Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

FAR.N_2430-240009934.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.948433903107132
Filename:	FAR.N_2430-240009934.exe
Filesize:	1104896
MD5:	fc9c091daa95c1cab2b0fe8f5d355a71
SHA1:	b8162cfcf19d65735dadc64a928e755de6515141
SHA256:	fc83bfec2d58dfb71be0fec0c02f69996c5349845dd39c8048b520696003e1fc
SHA512:	692bc80b2f5c444d451a87c7c4f56945c15f8ab693ccb074d415d17d89001c333ae0b4f76f1829be60643c826e54ad0613b08fa561b824f6cfa8fef77b0f8d82
SSDEEP:	24576:GqDEvCTbMWu7rQYlBQcBiT6rprG8a9sRjvV:GTvC/MTQYxsWR7a98jv
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection	Disable or Modify Tools
Binary is likely a compiled AutoIt script file	System Summary
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Found API chain indicative of sandbox detection	Malware Analysis System Evasion	Disable or Modify Tools Virtualization/Sandbox Evasion
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging	Disable or Modify Tools
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Masquerading
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Native API Access Token Manipulation
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Process Discovery
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	Disable or Modify Tools
Contains functionality to read the PEB	Anti Debugging
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools Clipboard Data
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion	Masquerading
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection Disable or Modify Tools
Detected potential crypto function	System Summary	Process Discovery Encrypted Channel
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Security Software Discovery
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Disable or Modify Tools System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Sample file is different than original file name gathered from version info	System Summary	System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Disable or Modify Tools Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary	Disable or Modify Tools
.NET source code contains calls to encryption/decryption functions	System Summary	Deobfuscate/Decode Files or Information Archive Collected Data
Binary contains paths to development resources	System Summary
Contains functionality for error logging	System Summary	Disable or Modify Tools
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Disable or Modify Tools
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary	Disable or Modify Tools
Tries to load missing DLLs	System Summary	DLL Side-Loading Disable or Modify Tools
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary	Disable or Modify Tools

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newfile.exe.log

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newfile.exe.log
Category:	modified
Dump:	newfile.exe.log.12.dr
ID:	dr_6
Target ID:	12
Process:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.090621108356562
Encrypted:	false
Ssdeep:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
Size:	142
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\Idonna

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Idonna
Category:	dropped
Dump:	Idonna.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\FAR.N_2430-240009934.exe
Type:	data
Entropy:	6.560452042035801
Encrypted:	false
Ssdeep:	3072:ioC/cubecqgR03DhBKtLQpEWLcjyh2XnWTnj5ILCFOXH35+EffQZZrAJy:iow63LWcNiyh2XnW6WFkkvZryy
Size:	244736
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\aut100A.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut100A.tmp
Category:	dropped
Dump:	aut100A.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\FAR.N_2430-240009934.exe
Type:	data
Entropy:	7.697209947807859
Encrypted:	false
Ssdeep:	192:25L1fjxqLCHVkDJtj/wsLwtO8/C7TGC5z3nyy9iCSfHdxnN03Yy:25LVELCHVE7wHGz3nJ9iCSf9Q
Size:	9924
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\autFBB.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\autFBB.tmp
Category:	dropped
Dump:	autFBB.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\FAR.N_2430-240009934.exe
Type:	data
Entropy:	7.8911786111220295
Encrypted:	false
Ssdeep:	3072:qoTved4v9RkGEzFWYmG/sW6JD8kSBkQowBh5G4N++BHmOvE0cS8:VxmzYYPl6JD8k7Gv++BdvE0cS8
Size:	143114
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\preconform

ASCII text, with very long lines (28674), with no line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Temp\preconform
Category:	modified
Dump:	preconform.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\FAR.N_2430-240009934.exe
Type:	ASCII text, with very long lines (28674), with no line terminators
Entropy:	4.528031056072201
Encrypted:	false
Ssdeep:	768:QmlIc4RZ8fcM4GiNgu1ISfUcNxmaWzPFk:dac4RZ8fcM4ZDmaWzPO
Size:	28674
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\newfile\newfile.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
Category:	dropped
Dump:	newfile.exe.2.dr
ID:	dr_4
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.16795797263964
Encrypted:	false
Ssdeep:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
Size:	45984
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses Microsoft Silverlight	System Summary

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.15.dr
ID:	dr_7
Target ID:	15
Process:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.442398121585593
Encrypted:	false
Ssdeep:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
Size:	1141
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\FAR.N_2430-240009934.exe

"C:\Users\user\Desktop\FAR.N_2430-240009934.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1356
Target ID:	0
Parent PID:	4056
Name:	FAR.N_2430-240009934.exe
Path:	C:\Users\user\Desktop\FAR.N_2430-240009934.exe
Commandline:	"C:\Users\user\Desktop\FAR.N_2430-240009934.exe"
Size:	1104896
MD5:	FC9C091DAA95C1CAB2B0FE8F5D355A71
Time:	17:23:01
Date:	19/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x810000
Modulesize:	1130496
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Binary is likely a compiled AutoIt script file	System Summary
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\FAR.N_2430-240009934.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6004
Target ID:	2
Parent PID:	1356
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\FAR.N_2430-240009934.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	17:23:02
Date:	19/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xe30000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\newfile\newfile.exe

"C:\Users\user\AppData\Roaming\newfile\newfile.exe"

Details

Is windows:	false
Is dropped:	true
PID:	6216
Target ID:	12
Parent PID:	4056
Name:	newfile.exe
Path:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
Commandline:	"C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	17:23:11
Date:	19/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0xec0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Roaming\newfile\newfile.exe

"C:\Users\user\AppData\Roaming\newfile\newfile.exe"

Details

Is windows:	false
Is dropped:	true
PID:	1196
Target ID:	15
Parent PID:	4056
Name:	newfile.exe
Path:	C:\Users\user\AppData\Roaming\newfile\newfile.exe
Commandline:	"C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	17:23:20
Date:	19/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0xe40000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6424
Target ID:	13
Parent PID:	6216
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	17:23:11
Date:	19/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff75da10000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6988
Target ID:	16
Parent PID:	1196
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	17:23:20
Date:	19/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff75da10000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://r3.o.lencr.org0

unknown

http://mail.jmfresh.sg

unknown

https://account.dyn.com/

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://x1.c.lencr.org/0

unknown

http://x1.i.

unknown

http://x1.i.lencr.org/0

unknown

http://r3.i.lencr.org/0#

unknown

http://ip-api.com/line/?fields=hosting

208.95.112.1

http://ip-api.com

unknown

http://r3.i.lencr.org

unknown

There are 1 hidden URLs, click here to show them.

Domains

Name

Malicious

mail.jmfresh.sg

101.100.239.36

Details

Name:	mail.jmfresh.sg
IP:	101.100.239.36
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
URLs found in memory or binary data	Networking

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Check if machine is in data center or colocation facility	Malware Analysis System Evasion	Security Software Discovery
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

101.100.239.36

mail.jmfresh.sg

Singapore

Details

IP:	101.100.239.36
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	Singapore
Countrycode:	SGP
ASN number:	58621
ASN name:	VODIEN-AS-AP-LOC2VodienInternetSolutionsPteLtdSG
Private:	false
Domain:	mail.jmfresh.sg

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

208.95.112.1

ip-api.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

newfile

There are 6 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

302E000

trusted library allocation

page read and write

3EE0000

direct allocation

page read and write

402000

system

page execute and read and write

3001000

trusted library allocation

page read and write

3051000

trusted library allocation

page read and write

570E000

stack

page read and write

516E000

stack

page read and write

536D000

stack

page read and write

1640000

heap

page read and write

5616000

trusted library allocation

page read and write

41ED000

direct allocation

page read and write

14F2000

trusted library allocation

page read and write

42AE000

direct allocation

page read and write

3F20000

direct allocation

page read and write

16BF000

heap

page read and write

8E4000

unkown

page readonly

5673000

heap

page read and write

6524000

heap

page read and write

13DB000

stack

page read and write

4093000

direct allocation

page read and write

5622000

trusted library allocation

page read and write

560E000

trusted library allocation

page read and write

1970000

trusted library allocation

page read and write

3F70000

direct allocation

page read and write

701D1000

unkown

page execute read

17DE000

heap

page read and write

1510000

trusted library allocation

page read and write

3F70000

direct allocation

page read and write

13BE000

stack

page read and write

3300000

heap

page execute and read and write

16E9000

heap

page read and write

14A0000

heap

page read and write

3ED0000

direct allocation

page execute and read and write

15B0000

heap

page read and write

1530000

trusted library allocation

page read and write

58A0000

heap

page execute and read and write

14CD000

trusted library allocation

page execute and read and write

13C0000

heap

page read and write

4043000

direct allocation

page read and write

70DF000

stack

page read and write

1660000

heap

page read and write

1523000

trusted library allocation

page execute and read and write

3F70000

direct allocation

page read and write

16A0000

heap

page read and write

1668000

heap

page read and write

8E4000

unkown

page readonly

1634000

heap

page read and write

425E000

direct allocation

page read and write

42AE000

direct allocation

page read and write

169C000

heap

page read and write

13E5000

heap

page read and write

42AE000

direct allocation

page read and write

400000

system

page execute and read and write

5D60000

trusted library allocation

page read and write

17C0000

heap

page read and write

12B8000

heap

page read and write

1693000

heap

page read and write

57B0000

heap

page execute and read and write

5A3E000

stack

page read and write

1576000

heap

page read and write

14B0000

trusted library allocation

page read and write

5A7E000

stack

page read and write

162E000

stack

page read and write

14D5000

heap

page read and write

16A0000

heap

page read and write

1524000

trusted library allocation

page read and write

55F6000

trusted library allocation

page read and write

8E0000

unkown

page write copy

3060000

trusted library allocation

page read and write

6A70000

trusted library allocation

page read and write

12D9000

heap

page read and write

1540000

heap

page read and write

EC2000

unkown

page readonly

3271000

trusted library allocation

page read and write

1534000

trusted library allocation

page read and write

1684000

heap

page read and write

FC0000

heap

page read and write

4110000

direct allocation

page read and write

585F000

stack

page read and write

69F3000

trusted library allocation

page read and write

5AAF000

stack

page read and write

810000

unkown

page readonly

17DE000

heap

page read and write

13A0000

heap

page read and write

58FC000

stack

page read and write

17DD000

heap

page read and write

55FB000

trusted library allocation

page read and write

1840000

trusted library allocation

page execute and read and write

148D000

trusted library allocation

page execute and read and write

4FD8000

trusted library allocation

page read and write

5670000

heap

page read and write

13EF000

stack

page read and write

16E9000

heap

page read and write

1240000

heap

page read and write

4331000

trusted library allocation

page read and write

3F20000

direct allocation

page read and write

1474000

trusted library allocation

page read and write

15CA000

heap

page read and write

321C000

stack

page read and write

16CF000

heap

page read and write

1473000

trusted library allocation

page execute and read and write

5750000

heap

page execute and read and write

1668000

heap

page read and write

1548000

heap

page read and write

14FB000

trusted library allocation

page execute and read and write

1E5E000

stack

page read and write

5A9F000

stack

page read and write

679D000

stack

page read and write

1757000

trusted library allocation

page execute and read and write

17C0000

trusted library allocation

page execute and read and write

14D0000

heap

page read and write

6B40000

trusted library allocation

page execute and read and write

423D000

direct allocation

page read and write

13FF000

stack

page read and write

1830000

trusted library allocation

page read and write

3260000

heap

page execute and read and write

14EF000

stack

page read and write

17CF000

heap

page read and write

16DD000

heap

page read and write

1709000

heap

page read and write

5CBF000

stack

page read and write

425E000

direct allocation

page read and write

14F0000

trusted library allocation

page read and write

2FD1000

trusted library allocation

page read and write

7F6C0000

trusted library allocation

page execute and read and write

14B7000

trusted library allocation

page execute and read and write

14B0000

trusted library allocation

page read and write

17E0000

heap

page read and write

1650000

heap

page read and write

1480000

trusted library allocation

page read and write

40C0000

direct allocation

page read and write

EC0000

unkown

page readonly

1569000

heap

page read and write

5D50000

trusted library allocation

page read and write

811000

unkown

page execute read

6BDF000

stack

page read and write

16CF000

heap

page read and write

1770000

trusted library allocation

page read and write

2F8C000

stack

page read and write

3FD1000

trusted library allocation

page read and write

2F4E000

stack

page read and write

68DE000

stack

page read and write

599E000

stack

page read and write

ECA000

stack

page read and write

12E3000

heap

page read and write

135E000

stack

page read and write

17FE000

heap

page read and write

6A03000

trusted library allocation

page read and write

8AC000

unkown

page readonly

12B0000

heap

page read and write

41E9000

direct allocation

page read and write

302A000

trusted library allocation

page read and write

14E0000

trusted library allocation

page read and write

14DD000

trusted library allocation

page execute and read and write

2F90000

trusted library allocation

page read and write

139E000

stack

page read and write

14E2000

trusted library allocation

page read and write

16A0000

heap

page read and write

689F000

stack

page read and write

1630000

trusted library allocation

page execute and read and write

701ED000

unkown

page read and write

4093000

direct allocation

page read and write

304D000

trusted library allocation

page read and write

560A000

trusted library allocation

page read and write

582E000

stack

page read and write

1380000

heap

page read and write

17CF000

heap

page read and write

3320000

heap

page read and write

1250000

heap

page read and write

153D000

trusted library allocation

page execute and read and write

1960000

heap

page read and write

16E9000

heap

page read and write

1382000

heap

page read and write

185E000

stack

page read and write

593E000

stack

page read and write

5BAF000

stack

page read and write

6A6E000

stack

page read and write

17B3000

heap

page read and write

1260000

heap

page read and write

55F0000

trusted library allocation

page read and write

1750000

trusted library allocation

page read and write

701EF000

unkown

page readonly

16DD000

heap

page read and write

8AC000

unkown

page readonly

4239000

direct allocation

page read and write

16DE000

heap

page read and write

4033000

trusted library allocation

page read and write

1660000

heap

page read and write

1460000

heap

page read and write

5D67000

trusted library allocation

page read and write

FC9000

stack

page read and write

157D000

stack

page read and write

1990000

heap

page read and write

6C30000

trusted library allocation

page read and write

225E000

stack

page read and write

55FE000

trusted library allocation

page read and write

2FB0000

trusted library allocation

page read and write

1960000

trusted library allocation

page read and write

1698000

heap

page read and write

4239000

direct allocation

page read and write

FD0000

heap

page read and write

195E000

stack

page read and write

2E30000

trusted library allocation

page execute and read and write

4110000

direct allocation

page read and write

14D0000

trusted library allocation

page read and write

4271000

trusted library allocation

page read and write

8D2000

unkown

page readonly

15A5000

heap

page read and write

6A10000

trusted library allocation

page read and write

423D000

direct allocation

page read and write

14BB000

trusted library allocation

page execute and read and write

6A0D000

trusted library allocation

page read and write

13CE000

stack

page read and write

57AE000

stack

page read and write

69DD000

stack

page read and write

7140000

heap

page read and write

3034000

trusted library allocation

page read and write

16BF000

heap

page read and write

16EA000

heap

page read and write

17D0000

heap

page read and write

16E9000

heap

page read and write

6C20000

heap

page read and write

16E9000

heap

page read and write

14F5000

trusted library allocation

page execute and read and write

8DC000

unkown

page read and write

2FC0000

heap

page execute and read and write

4093000

direct allocation

page read and write

4239000

direct allocation

page read and write

1540000

heap

page read and write

17BE000

stack

page read and write

41ED000

direct allocation

page read and write

41ED000

direct allocation

page read and write

1230000

heap

page read and write

17EC000

heap

page read and write

175B000

trusted library allocation

page execute and read and write

57EE000

stack

page read and write

12FA000

stack

page read and write

561D000

trusted library allocation

page read and write

14E6000

trusted library allocation

page execute and read and write

2E2E000

stack

page read and write

ECA000

unkown

page readonly

DFA000

stack

page read and write

302C000

trusted library allocation

page read and write

EDC000

stack

page read and write

140E000

stack

page read and write

425E000

direct allocation

page read and write

3F20000

direct allocation

page read and write

2E40000

heap

page read and write

17FD000

heap

page read and write

1484000

trusted library allocation

page read and write

14F7000

trusted library allocation

page execute and read and write

810000

unkown

page readonly

423D000

direct allocation

page read and write

14EA000

trusted library allocation

page execute and read and write

5BBE000

stack

page read and write

15E0000

heap

page read and write

1257000

heap

page read and write

12E6000

heap

page read and write

3041000

trusted library allocation

page read and write

7110000

trusted library allocation

page execute and read and write

5630000

trusted library allocation

page read and write

17BF000

heap

page read and write

6520000

heap

page read and write

1684000

heap

page read and write

17FE000

heap

page read and write

4110000

direct allocation

page read and write

173F000

stack

page read and write

3059000

trusted library allocation

page read and write

17D0000

trusted library allocation

page read and write

40C0000

direct allocation

page read and write

41E9000

direct allocation

page read and write

701E6000

unkown

page readonly

FDA000

stack

page read and write

811000

unkown

page execute read

303F000

trusted library allocation

page read and write

1265000

heap

page read and write

3FF9000

trusted library allocation

page read and write

69F0000

trusted library allocation

page read and write

69E0000

trusted library allocation

page read and write

147D000

trusted library allocation

page execute and read and write

574E000

stack

page read and write

15DE000

stack

page read and write

8DC000

unkown

page write copy

57FC000

stack

page read and write

1370000

heap

page read and write

595F000

stack

page read and write

5602000

trusted library allocation

page read and write

195E000

stack

page read and write

144D000

stack

page read and write

1695000

heap

page read and write

182C000

stack

page read and write

701D0000

unkown

page readonly

5611000

trusted library allocation

page read and write

2FA0000

trusted library allocation

page read and write

5B7E000

stack

page read and write

1693000

heap

page read and write

15E0000

trusted library allocation

page read and write

16E9000

heap

page read and write

1510000

trusted library allocation

page read and write

5D40000

heap

page read and write

1850000

heap

page read and write

6FDE000

stack

page read and write

1564000

heap

page read and write

152D000

trusted library allocation

page execute and read and write

59AE000

stack

page read and write

8D2000

unkown

page readonly

1630000

heap

page read and write

6A1F000

trusted library allocation

page read and write

5680000

heap

page read and write

13E0000

heap

page read and write

1240000

heap

page read and write

3331000

trusted library allocation

page read and write

23F0000

heap

page read and write

1520000

heap

page read and write

4043000

direct allocation

page read and write

16E9000

heap

page read and write

4043000

direct allocation

page read and write

40C0000

direct allocation

page read and write

173B000

heap

page read and write

14C0000

trusted library allocation

page read and write

14C4000

trusted library allocation

page read and write

1460000

trusted library allocation

page read and write

14C3000

trusted library allocation

page execute and read and write

41E9000

direct allocation

page read and write

6A20000

trusted library allocation

page execute and read and write

15C0000

heap

page read and write

F5C000

stack

page read and write

542E000

stack

page read and write

15BE000

stack

page read and write

16E9000

heap

page read and write

1980000

trusted library allocation

page execute and read and write

There are 321 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
FAR.N_2430-240009934.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportFAR.N_2430-240009934.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
FAR.N_2430-240009934.exe