusted library allocation

page read and write

7FE93E00000

trusted library allocation

page read and write

7FE93E70000

trusted library allocation

page read and write

3D6000

heap

page read and write

357000

heap

page read and write

3C4000

heap

page read and write

2277000

trusted library allocation

page read and write

2439000

trusted library allocation

page read and write

7FE93E50000

trusted library allocation

page execute and read and write

A0000

heap

page read and write

7FE93D46000

trusted library allocation

page execute and read and write

7FE93E19000

trusted library allocation

page read and write

1C220000

heap

page read and write

327000

heap

page read and write

22D3000

trusted library allocation

page read and write

222A000

trusted library allocation

page read and write

207000

heap

page read and write

320000

heap

page read and write

12205000

trusted library allocation

page read and write

7FE93C60000

trusted library allocation

page read and write

23F9000

trusted library allocation

page read and write

2F4000

heap

page read and write

1B54E000

stack

page read and write

7FE93E10000

trusted library allocation

page read and write

1A5C8000

heap

page read and write

1BFBB000

heap

page read and write

7FE93E40000

trusted library allocation

page read and write

1B88E000

stack

page read and write

1A554000

heap

page read and write

1BF1B000

heap

page read and write

23E000

heap

page read and write

121ED000

trusted library allocation

page read and write

224D000

trusted library allocation

page read and write

2466000

trusted library allocation

page read and write

1A6A0000

heap

page read and write

1B9FF000

stack

page read and write

1F50000

heap

page execute and read and write

7FE93C73000

trusted library allocation

page read and write

22C4000

trusted library allocation

page read and write

245A000

trusted library allocation

page read and write

1A1E0000

trusted library allocation

page read and write

7FE93C6D000

trusted library allocation

page execute and read and write

2250000

trusted library allocation

page read and write

38E000

heap

page read and write

1C225000

heap

page read and write

1BF59000

heap

page read and write

2435000

trusted library allocation

page read and write

121B1000

trusted library allocation

page read and write

247000

heap

page read and write

314000

heap

page read and write

1AD8F000

stack

page read and write

1C59F000

stack

page read and write

7FE93E1D000

trusted library allocation

page read and write

10000

heap

page read and write

223B000

trusted library allocation

page read and write

374000

heap

page read and write

1BFEA000

heap

page read and write

2262000

trusted library allocation

page read and write

7FE93C7D000

trusted library allocation

page execute and read and write

20000

heap

page read and write

1A5E3000

heap

page read and write

1BFD2000

heap

page read and write

3D0000

heap

page read and write

1ADDF000

stack

page read and write

1BFA6000

heap

page read and write

7FE93D20000

trusted library allocation

page execute and read and write

2270000

trusted library allocation

page read and write

121BD000

trusted library allocation

page read and write

2468000

trusted library allocation

page read and write

1BF10000

heap

page read and write

7FE93D16000

trusted library allocation

page read and write

1C90E000

stack

page read and write

22CA000

trusted library allocation

page read and write

1234D000

trusted library allocation

page read and write

7FE93C84000

trusted library allocation

page read and write

23BB000

trusted library allocation

page read and write

20000

heap

page read and write

7FE93E20000

trusted library allocation

page execute and read and write

4A0000

heap

page read and write

240000

heap

page execute and read and write

1BF43000

heap

page read and write

23BD000

trusted library allocation

page read and write

236000

heap

page read and write

227C000

trusted library allocation

page read and write

398000

heap

page read and write

1D0000

heap

page read and write

1C7EE000

stack

page read and write

7FE93D1C000

trusted library allocation

page execute and read and write

1A530000

heap

page read and write

1BFE5000

heap

page read and write

1B30D000

stack

page read and write

35D000

heap

page read and write

23CE000

trusted library allocation

page read and write

38F000

heap

page read and write

3A2000

heap

page read and write

121E3000

trusted library allocation

page read and write

580000

heap

page read and write

10000

heap

page read and write

1BC30000

heap

page read and write

3A0000

heap

page read and write

23C6000

trusted library allocation

page read and write

1A3000

stack

page read and write

406000

heap

page read and write

1A5EC000

heap

page read and write

1B360000

heap

page read and write

AD0000

unkown

page readonly

1BF33000

heap

page read and write

1C3ED000

stack

page read and write

1C25B000

heap

page read and write

20E000

heap

page read and write

1AF2F000

stack

page read and write

1A5D7000

heap

page read and write

1FF0000

heap

page read and write

7FE93E30000

trusted library allocation

page read and write

90000

trusted library allocation

page read and write

10000

heap

page read and write

200000

heap

page read and write

39D000

heap

page read and write

7FE93C8D000

trusted library allocation

page execute and read and write

EC000

stack

page read and write

1D7000

heap

page read and write

23F7000

trusted library allocation

page read and write

7FE93C80000

trusted library allocation

page read and write

1BF31000

heap

page read and write

300000

heap

page read and write

1BB2D000

stack

page read and write

1BFA8000

heap

page read and write

310000

heap

page read and write

7FE93C62000

trusted library allocation

page read and write

21B1000

trusted library allocation

page read and write

4A4000

heap

page read and write

222D000

trusted library allocation

page read and write

7FE93CBC000

trusted library allocation

page execute and read and write

BC000

stack

page read and write

There are 170 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Stealer.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportStealer.exe

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Stealer.exe