Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

tems.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.937698830916027
Filename:	tems.exe
Filesize:	1038336
MD5:	6b3fa7db5c683ef540f54032a6e66969
SHA1:	7f67b47a196163d7c4a5827c944fb8b45e30aef0
SHA256:	71aebecb72a2f1da69501437a4f77de95eac842a4439df68e66bf2a792c0d5d6
SHA512:	cefcd47718bfba0ab57d7c50900704da19ae2433afdfe662269cc8b60f5ca170be737594a21c3f40aaa59b978f3a25c48bd5e8e25e9e21d8f46df386b5a859ee
SSDEEP:	24576:WAHnh+eWsN3skA4RV1Hom2KXMmHaxtIq2mAbVfMA+Xw5:xh+ZkldoPK8Yax6mEfMVG
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection	Exploitation for Privilege Escalation
Multi AV Scanner detection for submitted file	AV Detection
Binary is likely a compiled AutoIt script file	System Summary	Security Software Discovery
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Masquerading
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Native API Access Token Manipulation
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Process Discovery Clipboard Data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion	Masquerading
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Process Discovery Encrypted Channel
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found evasive API chain (date check)	Malware Analysis System Evasion
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Sample file is different than original file name gathered from version info	System Summary	System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
Contains functionality for error logging	System Summary
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to download additional files from the internet	Networking
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newfile.exe.log

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newfile.exe.log
Category:	modified
Dump:	newfile.exe.log.2.dr
ID:	dr_6
Target ID:	2
Process:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.090621108356562
Encrypted:	false
Ssdeep:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
Size:	142
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\autA2F3.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\autA2F3.tmp
Category:	dropped
Dump:	autA2F3.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\tems.exe
Type:	data
Entropy:	7.927153672917626
Encrypted:	false
Ssdeep:	3072:cvPt+A7aT+kBDk8Xo0E2bIsa8W4Gsv6gyVQmhIT4ctWe+G:QPt+3bxks1W4Jijd+4GOG
Size:	153546
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\autA352.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\autA352.tmp
Category:	dropped
Dump:	autA352.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\tems.exe
Type:	data
Entropy:	7.594160761497105
Encrypted:	false
Ssdeep:	192:yS5jnkklrTefgLGckXr+msAeRFyF7d8ionhQ0qu+Ur94tD8mhMa6DYfzFNIT:xnI0a+moyF7C1hQPu+Ur6tthyENg
Size:	9920
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\isochronally

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\isochronally
Category:	dropped
Dump:	isochronally.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\tems.exe
Type:	data
Entropy:	6.654557029361414
Encrypted:	false
Ssdeep:	6144:P84+DRNlHf0ddf26LFP5Kll0pP8nS+SmAnZit8JeABBvlMP+26Upf26tSjrmI3UN:k4+DRNlHf0ddf26LZ5Kll0pPx+SmR8Js
Size:	244736
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\unhelpable

ASCII text, with very long lines (29738), with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\unhelpable
Category:	dropped
Dump:	unhelpable.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\tems.exe
Type:	ASCII text, with very long lines (29738), with no line terminators
Entropy:	3.5491527073872167
Encrypted:	false
Ssdeep:	768:DiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNb2E+Ip6Cr4vfF3if6gy0:DiTZ+2QoioGRk6ZklputwjpjBkCiw2R7
Size:	29738
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\newfile\newfile.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
Category:	dropped
Dump:	newfile.exe.1.dr
ID:	dr_4
Target ID:	1
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.16795797263964
Encrypted:	false
Ssdeep:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
Size:	45984
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses Microsoft Silverlight	System Summary

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.5.dr
ID:	dr_7
Target ID:	5
Process:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.442398121585593
Encrypted:	false
Ssdeep:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
Size:	1141
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\tems.exe

"C:\Users\user\Desktop\tems.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7320
Target ID:	0
Parent PID:	2580
Name:	tems.exe
Path:	C:\Users\user\Desktop\tems.exe
Commandline:	"C:\Users\user\Desktop\tems.exe"
Size:	1038336
MD5:	6B3FA7DB5C683EF540F54032A6E66969
Time:	17:21:59
Date:	19/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd00000
Modulesize:	1064960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Binary is likely a compiled AutoIt script file	System Summary
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\tems.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7336
Target ID:	1
Parent PID:	7320
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\tems.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	17:22:00
Date:	19/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x5a0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\newfile\newfile.exe

"C:\Users\user\AppData\Roaming\newfile\newfile.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7508
Target ID:	2
Parent PID:	2580
Name:	newfile.exe
Path:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
Commandline:	"C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	17:22:13
Date:	19/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x250000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Roaming\newfile\newfile.exe

"C:\Users\user\AppData\Roaming\newfile\newfile.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7860
Target ID:	5
Parent PID:	2580
Name:	newfile.exe
Path:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
Commandline:	"C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	17:22:21
Date:	19/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x800000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7524
Target ID:	3
Parent PID:	7508
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	17:22:14
Date:	19/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7868
Target ID:	6
Parent PID:	7860
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	17:22:21
Date:	19/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://mail.cash4cars.nz

unknown

http://ip-api.com/line/?fields=hostinggv

unknown

Details

Name:	http://ip-api.com/line/?fields=hostinggv
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.2936705010.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\tems.exe
Source:	tems.exe, 00000000.00000002.1689610512.0000000001690000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2936459456.0000000000402000.00000040.80000000.00040000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.2937483921.0000000002891000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://ip-api.com/line/?fields=hosting

208.95.112.1

Details

Name:	http://ip-api.com/line/?fields=hosting
IP:	208.95.112.1
TargetID:	1
From Memory:	false
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking

http://ip-api.com

unknown

Details

Name:	http://ip-api.com
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.2937483921.0000000002891000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

mail.cash4cars.nz

114.142.162.17

Details

Name:	mail.cash4cars.nz
IP:	114.142.162.17
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
URLs found in memory or binary data	Networking

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Check if machine is in data center or colocation facility	Malware Analysis System Evasion	Security Software Discovery
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

114.142.162.17

mail.cash4cars.nz

Australia

Details

IP:	114.142.162.17
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	Australia
Countrycode:	AUS
ASN number:	133525
ASN name:	SERVERMULE-AS-APNimbus2PtyLtdAU
Private:	false
Domain:	mail.cash4cars.nz

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

208.95.112.1

ip-api.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

newfile

There are 6 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

28C1000

trusted library allocation

page read and write

402000

system

page execute and read and write

1690000

direct allocation

page read and write

28EC000

trusted library allocation

page read and write

4F53000

heap

page read and write

89C000

stack

page read and write

DC0000

trusted library allocation

page read and write

715000

heap

page read and write

4B5E000

stack

page read and write

5BC0000

heap

page read and write

38B9000

trusted library allocation

page read and write

4D91000

trusted library allocation

page read and write

3F40000

direct allocation

page read and write

3BA1000

trusted library allocation

page read and write

6140000

trusted library allocation

page read and write

4209000

direct allocation

page read and write

1680000

direct allocation

page execute and read and write

FFF000

stack

page read and write

4F40000

heap

page read and write

80B000

heap

page read and write

1120000

trusted library allocation

page read and write

15DB000

stack

page read and write

CB1000

heap

page read and write

5BE9000

heap

page read and write

34E1000

trusted library allocation

page read and write

6F0000

trusted library allocation

page read and write

4F50000

heap

page read and write

420D000

direct allocation

page read and write

400000

system

page execute and read and write

1772000

heap

page read and write

15CE000

stack

page read and write

E36000

heap

page read and write

2891000

trusted library allocation

page read and write

3F40000

direct allocation

page read and write

243E000

stack

page read and write

4063000

direct allocation

page read and write

28FE000

trusted library allocation

page read and write

6260000

trusted library allocation

page read and write

C6E000

heap

page read and write

2A90000

heap

page execute and read and write

1717000

heap

page read and write

4E20000

heap

page read and write

420D000

direct allocation

page read and write

72D000

trusted library allocation

page execute and read and write

1778000

heap

page read and write

1743000

heap

page read and write

DC3000

unkown

page write copy

4B9E000

stack

page read and write

1743000

heap

page read and write

1772000

heap

page read and write

D8F000

unkown

page readonly

2EC000

stack

page read and write

747000

trusted library allocation

page execute and read and write

CF0000

heap

page read and write

51FE000

stack

page read and write

4209000

direct allocation

page read and write

118E000

stack

page read and write

52DE000

stack

page read and write

DBF000

unkown

page write copy

4A1F000

stack

page read and write

6020000

trusted library allocation

page read and write

4D7E000

trusted library allocation

page read and write

C50000

heap

page read and write

D01000

unkown

page execute read

2850000

trusted library allocation

page read and write

E24000

heap

page read and write

C7A000

heap

page read and write

15FC000

stack

page read and write

174D000

heap

page read and write

FE0000

heap

page read and write

16F0000

heap

page read and write

69E000

stack

page read and write

4A2D000

stack

page read and write

112B000

trusted library allocation

page execute and read and write

174D000

heap

page read and write

54BE000

stack

page read and write

CF0000

heap

page read and write

40E0000

direct allocation

page read and write

6007000

trusted library allocation

page read and write

17D1000

heap

page read and write

1772000

heap

page read and write

3F40000

direct allocation

page read and write

B80000

trusted library allocation

page execute and read and write

7B0000

trusted library allocation

page execute and read and write

427E000

direct allocation

page read and write

505C000

stack

page read and write

D01000

unkown

page execute read

174D000

heap

page read and write

D8D000

trusted library allocation

page execute and read and write

174D000

heap

page read and write

DAB000

trusted library allocation

page execute and read and write

26EE000

stack

page read and write

29FE000

trusted library allocation

page read and write

609D000

stack

page read and write

620F000

stack

page read and write

D70000

trusted library allocation

page read and write

1723000

heap

page read and write

E00000

heap

page read and write

4D96000

trusted library allocation

page read and write

5010000

trusted library allocation

page execute and read and write

4063000

direct allocation

page read and write

F00000

heap

page read and write

849000

heap

page read and write

1786000

heap

page read and write

1733000

heap

page read and write

DD0000

trusted library allocation

page read and write

4D8E000

trusted library allocation

page read and write

CAF000

heap

page read and write

24E1000

trusted library allocation

page read and write

247C000

stack

page read and write

4063000

direct allocation

page read and write

4209000

direct allocation

page read and write

420D000

direct allocation

page read and write

DA0000

heap

page read and write

83A000

stack

page read and write

1772000

heap

page read and write

4DFC000

stack

page read and write

252000

unkown

page readonly

9A0000

heap

page read and write

1772000

heap

page read and write

D7D000

trusted library allocation

page execute and read and write

24D0000

heap

page execute and read and write

AAF000

stack

page read and write

CAD000

heap

page read and write

C00000

heap

page read and write

17C1000

heap

page read and write

1717000

heap

page read and write

1104000

trusted library allocation

page read and write

D2A000

heap

page read and write

4209000

direct allocation

page read and write

6000000

trusted library allocation

page read and write

420D000

direct allocation

page read and write

427E000

direct allocation

page read and write

40E0000

direct allocation

page read and write

6A0000

heap

page read and write

603D000

trusted library allocation

page read and write

22EF000

stack

page read and write

D92000

trusted library allocation

page read and write

7C0000

heap

page read and write

4DA2000

trusted library allocation

page read and write

B60000

trusted library allocation

page read and write

2870000

trusted library allocation

page read and write

2BA1000

trusted library allocation

page read and write

1778000

heap

page read and write

C85000

heap

page read and write

AE5000

heap

page read and write

D8F000

unkown

page readonly

D00000

unkown

page readonly

40E0000

direct allocation

page read and write

4D8A000

trusted library allocation

page read and write

4D0E000

stack

page read and write

4C9E000

stack

page read and write

1789000

heap

page read and write

531E000

stack

page read and write

174E000

heap

page read and write

4063000

direct allocation

page read and write

710000

heap

page read and write

D9A000

trusted library allocation

page execute and read and write

DED000

trusted library allocation

page execute and read and write

4D82000

trusted library allocation

page read and write

3F40000

direct allocation

page read and write

AD0000

heap

page read and write

AE0000

heap

page read and write

4209000

direct allocation

page read and write

D00000

unkown

page readonly

45DE000

stack

page read and write

E06000

heap

page read and write

4D70000

trusted library allocation

page read and write

27EF000

stack

page read and write

4D7B000

trusted library allocation

page read and write

1100000

trusted library allocation

page read and write

7E0000

heap

page read and write

52FF000

stack

page read and write

DB5000

unkown

page readonly

6170000

trusted library allocation

page execute and read and write

40E0000

direct allocation

page read and write

4C00000

heap

page execute and read and write

1EEE000

stack

page read and write

2880000

heap

page read and write

C88000

heap

page read and write

427E000

direct allocation

page read and write

17D1000

heap

page read and write

D90000

trusted library allocation

page read and write

6D0000

heap

page read and write

DC8000

unkown

page readonly

5C32000

heap

page read and write

AC0000

heap

page read and write

6250000

heap

page read and write

40E0000

direct allocation

page read and write

16F8000

heap

page read and write

CBB000

heap

page read and write

D73000

trusted library allocation

page execute and read and write

99A000

stack

page read and write

D1E000

stack

page read and write

B50000

heap

page read and write

3F40000

direct allocation

page read and write

1140000

trusted library allocation

page read and write

17D1000

heap

page read and write

D55000

heap

page read and write

DA2000

trusted library allocation

page read and write

804000

heap

page read and write

509E000

stack

page read and write

DB5000

unkown

page readonly

1772000

heap

page read and write

298C000

stack

page read and write

519F000

stack

page read and write

54FE000

stack

page read and write

427E000

direct allocation

page read and write

4E10000

heap

page execute and read and write

1772000

heap

page read and write

4063000

direct allocation

page read and write

2450000

heap

page read and write

541E000

stack

page read and write

70D000

trusted library allocation

page execute and read and write

7F150000

trusted library allocation

page execute and read and write

17B8000

heap

page read and write

6050000

trusted library allocation

page execute and read and write

5500000

trusted library allocation

page read and write

1772000

heap

page read and write

28F4000

trusted library allocation

page read and write

17C1000

heap

page read and write

2830000

trusted library allocation

page read and write

66F0000

trusted library allocation

page execute and read and write

1724000

heap

page read and write

4209000

direct allocation

page read and write

D60000

trusted library allocation

page read and write

939000

stack

page read and write

6023000

trusted library allocation

page read and write

4898000

trusted library allocation

page read and write

7AE000

stack

page read and write

1722000

heap

page read and write

74B000

trusted library allocation

page execute and read and write

6770000

heap

page read and write

1748000

heap

page read and write

29A0000

trusted library allocation

page read and write

1732000

heap

page read and write

1732000

heap

page read and write

533E000

stack

page read and write

1778000

heap

page read and write

FD0000

heap

page read and write

DA5000

trusted library allocation

page execute and read and write

2840000

trusted library allocation

page read and write

25A000

unkown

page readonly

E52000

heap

page read and write

420D000

direct allocation

page read and write

40E0000

direct allocation

page read and write

174D000

heap

page read and write

D80000

trusted library allocation

page read and write

724000

trusted library allocation

page read and write

5FFE000

stack

page read and write

17C8000

heap

page read and write

E66000

heap

page read and write

1772000

heap

page read and write

17A2000

heap

page read and write

B70000

trusted library allocation

page read and write

174D000

heap

page read and write

DBF000

unkown

page read and write

282C000

stack

page read and write

DF0000

heap

page read and write

50BE000

stack

page read and write

4B1E000

stack

page read and write

10FF000

stack

page read and write

2860000

heap

page execute and read and write

650000

heap

page read and write

51DE000

stack

page read and write

427E000

direct allocation

page read and write

6010000

trusted library allocation

page read and write

1733000

heap

page read and write

5EFF000

stack

page read and write

5C1C000

heap

page read and write

543F000

stack

page read and write

5000000

heap

page execute and read and write

6033000

trusted library allocation

page read and write

4F0E000

stack

page read and write

28EA000

trusted library allocation

page read and write

4D76000

trusted library allocation

page read and write

51BE000

stack

page read and write

DF0000

trusted library allocation

page execute and read and write

D96000

trusted library allocation

page execute and read and write

1190000

trusted library allocation

page execute and read and write

2990000

trusted library allocation

page read and write

703000

trusted library allocation

page execute and read and write

C58000

heap

page read and write

24BE000

stack

page read and write

E2A000

heap

page read and write

427E000

direct allocation

page read and write

17A8000

heap

page read and write

D50000

heap

page read and write

DE3000

trusted library allocation

page execute and read and write

4E0E000

stack

page read and write

29B0000

heap

page read and write

C79000

stack

page read and write

704000

trusted library allocation

page read and write

E1F000

heap

page read and write

84B000

heap

page read and write

11A0000

heap

page read and write

817000

heap

page read and write

D36000

heap

page read and write

D20000

heap

page read and write

1713000

heap

page read and write

15BF000

stack

page read and write

720000

trusted library allocation

page read and write

CE0000

heap

page read and write

3891000

trusted library allocation

page read and write

174D000

heap

page read and write

1743000

heap

page read and write

1772000

heap

page read and write

250000

unkown

page readonly

FD4000

heap

page read and write

1778000

heap

page read and write

1723000

heap

page read and write

3E9000

stack

page read and write

1723000

heap

page read and write

B90000

heap

page read and write

4D9D000

trusted library allocation

page read and write

E00000

heap

page read and write

4063000

direct allocation

page read and write

1127000

trusted library allocation

page execute and read and write

D32000

heap

page read and write

174D000

heap

page read and write

3F40000

direct allocation

page read and write

420D000

direct allocation

page read and write

D9E000

stack

page read and write

DC8000

unkown

page readonly

DE4000

trusted library allocation

page read and write

6040000

trusted library allocation

page read and write

110D000

trusted library allocation

page execute and read and write

F4E000

stack

page read and write

E08000

heap

page read and write

D74000

trusted library allocation

page read and write

DA7000

trusted library allocation

page execute and read and write

38FC000

trusted library allocation

page read and write

E78000

heap

page read and write

F8E000

stack

page read and write

2B9E000

stack

page read and write

1735000

heap

page read and write

7E8000

heap

page read and write

DD0000

heap

page read and write

There are 328 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
tems.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporttems.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
tems.exe