Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.499623874324066
Filename:	SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
Filesize:	2138112
MD5:	2a5f4c6d957f37ecea115fffe6d28467
SHA1:	9fe8436f8e1f6198b883404f0b59256b4f08bbed
SHA256:	5058d869c59bfb3480d1dc6f8f51d191adb890039c89ff9fd668fe7b481099b8
SHA512:	673861e0bb2c2a4a26a9ab0a34fee45aa48e26b0677fb1815c9cc79fb1520d81c75d63d27af69e7229d79823022c5ca78ab4b7dd0d74388e84a93ef789a04ba8
SSDEEP:	49152:aVhyh5fVd/kOz40n4OdaVZsNz/Trp/HfaBa4kRQaddfZL17N:LY4rn4OdYiH9Qa/RLz
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,..;M.R;M.R;M.R@Q.R:M.R.B.R3M.RTR.R:M.R.Q.R8M.RTR.R0M.RTR.R?M.R.k.R9M.R;M.R.L.R.k.R8M.R=n.R?M.R=n.RmM.R.R.R0M.R.K.R:M.RRich;M.

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Disable or Modify Tools Software Packing
Found malware configuration	AV Detection	Access Token Manipulation
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection	Disable or Modify Tools
Contains functionality to automate explorer (e.g. start an application)	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation Disable or Modify Tools
Contains functionality to detect sleep reduction / modifications	Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to infect the boot sector	Persistence and Installation Behavior, Boot Survival	Bootkit Access Token Manipulation
Contains functionality to modify windows services which are used for security filtering and protection	Lowering of HIPS / PFW / Operating System Security Settings	Windows Service File and Directory Discovery
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion	Disable or Modify Tools Masquerading
Hides threads from debuggers	Anti Debugging	Disable or Modify Tools
Machine Learning detection for sample	AV Detection
PE file has a writeable .text section	System Summary	Access Token Manipulation
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion	Native API
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings
Checks if the current process is being debugged	Anti Debugging	Virtualization/Sandbox Evasion
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging	Disable or Modify Tools
Contains functionality to clear windows event logs (to hide its activities)	Hooking and other Techniques for Hiding and Protection	Indicator Removal
Contains functionality to communicate with device drivers	System Summary
Contains functionality to create new users	Persistence and Installation Behavior	Native API Create Account Disable or Modify Tools
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	Disable or Modify Tools System Information Discovery
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a DirectInput object (often for capturing keystrokes)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Creates files inside the system directory	System Summary	Disable or Modify Tools Masquerading
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Disable or Modify Tools File and Directory Discovery
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found evasive API chain (may stop execution after checking a module file name)	Malware Analysis System Evasion	Access Token Manipulation
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation
Installs a raw input device (often for capturing keystrokes)	Key, Mouse, Clipboard, Microphone and Screen Capturing
May check if the current machine is a sandbox (GetTickCount - Sleep)	Malware Analysis System Evasion	Disable or Modify Tools Security Software Discovery
PE file contains executable resources (Code or Archives)	System Summary	Disable or Modify Tools
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Disable or Modify Tools
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary	Disable or Modify Tools
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to check free disk space	System Summary
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Contains functionality to modify services (start/stop/modify)	System Summary	Service Execution Access Token Manipulation System Time Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query local drives	Spreading, Malware Analysis System Evasion
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to start windows services	Boot Survival	Access Token Manipulation
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Disable or Modify Tools
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation Disable or Modify Tools
Sample reads its own file content	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading Disable or Modify Tools
URLs found in memory or binary data	Networking	Disable or Modify Tools Indicator Removal
PE file has a big code size	System Summary	Disable or Modify Tools
Submission file is bigger than most known malware samples	System Summary	Disable or Modify Tools

C:\Windows\SysWOW64\Dtldt.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Windows\SysWOW64\Dtldt.exe
Category:	dropped
Dump:	Dtldt.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.499623874324066
Encrypted:	false
Ssdeep:	49152:aVhyh5fVd/kOz40n4OdaVZsNz/Trp/HfaBa4kRQaddfZL17N:LY4rn4OdYiH9Qa/RLz
Size:	2138112
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior	Masquerading
Hides threads from debuggers	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Machine Learning detection for dropped file	AV Detection
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains functionality to call native functions	System Summary
Contains functionality to read the PEB	Anti Debugging
Creates files inside the system directory	System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Found large amount of non-executed APIs	Malware Analysis System Evasion
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Windows\SysWOW64\Dtldt.exe:Zone.Identifier

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Windows\SysWOW64\Dtldt.exe:Zone.Identifier
Category:	modified
Dump:	Dtldt.exe_Zone.Identifier.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Hides threads from debuggers	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Machine Learning detection for dropped file	AV Detection
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains functionality to call native functions	System Summary
Contains functionality to read the PEB	Anti Debugging
Creates files inside the system directory	System Summary	Masquerading
Found large amount of non-executed APIs	Malware Analysis System Evasion
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Tries to load missing DLLs	System Summary	DLL Side-Loading

\Device\Null

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\Null
Category:	dropped
Dump:	Null.7.dr
ID:	dr_2
Target ID:	7
Process:	C:\Windows\SysWOW64\PING.EXE
Type:	ASCII text, with CRLF line terminators
Entropy:	4.92149009030101
Encrypted:	false
Ssdeep:	6:PzLSLzMRfmWxHLThx2LThx0sW26VY7FwAFeMmvVOIHJFxMVlmJHaVFEG1vv:PKMRJpTeT0sBSAFSkIrxMVlmJHaVzvv
Size:	331
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe"

Details

Is windows:	false
Is dropped:	false
PID:	408
Target ID:	0
Parent PID:	1028
Name:	SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe"
Size:	2138112
MD5:	2A5F4C6D957F37ECEA115FFFE6D28467
Time:	12:30:01
Date:	24/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	3350528
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected GhostRat	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Mimikatz	Stealing of Sensitive Information
Machine Learning detection for sample	AV Detection
PE file has a writeable .text section	System Summary
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Use NTFS Short Name in Command Line	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Keylogger Generic	Key, Mouse, Clipboard, Microphone and Screen Capturing
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\Dtldt.exe

C:\Windows\SysWOW64\Dtldt.exe -auto

Details

Is windows:	false
Is dropped:	true
PID:	5708
Target ID:	3
Parent PID:	632
Name:	Dtldt.exe
Path:	C:\Windows\SysWOW64\Dtldt.exe
Commandline:	C:\Windows\SysWOW64\Dtldt.exe -auto
Size:	2138112
MD5:	2A5F4C6D957F37ECEA115FFFE6D28467
Time:	12:30:38
Date:	24/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	3350528
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior	Masquerading
Creates files inside the system directory	System Summary	Masquerading
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Yara detected Keylogger Generic	Key, Mouse, Clipboard, Microphone and Screen Capturing
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\SECURI~1.EXE > nul

Details

Is windows:	true
Is dropped:	false
PID:	3292
Target ID:	5
Parent PID:	408
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\SECURI~1.EXE > nul
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	12:31:08
Date:	24/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x790000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Use NTFS Short Name in Command Line	System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Details

Is windows:	true
Is dropped:	false
PID:	3116
Target ID:	7
Parent PID:	3292
Name:	PING.EXE
Class:	system-tools
Path:	C:\Windows\SysWOW64\PING.EXE
Commandline:	ping -n 2 127.0.0.1
Size:	18944
MD5:	B3624DD758CCECF93A1226CEF252CA12
Time:	12:31:08
Date:	24/04/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x6d0000
Modulesize:	36864
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Uses ping.exe to check the status of other devices and networks	Networking	System Network Configuration Discovery Remote System Discovery
Uses ping.exe to sleep	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	1272
Target ID:	6
Parent PID:	3292
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	12:31:08
Date:	24/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

206.238.196.240

https://ssl.ptlogin2.qq.com%s

unknown

http://www.appspeed.com/

unknown

http://www.appspeed.com/support

unknown

https://localhost.ptlogin2.qq.com:4301%sAccept-Language:

unknown

https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_

unknown

https://ssl.ptlogin2.qq.com%sAccept-Language:

unknown

http://ptlogin2.qun.qq.com%s

unknown

http://ptlogin2.qun.qq.com%sAccept-Language:

unknown

http://qun.qq.com%s

unknown

https://localhost.ptlogin2.qq.com:4301%s

unknown

http://qun.qq.com%sAccept-Language:

unknown

There are 2 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

127.0.0.1

unknown

Details

IP:	127.0.0.1
TargetID:	7
Current Path:	C:\Windows\SysWOW64\PING.EXE
Private:	true

Signature Hits	Behavior Group	Mitre Attack
Uses ping.exe to check the status of other devices and networks	Networking	System Network Configuration Discovery Remote System Discovery
Uses ping.exe to sleep	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Use NTFS Short Name in Command Line	System Summary
Spawns processes	System Summary	Process Injection

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SYSTEM\Select

MarkTime

Memdumps

Base Address

Regiontype

Protect

Malicious

100F5000

trusted library allocation

page read and write

51F000

unkown

page execute and read and write

6D5000

unkown

page write copy

400000

unkown

page readonly

710000

heap

page read and write

2EF6000

trusted library allocation

page read and write

11C0000

heap

page execute and read and write

1C4A000

trusted library allocation

page read and write

5FE000

unkown

page execute and write copy

6D5000

unkown

page read and write

5DB000

unkown

page execute and write copy

30EF000

stack

page read and write

6D5000

unkown

page read and write

6D3000

unkown

page execute and read and write

50D000

unkown

page execute and read and write

2E80000

trusted library allocation

page execute and read and write

28FD000

trusted library allocation

page read and write

5D7000

unkown

page execute and read and write

1540000

trusted library allocation

page execute and read and write

4FD000

unkown

page execute and read and write

2E9E000

trusted library allocation

page execute and read and write

56B000

unkown

page execute and read and write

1AC2000

trusted library allocation

page execute and read and write

C8F000

stack

page read and write

DE0000

heap

page read and write

11DD000

heap

page execute and read and write

6D0000

unkown

page execute and write copy

731000

unkown

page readonly

57D000

unkown

page execute and read and write

1548000

trusted library allocation

page read and write

A78000

heap

page read and write

14BB000

heap

page execute and read and write

2E70000

trusted library allocation

page execute and read and write

1768000

heap

page execute and read and write

1AD6000

trusted library allocation

page execute and read and write

1691000

trusted library allocation

page read and write

10197000

trusted library allocation

page read and write

8B0000

heap

page read and write

57D000

unkown

page execute and read and write

1670000

trusted library allocation

page read and write

309E000

trusted library allocation

page read and write

1663000

trusted library allocation

page read and write

91E000

stack

page read and write

118D000

stack

page read and write

27F0000

heap

page read and write

2B2A000

heap

page execute and read and write

114E000

stack

page read and write

1AE6000

trusted library allocation

page execute and read and write

2FEE000

stack

page read and write

2A39000

trusted library allocation

page read and write

55F000

unkown

page execute and read and write

1ABE000

trusted library allocation

page execute and read and write

5F0000

unkown

page execute and write copy

1A3C000

trusted library allocation

page execute and read and write

1694000

trusted library allocation

page read and write

10001000

trusted library allocation

page execute read

5F8000

unkown

page execute and read and write

12F5000

heap

page read and write

D10000

heap

page execute and read and write

400000

unkown

page readonly

6D1000

unkown

page execute and write copy

1673000

trusted library allocation

page read and write

1B42000

trusted library allocation

page read and write

2A21000

trusted library allocation

page read and write

6D0000

unkown

page execute and write copy

6D6000

unkown

page write copy

138F000

heap

page execute and read and write

DBC000

heap

page read and write

731000

unkown

page readonly

127D000

heap

page execute and read and write

14B7000

heap

page execute and read and write

100C4000

trusted library allocation

page readonly

100E6000

trusted library allocation

page readonly

5F8000

unkown

page execute and read and write

5EF000

unkown

page execute and read and write

401000

unkown

page execute and read and write

85E000

stack

page read and write

2E6F000

heap

page read and write

166C000

trusted library allocation

page read and write

401000

unkown

page execute and write copy

CCE000

stack

page read and write

400000

unkown

page readonly

89E000

stack

page read and write

5D9000

unkown

page execute and read and write

2E00000

heap

page read and write

401000

unkown

page execute and read and write

2872000

heap

page execute and read and write

8AE000

stack

page read and write

129D000

heap

page execute and read and write

9C000

stack

page read and write

740000

heap

page read and write

2595000

heap

page read and write

11A7000

heap

page read and write

266B000

heap

page execute and read and write

2D0A000

heap

page execute and read and write

8D0000

heap

page read and write

31EF000

stack

page read and write

10193000

trusted library allocation

page readonly

1AB5000

trusted library allocation

page execute and read and write

9C000

stack

page read and write

D2A000

heap

page read and write

2EA1000

trusted library allocation

page execute and read and write

1948000

heap

page execute and read and write

5D9000

unkown

page execute and write copy

A70000

heap

page read and write

2A28000

trusted library allocation

page read and write

2DF7000

trusted library allocation

page execute and read and write

5DB000

unkown

page execute and write copy

267B000

heap

page execute and read and write

2FFD000

trusted library allocation

page read and write

2B23000

heap

page read and write

6D6000

unkown

page write copy

6D1000

unkown

page execute and write copy

C6F000

stack

page read and write

2B0C000

heap

page read and write

860000

heap

page read and write

6D5000

unkown

page write copy

1AE3000

trusted library allocation

page execute and read and write

B8E000

stack

page read and write

2AFD000

stack

page read and write

100B3000

trusted library allocation

page readonly

12AD000

heap

page execute and read and write

2A18000

trusted library allocation

page read and write

295D000

trusted library allocation

page execute and read and write

5EF000

unkown

page execute and read and write

28F8000

heap

page read and write

D0D000

stack

page read and write

19C000

stack

page read and write

124D000

heap

page execute and read and write

1684000

trusted library allocation

page read and write

5FE000

unkown

page execute and write copy

DE5000

heap

page read and write

400000

unkown

page readonly

A90000

heap

page read and write

401000

unkown

page execute and write copy

2B22000

heap

page read and write

998000

heap

page read and write

D59000

heap

page read and write

740000

heap

page read and write

261B000

heap

page execute and read and write

95E000

stack

page read and write

274A000

heap

page execute and read and write

690000

unkown

page execute and read and write

11D2000

heap

page read and write

2A49000

trusted library allocation

page read and write

26B8000

heap

page read and write

1543000

heap

page read and write

28F0000

trusted library allocation

page execute and read and write

6CD000

stack

page read and write

25AB000

heap

page execute and read and write

5D9000

unkown

page execute and read and write

8A0000

heap

page read and write

D20000

heap

page read and write

740000

heap

page read and write

2D50000

trusted library allocation

page execute and read and write

264B000

heap

page execute and read and write

D31000

heap

page read and write

1B4B000

trusted library allocation

page read and write

2E7D000

trusted library allocation

page execute and read and write

1C3E000

stack

page read and write

2E91000

trusted library allocation

page execute and read and write

2A46000

trusted library allocation

page read and write

731000

unkown

page readonly

2A25000

trusted library allocation

page read and write

E30000

heap

page read and write

1995000

trusted library allocation

page execute and read and write

2DCE000

unkown

page read and write

2AEF000

stack

page read and write

9B0000

heap

page read and write

2B00000

heap

page read and write

78E000

unkown

page read and write

173F000

stack

page read and write

5D7000

unkown

page execute and read and write

19D000

stack

page read and write

1AC5000

trusted library allocation

page execute and read and write

15AD000

trusted library allocation

page execute and read and write

2EF6000

trusted library allocation

page read and write

990000

heap

page read and write

690000

unkown

page execute and read and write

5F0000

unkown

page execute and write copy

1CF3000

trusted library allocation

page read and write

10000000

trusted library allocation

page read and write

5D9000

unkown

page execute and write copy

731000

unkown

page readonly

2876000

heap

page execute and read and write

100D4000

trusted library allocation

page readonly

1115000

heap

page read and write

There are 177 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Win32.RATX-gen.24533.28061.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
SecuriteInfo.com.Win32.RATX-gen.24533.28061.exe