Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.746345735326208
Filename:	file.exe
Filesize:	1978181
MD5:	19dbb47666f2eb1bb2889c42fc2fd3db
SHA1:	0eeeef0203c5e51e07f521ff4d8d29a422319316
SHA256:	09570f445a9a80479957a36ea2e038800d5a01acf338793274f936c108f21f24
SHA512:	8311734676547436fc48423f7481ce1499003934cba291720b841779dbca9041914d58d9958f5b94a15a5c32e7c45ebea439886f0d51b61584280ebd7b782856
SSDEEP:	49152:YI4RI1ayrqA8h2uJeRoWHDyct4BhbXjz1xfc242:YbLUqDh2uiSS4BlXnbk2V
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............w...w...w..<.V..w..<.T..w..<.U..w....Z..w.......w.......w.......w....$..w....4..w...w...v.......w.......w....X..w.......w.

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to communicate with device drivers	System Summary
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
File is packed with WinRar	Data Obfuscation
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Checks the free space of harddrives	Malware Analysis System Evasion
Contains functionality for error logging	System Summary
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Executes batch files	System Summary	Scripting
Might use command line arguments	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe
Category:	dropped
Dump:	work.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.897829922390777
Encrypted:	false
Ssdeep:	49152:cI1ayrqA8h2uJeRoWHDyct4BhbXjz1xfc24G:cLUqDh2uiSS4BlXnbk2j
Size:	1643442
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Found evasive API chain checking for process token information	Malware Analysis System Evasion	Native API
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Program exit points	Malware Analysis System Evasion
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Temp\RarSFX1\feswa.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\RarSFX1\feswa.exe
Category:	dropped
Dump:	feswa.exe.4.dr
ID:	dr_2
Target ID:	4
Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.772842588209776
Encrypted:	false
Ssdeep:	24576:9lXwHInb9sLY/OfaHNDYdk/qN5cymz4xyJEZ/tgB5+E91XEZifJCfPI6x:9ljnxOCtDok/q05CyJEBtC5pXEZiwfP7
Size:	1315840
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Hides threads from debuggers	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate
Machine Learning detection for dropped file	AV Detection
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	Data from Local System OS Credential Dumping
Tries to steal Crypto Currency Wallets	Stealing of Sensitive Information	Data from Local System
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery Windows Management Instrumentation
Contains functionality to detect virtual machines (SLDT)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Drops certificate files (DER)	E-Banking Fraud
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses Microsoft Silverlight	System Summary

C:\Users\Public\Desktop\Google Chrome.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 13:16:56 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide

dropped

Details

File:	C:\Users\Public\Desktop\Google Chrome.lnk
Category:	dropped
Dump:	Google Chrome.lnk.5.dr
ID:	dr_7
Target ID:	5
Process:	C:\Users\user\AppData\Local\Temp\RarSFX1\feswa.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 13:16:56 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Entropy:	3.4517191780503143
Encrypted:	false
Ssdeep:	48:8Szl2dfTXdARYrnvPdAKRkdAGdAKRFdAKRE:8SzlO7
Size:	2104
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\feswa.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\feswa.exe.log
Category:	dropped
Dump:	feswa.exe.log.5.dr
ID:	dr_3
Target ID:	5
Process:	C:\Users\user\AppData\Local\Temp\RarSFX1\feswa.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.3318368586986695
Encrypted:	false
Ssdeep:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
Size:	3274
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat

DOS batch file, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat
Category:	dropped
Dump:	1.bat.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	DOS batch file, ASCII text, with CRLF line terminators
Entropy:	4.286146588249911
Encrypted:	false
Ssdeep:	3:mKDDFRK58FoXMMH:h08Foc2
Size:	35
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Executes batch files	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\Tmp46EF.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Tmp46EF.tmp
Category:	dropped
Dump:	Tmp46EF.tmp.5.dr
ID:	dr_4
Target ID:	5
Process:	C:\Users\user\AppData\Local\Temp\RarSFX1\feswa.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud

C:\Users\user\AppData\Local\Temp\Tmp4700.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Tmp4700.tmp
Category:	dropped
Dump:	Tmp4700.tmp.5.dr
ID:	dr_5
Target ID:	5
Process:	C:\Users\user\AppData\Local\Temp\RarSFX1\feswa.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
Category:	dropped
Dump:	76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06.5.dr
ID:	dr_6
Target ID:	5
Process:	C:\Users\user\AppData\Local\Temp\RarSFX1\feswa.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	2251
Whitelisted:	true
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\AppData\Local\Temp\RarSFX1\feswa.exe

"C:\Users\user\AppData\Local\Temp\RarSFX1\feswa.exe"

Details

Is windows:	false
Is dropped:	true
PID:	4436
Target ID:	5
Parent PID:	2104
Name:	feswa.exe
Path:	C:\Users\user\AppData\Local\Temp\RarSFX1\feswa.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\RarSFX1\feswa.exe"
Size:	1315840
MD5:	28CBE77F47C6E613C90CF1B449051BF2
Time:	16:25:59
Date:	24/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x270000
Modulesize:	4014080
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1476
Target ID:	0
Parent PID:	1028
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	1978181
MD5:	19DBB47666F2EB1BB2889C42FC2FD3DB
Time:	16:25:57
Date:	24/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x370000
Modulesize:	495616
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "

Details

Is windows:	true
Is dropped:	false
PID:	5652
Target ID:	2
Parent PID:	1476
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	16:25:58
Date:	24/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x790000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Executes batch files	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	1240
Target ID:	3
Parent PID:	5652
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	16:25:58
Date:	24/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe

work.exe -priverdD

Details

Is windows:	false
Is dropped:	true
PID:	2104
Target ID:	4
Parent PID:	5652
Name:	work.exe
Path:	C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe
Commandline:	work.exe -priverdD
Size:	1643442
MD5:	DB5AF0B8F6E4BDB07B5BEC9FB8DE1B7F
Time:	16:25:58
Date:	24/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xab0000
Modulesize:	491520
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/sct

unknown

https://duckduckgo.com/chrome_newtab

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk

unknown

https://duckduckgo.com/ac/?q=

unknown

http://tempuri.org/Entity/Id14ResponseD

unknown

http://tempuri.org/Entity/Id23ResponseD

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

unknown

http://tempuri.org/Entity/Id12Response

unknown

http://tempuri.org/

unknown

http://tempuri.org/Entity/Id2Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1

unknown

http://tempuri.org/Entity/Id21Response

unknown

http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap

unknown

http://tempuri.org/Entity/Id9

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID

unknown

http://tempuri.org/Entity/Id8

unknown

http://tempuri.org/Entity/Id6ResponseD

unknown

http://tempuri.org/Entity/Id5

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare

unknown

http://tempuri.org/Entity/Id4

unknown

http://tempuri.org/Entity/Id7

unknown

http://tempuri.org/Entity/Id6

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret

unknown

http://tempuri.org/Entity/Id19Response

unknown

http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

http://tempuri.org/Entity/Id13ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/fault

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey

unknown

http://tempuri.org/Entity/Id15Response

unknown

http://tempuri.org/Entity/Id5ResponseD

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register

unknown

http://tempuri.org/Entity/Id6Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey

unknown

https://api.ip.sb/ip

unknown

http://schemas.xmlsoap.org/ws/2004/04/sc

unknown

http://tempuri.org/Entity/Id1ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel

unknown

http://tempuri.org/Entity/Id9Response

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://tempuri.org/Entity/Id20

unknown

http://tempuri.org/Entity/Id21

unknown

http://tempuri.org/Entity/Id22

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1

unknown

http://tempuri.org/Entity/Id23

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1

unknown

http://tempuri.org/Entity/Id24

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue

unknown

http://tempuri.org/Entity/Id24Response

unknown

https://www.ecosia.org/newtab/

unknown

http://tempuri.org/Entity/Id1Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey

unknown

http://tempuri.org/Entity/Id21ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust

unknown

http://tempuri.org/Entity/Id10

unknown

http://tempuri.org/Entity/Id11

unknown

http://tempuri.org/Entity/Id10ResponseD

unknown

http://tempuri.org/Entity/Id12

unknown

http://tempuri.org/Entity/Id16Response

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel

unknown

http://tempuri.org/Entity/Id13

unknown

http://tempuri.org/Entity/Id14

unknown

http://tempuri.org/Entity/Id15

unknown

http://www.enigmaprotector.com/

unknown

http://tempuri.org/Entity/Id16

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce

unknown

http://tempuri.org/Entity/Id17

unknown

http://tempuri.org/Entity/Id18

unknown

http://tempuri.org/Entity/Id5Response

unknown

http://tempuri.org/Entity/Id19

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns

unknown

http://tempuri.org/Entity/Id15ResponseD

unknown

http://tempuri.org/Entity/Id10Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Renew

unknown

http://tempuri.org/Entity/Id11ResponseD

unknown

http://tempuri.org/Entity/Id8Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT

unknown

http://schemas.xmlsoap.org/ws/2006/02/addressingidentity

unknown

http://tempuri.org/Entity/Id17ResponseD

unknown

http://www.enigmaprotector.com/openU

unknown

There are 90 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

193.233.132.169

unknown

Russian Federation

Details

IP:	193.233.132.169
TargetID:	5
Current Path:	C:\Users\user\AppData\Local\Temp\RarSFX1\feswa.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	2895
ASN name:	FREE-NET-ASFREEnetEU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064

Blob

Details

TargetID:	5
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064
Value name:	Blob
Value data:	0B 00 00 00 01 00 00 00 48 00 00 00 54 00 69 00 74 00 61 00 6E 00 69 00 75 00 6D 00 20 00 52 00 6F 00 6F 00 74 00 20 00 43 00 65 00 72 00 74 00 69 00 66 00 69 00 63 00 61 00 74 00 65 00 20 00 41 00 75 00 74 00 68 00 6F 00 72 00 69 00 74 00 79 00 00 00 02 00 00 00 01 00 00 00 CC 00 00 00 1C 00 00 00 6C 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 7B 00 34 00 31 00 37 00 34 00 34 00 42 00 45 00 34 00 2D 00 31 00 31 00 43 00 35 00 2D 00 34 00 39 00 34 00 43 00 2D 00 41 00 32 00 31 00 33 00 2D 00 42 00 41 00 30 00 43 00 45 00 39 00 34 00 34 00 39 00 33 00 38 00 45 00 7D 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 45 00 6E 00 68 00 61 00 6E 00 63 00 65 00 64 00 20 00 43 00 72 00 79 00 70 00 74 00 6F 00 67 00 72 00 61 00 70 00 68 00 69 00 63 00 20 00 50 00 72 00 6F 00 76 00 69 00 64 00 65 00 72 00 20 00 76 00 31 00 2E 00 30 00 00 00 00 00 03 00 00 00 01 00 00 00 14 00 00 00 F1 A5 78 C4 CB 5D E7 9A 37 08 93 98 3F D4 DA 8B 67 B2 B0 64 20 00 00 00 01 00 00 00 0A 03 00 00 30 82 03 06 30 82 01 EE A0 03 02 01 02 02 08 67 F7 BE B9 6A 4C 27 98 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 1E 17 0D 32 33 30 33 31 34 31 30 33 35 32 30 5A 17 0D 32 36 30 36 31 37 31 30 33 35 32 30 5A 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 86 E4 57 7A 58 61 CE 81 91 77 D0 05 FA 51 D5 51 5A 93 6C 61 0C CF CB DE 53 32 CD 15 1D A6 47 EE 88 1A 24 5C 9B 02 83 3B 02 AF 3D 76 FE 20 BD 3B FA F7 A2 09 73 E7 2E BD 94 40 D0 9D 8C 3D 27 13 BD F0 D0 9F EB 95 32 AC D7 A4 2D A2 A9 52 DA A8 6A 2A 88 EE 42 7D 30 95 9D 90 BF BA 05 27 6A A0 29 98 A6 98 6F C0 13 06 62 9B 79 B8 40 5D 1F 1F A6 D9 A4 2F 82 7A FC 75 66 34 0D C2 DE 27 01 2B 94 BB 4A 27 B3 CB 1C 21 9A 3C B2 C1 42 03 F3 44 51 BD 62 65 20 ED D4 DB CC 41 4F 59 3F 2A CB C4 84 79 F7 14 3C BE 13 9C FD 12 9C 91 3E 53 03 DC 20 F9 4C 44 35 89 01 B6 9A 84 8D 7E A0 2E 30 8A 31 15 60 AC 00 AE 00 9A 29 10 9A EE D9 71 3D D8 91 9B 97 ED 59 80 58 E1 7F 07 26 C7 A0 20 F7 10 AB C0 62 91 DF AA F1 81 C6 BE 6A 76 C8 9C B6 8E B0 B0 EC 1C D9 5F 32 6C 7E 55 58 8B FD 76 C5 19 02 03 01 00 01 A3 28 30 26 30 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 03 82 01 01 00 70 85 12 93 D7 57 E9 82 79 7D C5 F7 F2 7D A8 94 EF 0C DB 32 9F 06 A6 09 6E 0C F6 04 B0 E5 47 11 56 0E F4 0F 52 82 08 2E 21 0F 55 A3 DB 41 F3 12 54 8B 76 11 F5 F0 DA CE A3 C7 8B 13 F6 FC 24 3C 02 B1 06 66 5B E6 9E 18 40 88 41 5B 27 39 99 B8 77 BE E3 53 A2 48 CE C7 EE B5 A0 95 C2 17 4B C9 52 6C AF E3 37 2C 59 DB FB E7 58 13 4E D3 51 E5 14 72 73 FE C6 85 77 AE 45 52 A6 F9 9A C8 0C A8 D0 EE 42 2A F5 28 85 8C 6B E8 1C B0 A8 03 1A B0 AE 83 C0 EB 55 64 F4 E8 7A 5C 06 29 5D 39 03 EE E2 FD F9 2D 62 A7 F4 D4 05 4D EA A7 9B CA EB DA 4E 8B 1A 6E FD 42 AE F9 D0 1C 70 75 72 8C B1 3A A8 55 7C 85 A7 25 32 B5 E2 D6 C3 E5 50 41 C9 86 7C A8 F5 62 BB D2 AB 0C 37 10 D8 31 73 EC 37 81 D1 DC AA C5 C6 E0 7E E7 26 62 4D FD C5 81 4C FF D3 36 E1 79 32 F8 9B EB 9C F7 FD BE E9 BE BF 61

Signature Hits	Behavior Group	Mitre Attack
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFiles0000

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFilesHash

Memdumps

Base Address

Regiontype

Protect

Malicious

3D89000

trusted library allocation

page read and write

3CE1000

trusted library allocation

page read and write

272000

unkown

page execute and read and write

3385000

heap

page read and write

4161000

trusted library allocation

page read and write

8CFE000

stack

page read and write

4254000

trusted library allocation

page read and write

458E000

trusted library allocation

page read and write

5030000

trusted library allocation

page read and write

7089000

heap

page read and write

3FBD000

trusted library allocation

page read and write

8590000

heap

page read and write

4D02000

trusted library allocation

page read and write

7471000

trusted library allocation

page read and write

5A41000

trusted library allocation

page read and write

76E0000

trusted library allocation

page read and write

58A9000

trusted library allocation

page read and write

582C000

trusted library allocation

page read and write

328D000

heap

page read and write

43E1000

trusted library allocation

page read and write

4FA8000

trusted library allocation

page read and write

6B68000

heap

page read and write

5A89000

trusted library allocation

page read and write

5705000

trusted library allocation

page read and write

337D000

heap

page read and write

58B9000

trusted library allocation

page read and write

56A5000

trusted library allocation

page read and write

AB1000

unkown

page execute read

3F5A000

trusted library allocation

page read and write

5385000

trusted library allocation

page read and write

58CD000

trusted library allocation

page read and write

57BF000

stack

page read and write

4247000

trusted library allocation

page read and write

593E000

trusted library allocation

page read and write

57CB000

trusted library allocation

page read and write

53D0000

trusted library allocation

page read and write

7A59000

trusted library allocation

page read and write

428E000

trusted library allocation

page read and write

337D000

heap

page read and write

5764000

trusted library allocation

page read and write

5FEF000

stack

page read and write

74A0000

trusted library allocation

page read and write

328F000

heap

page read and write

325F000

heap

page read and write

7490000

trusted library allocation

page read and write

3255000

heap

page read and write

5A1D000

trusted library allocation

page read and write

4EC9000

trusted library allocation

page read and write

3240000

trusted library allocation

page read and write

3283000

heap

page read and write

3E8F000

trusted library allocation

page read and write

370000

unkown

page readonly

557B000

stack

page read and write

3DD7000

trusted library allocation

page read and write

270000

unkown

page readonly

32E1000

heap

page read and write

3214000

heap

page read and write

43F7000

trusted library allocation

page read and write

507A000

trusted library allocation

page read and write

5726000

trusted library allocation

page read and write

3200000

trusted library allocation

page read and write

4ED0000

trusted library allocation

page read and write

3349000

heap

page read and write

5844000

trusted library allocation

page read and write

3334000

heap

page read and write

3684000

heap

page read and write

594E000

trusted library allocation

page read and write

5A05000

trusted library allocation

page read and write

3FD1000

trusted library allocation

page read and write

7451000

trusted library allocation

page read and write

33CE000

stack

page read and write

3500000

trusted library allocation

page read and write

3217000

heap

page read and write

3B15000

trusted library allocation

page read and write

4F06000

trusted library allocation

page read and write

5955000

trusted library allocation

page read and write

4E73000

trusted library allocation

page read and write

5025000

trusted library allocation

page read and write

4E9D000

trusted library allocation

page read and write

501B000

trusted library allocation

page read and write

52D4000

heap

page read and write

3B20000

heap

page read and write

50EE000

trusted library allocation

page read and write

378B000

heap

page read and write

571F000

trusted library allocation

page read and write

3520000

heap

page read and write

4073000

trusted library allocation

page read and write

3FF8000

trusted library allocation

page read and write

328F000

heap

page read and write

3349000

heap

page read and write

4384000

trusted library allocation

page read and write

598F000

trusted library allocation

page read and write

3EA8000

trusted library allocation

page read and write

337C000

heap

page read and write

3214000

trusted library allocation

page read and write

34AE000

stack

page read and write

4F14000

trusted library allocation

page read and write

AB1000

unkown

page execute read

3385000

heap

page read and write

2C2000

unkown

page execute and write copy

8860000

trusted library allocation

page read and write

321E000

stack

page read and write

41B5000

trusted library allocation

page read and write

41E4000

trusted library allocation

page read and write

587C000

trusted library allocation

page read and write

39EE000

stack

page read and write

505A000

trusted library allocation

page read and write

4033000

trusted library allocation

page read and write

5777000

trusted library allocation

page read and write

3FE8000

trusted library allocation

page read and write

7700000

trusted library allocation

page execute and read and write

3333000

heap

page read and write

7A17000

trusted library allocation

page read and write

30D2000

stack

page read and write

3AF0000

trusted library allocation

page read and write

4CE1000

trusted library allocation

page read and write

3ED9000

trusted library allocation

page read and write

3B0000

unkown

page read and write

74B0000

trusted library allocation

page read and write

5DB0000

heap

page read and write

595F000

trusted library allocation

page read and write

4FC4000

trusted library allocation

page read and write

3214000

heap

page read and write

322D000

trusted library allocation

page execute and read and write

86A9000

trusted library allocation

page read and write

4FB5000

trusted library allocation

page read and write

B10000

unkown

page read and write

4314000

trusted library allocation

page read and write

2FA5000

heap

page read and write

57C4000

trusted library allocation

page read and write

86A0000

trusted library allocation

page read and write

5828000

trusted library allocation

page read and write

5850000

trusted library allocation

page read and write

165E000

stack

page read and write

6262000

trusted library allocation

page read and write

708C000

heap

page read and write

4F1A000

trusted library allocation

page read and write

835E000

heap

page read and write

43BD000

trusted library allocation

page read and write

5803000

trusted library allocation

page read and write

11D0000

heap

page read and write

5041000

trusted library allocation

page read and write

43A3000

trusted library allocation

page read and write

4F63000

trusted library allocation

page read and write

40C1000

trusted library allocation

page read and write

55C0000

trusted library allocation

page read and write

5A0A000

trusted library allocation

page read and write

59A8000

trusted library allocation

page read and write

59E4000

trusted library allocation

page read and write

364E000

stack

page read and write

3B0E000

trusted library allocation

page read and write

5065000

trusted library allocation

page read and write

3259000

heap

page read and write

4E8A000

trusted library allocation

page read and write

7480000

trusted library allocation

page read and write

5A18000

trusted library allocation

page read and write

84A0000

trusted library allocation

page read and write

5020000

trusted library allocation

page read and write

4466000

trusted library allocation

page read and write

AF0000

unkown

page write copy

5D06000

trusted library allocation

page read and write

3384000

heap

page read and write

3E05000

trusted library allocation

page read and write

796C000

stack

page read and write

615E000

stack

page read and write

79FE000

stack

page read and write

8C7E000

stack

page read and write

504E000

trusted library allocation

page read and write

434E000

trusted library allocation

page read and write

407B000

trusted library allocation

page read and write

833B000

heap

page read and write

11F6000

heap

page read and write

3338000

heap

page read and write

3338000

heap

page read and write

3210000

heap

page read and write

3242000

trusted library allocation

page read and write

5810000

trusted library allocation

page read and write

3FCA000

trusted library allocation

page read and write

786C000

stack

page read and write

54BE000

trusted library allocation

page read and write

6280000

trusted library allocation

page read and write

43D7000

trusted library allocation

page read and write

2E30000

heap

page read and write

3160000

heap

page read and write

32ED000

heap

page read and write

56CA000

trusted library allocation

page read and write

3256000

heap

page read and write

4FB7000

trusted library allocation

page read and write

3344000

heap

page read and write

4F42000

trusted library allocation

page read and write

4FBF000

trusted library allocation

page read and write

3D6000

unkown

page readonly

3237000

heap

page read and write

4F8B000

trusted library allocation

page read and write

6B70000

trusted library allocation

page read and write

42BD000

trusted library allocation

page read and write

AF7000

unkown

page read and write

416E000

trusted library allocation

page read and write

410B000

trusted library allocation

page read and write

3180000

heap

page readonly

5883000

trusted library allocation

page read and write

4E7C000

trusted library allocation

page read and write

4E7F000

trusted library allocation

page read and write

B14000

unkown

page read and write

3175000

heap

page read and write

4F1F000

trusted library allocation

page read and write

7462000

trusted library allocation

page read and write

82E8000

heap

page read and write

431F000

trusted library allocation

page read and write

5973000

trusted library allocation

page read and write

4272000

trusted library allocation

page read and write

3EE0000

trusted library allocation

page read and write

4182000

trusted library allocation

page read and write

5A10000

trusted library allocation

page read and write

59D3000

trusted library allocation

page read and write

3E9D000

trusted library allocation

page read and write

3210000

heap

page read and write

3AEE000

stack

page read and write

2EA0000

direct allocation

page execute and read and write

43DC000

trusted library allocation

page read and write

5968000

trusted library allocation

page read and write

337D000

heap

page read and write

69BE000

stack

page read and write

30F9000

stack

page read and write

4EDA000

trusted library allocation

page read and write

86B8000

trusted library allocation

page read and write

5D0D000

trusted library allocation

page read and write

82C8000

heap

page read and write

44B4000

trusted library allocation

page read and write

78AE000

stack

page read and write

6188000

heap

page read and write

5712000

trusted library allocation

page read and write

3F9A000

trusted library allocation

page read and write

505D000

trusted library allocation

page read and write

4F36000

trusted library allocation

page read and write

3295000

heap

page read and write

590F000

trusted library allocation

page read and write

2E60000

direct allocation

page execute and read and write

503A000

trusted library allocation

page read and write

31E7000

heap

page read and write

30EB000

stack

page read and write

7A10000

trusted library allocation

page read and write

875D000

stack

page read and write

3F91000

trusted library allocation

page read and write

4F7B000

trusted library allocation

page read and write

5948000

trusted library allocation

page read and write

3326000

heap

page read and write

86F0000

trusted library allocation

page read and write

3337000

heap

page read and write

30DD000

stack

page read and write

2DF6000

stack

page read and write

3254000

heap

page read and write

86CF000

trusted library allocation

page read and write

3295000

heap

page read and write

3353000

heap

page read and write

AB0000

unkown

page readonly

56E0000

trusted library allocation

page read and write

581D000

trusted library allocation

page read and write

1326000

heap

page read and write

8810000

trusted library allocation

page execute and read and write

776C000

stack

page read and write

58C5000

trusted library allocation

page read and write

371000

unkown

page execute read

5819000

trusted library allocation

page read and write

7590000

trusted library allocation

page execute and read and write

3030000

heap

page read and write

75A0000

heap

page read and write

574D000

trusted library allocation

page read and write

587B000

stack

page read and write

5898000

trusted library allocation

page read and write

5A79000

trusted library allocation

page read and write

3353000

heap

page read and write

3280000

heap

page read and write

5CFE000

trusted library allocation

page read and write

6DBE000

stack

page read and write

76C1000

heap

page read and write

5676000

trusted library allocation

page read and write

11F0000

heap

page read and write

82D0000

heap

page read and write

5731000

trusted library allocation

page read and write

687E000

stack

page read and write

30D7000

stack

page read and write

4FDC000

trusted library allocation

page read and write

577A000

trusted library allocation

page read and write

3B10000

trusted library allocation

page read and write

5782000

trusted library allocation

page read and write

3259000

heap

page read and write

5683000

trusted library allocation

page read and write

6D90000

heap

page read and write

2D6000

unkown

page execute and write copy

425B000

trusted library allocation

page read and write

3B30000

trusted library allocation

page read and write

3E76000

trusted library allocation

page read and write

3EED000

trusted library allocation

page read and write

2FA0000

heap

page read and write

125E000

heap

page read and write

3295000

heap

page read and write

869E000

stack

page read and write

6172000

heap

page read and write

35AE000

stack

page read and write

534E000

stack

page read and write

76F0000

trusted library allocation

page read and write

31D6000

heap

page read and write

548A000

trusted library allocation

page read and write

328F000

heap

page read and write

8B3E000

stack

page read and write

3384000

heap

page read and write

56BE000

stack

page read and write

7710000

trusted library allocation

page read and write

2FF0000

heap

page read and write

30C0000

stack

page read and write

2FEE000

stack

page read and write

4F75000

trusted library allocation

page read and write

3201000

heap

page read and write

7540000

trusted library allocation

page execute and read and write

3E84000

trusted library allocation

page read and write

4E76000

trusted library allocation

page read and write

3F0E000

trusted library allocation

page read and write

30C0000

stack

page read and write

5965000

trusted library allocation

page read and write

446E000

trusted library allocation

page read and write

34BE000

stack

page read and write

705B000

heap

page read and write

4F0C000

trusted library allocation

page read and write

56B1000

trusted library allocation

page read and write

7510000

trusted library allocation

page read and write

8DFE000

stack

page read and write

3255000

heap

page read and write

54A5000

trusted library allocation

page read and write

5774000

trusted library allocation

page read and write

3ECD000

trusted library allocation

page read and write

5D12000

trusted library allocation

page read and write

50A2000

trusted library allocation

page read and write

4FF5000

trusted library allocation

page read and write

7410000

trusted library allocation

page read and write

5CE0000

trusted library allocation

page read and write

3258000

heap

page read and write

7419000

trusted library allocation

page read and write

5814000

trusted library allocation

page read and write

106A000

stack

page read and write

4155000

trusted library allocation

page read and write

31F0000

heap

page read and write

4F95000

trusted library allocation

page read and write

40D1000

trusted library allocation

page read and write

32D8000

heap

page read and write

3EFA000

trusted library allocation

page read and write

58F5000

trusted library allocation

page read and write

59FB000

trusted library allocation

page read and write

30DD000

stack

page read and write

328F000

heap

page read and write

44A8000

trusted library allocation

page read and write

31FB000

heap

page read and write

3510000

trusted library allocation

page read and write

3210000

trusted library allocation

page read and write

3020000

heap

page read and write

786B000

stack

page read and write

6FB0000

trusted library allocation

page execute and read and write

5902000

trusted library allocation

page read and write

323A000

trusted library allocation

page execute and read and write

729E000

stack

page read and write

3210000

heap

page read and write

5047000

trusted library allocation

page read and write

84C0000

trusted library allocation

page read and write

4E82000

trusted library allocation

page read and write

2D06000

stack

page read and write

7400000

trusted library allocation

page read and write

855B000

stack

page read and write

4FB1000

trusted library allocation

page read and write

123D000

stack

page read and write

328D000

heap

page read and write

58FC000

stack

page read and write

32B8000

heap

page read and write

3EAD000

trusted library allocation

page read and write

4142000

trusted library allocation

page read and write

2E0000

unkown

page execute and write copy

426000

unkown

page execute and read and write

3384000

heap

page read and write

58C7000

trusted library allocation

page read and write

5A35000

trusted library allocation

page read and write

6F90000

trusted library allocation

page execute and read and write

4EE5000

trusted library allocation

page read and write

4282000

trusted library allocation

page read and write

5057000

trusted library allocation

page read and write

553E000

stack

page read and write

746E000

trusted library allocation

page read and write

44CF000

trusted library allocation

page read and write

3E3F000

trusted library allocation

page read and write

370000

unkown

page readonly

5922000

trusted library allocation

page read and write

58F8000

trusted library allocation

page read and write

4CEF000

trusted library allocation

page read and write

7520000

trusted library allocation

page read and write

7405000

trusted library allocation

page read and write

4E66000

trusted library allocation

page read and write

4277000

trusted library allocation

page read and write

12AA000

heap

page read and write

6CBF000

stack

page read and write

709C000

heap

page read and write

59C7000

trusted library allocation

page read and write

376B000

heap

page read and write

57F3000

trusted library allocation

page read and write

4F0F000

trusted library allocation

page read and write

3FDC000

trusted library allocation

page read and write

3780000

heap

page read and write

6DA0000

trusted library allocation

page read and write

50E7000

trusted library allocation

page read and write

54C8000

trusted library allocation

page read and write

592E000

trusted library allocation

page read and write

3D5000

unkown

page write copy

3385000

heap

page read and write

56F9000

trusted library allocation

page read and write

42F4000

trusted library allocation

page read and write

32DC000

heap

page read and write

4426000

trusted library allocation

page read and write

569C000

trusted library allocation

page read and write

3FED000

trusted library allocation

page read and write

3300000

heap

page read and write

3741000

trusted library allocation

page read and write

328D000

heap

page read and write

3F21000

trusted library allocation

page read and write

5490000

trusted library allocation

page read and write

44B9000

trusted library allocation

page read and write

6F00000

trusted library allocation

page read and write

2FAE000

heap

page read and write

3341000

heap

page read and write

30ED000

stack

page read and write

5917000

trusted library allocation

page read and write

3B00000

trusted library allocation

page read and write

4396000

trusted library allocation

page read and write

151E000

stack

page read and write

59CE000

trusted library allocation

page read and write

4515000

trusted library allocation

page read and write

5822000

trusted library allocation

page read and write

4D23000

trusted library allocation

page read and write

8280000

heap

page read and write

5757000

trusted library allocation

page read and write

6FD4000

heap

page read and write

3FE3000

trusted library allocation

page read and write

3385000

heap

page read and write

324B000

trusted library allocation

page execute and read and write

5B10000

heap

page read and write

3CCC000

stack

page read and write

4D5F000

trusted library allocation

page read and write

321A000

heap

page read and write

43C4000

trusted library allocation

page read and write

8584000

trusted library allocation

page read and write

5A74000

trusted library allocation

page read and write

7370000

heap

page read and write

32E2000

heap

page read and write

31D0000

heap

page read and write

AF0000

unkown

page read and write

86CA000

trusted library allocation

page read and write

421B000

trusted library allocation

page read and write

5A7E000

trusted library allocation

page read and write

7A5C000

trusted library allocation

page read and write

75A0000

trusted library allocation

page execute and read and write

580A000

trusted library allocation

page read and write

58AF000

trusted library allocation

page read and write

4224000

trusted library allocation

page read and write

30DA000

stack

page read and write

58B6000

trusted library allocation

page read and write

458B000

trusted library allocation

page read and write

74D0000

trusted library allocation

page read and write

4E6C000

trusted library allocation

page read and write

576B000

trusted library allocation

page read and write

54CD000

trusted library allocation

page read and write

441000

unkown

page execute and read and write

4199000

trusted library allocation

page read and write

86A5000

trusted library allocation

page read and write

5051000

trusted library allocation

page read and write

82B4000

heap

page read and write

560000

unkown

page execute and read and write

3201000

heap

page read and write

8570000

trusted library allocation

page read and write

595B000

trusted library allocation

page read and write

57E8000

trusted library allocation

page read and write

5933000

trusted library allocation

page read and write

419E000

trusted library allocation

page read and write

31C0000

heap

page read and write

30CD000

stack

page read and write

3260000

trusted library allocation

page read and write

31EB000

heap

page read and write

34FB000

stack

page read and write

375A000

trusted library allocation

page read and write

3338000

heap

page read and write

4FE8000

trusted library allocation

page read and write

5738000

trusted library allocation

page read and write

3247000

trusted library allocation

page execute and read and write

879F000

stack

page read and write

3D5000

unkown

page readonly

4309000

trusted library allocation

page read and write

43D0000

trusted library allocation

page read and write

2D80000

heap

page readonly

560000

unkown

page execute and write copy

31F7000

heap

page read and write

3760000

heap

page read and write

5CEB000

trusted library allocation

page read and write

4FBA000

trusted library allocation

page read and write

3295000

heap

page read and write

56FE000

stack

page read and write

579E000

trusted library allocation

page read and write

31EF000

heap

page read and write

3F36000

trusted library allocation

page read and write

573E000

stack

page read and write

40B5000

trusted library allocation

page read and write

3FA2000

trusted library allocation

page read and write

4EEF000

trusted library allocation

page read and write

5611000

trusted library allocation

page read and write

749A000

heap

page read and write

567C000

stack

page read and write

586A000

trusted library allocation

page read and write

5CE4000

trusted library allocation

page read and write

3232000

trusted library allocation

page read and write

3202000

heap

page read and write

6B60000

heap

page read and write

5D20000

trusted library allocation

page read and write

74C0000

trusted library allocation

page read and write

76D0000

trusted library allocation

page read and write

449D000

trusted library allocation

page read and write

11E0000

heap

page read and write

2E0000

unkown

page execute and read and write

4004000

trusted library allocation

page read and write

B15000

unkown

page write copy

8CBF000

stack

page read and write

3EBB000

trusted library allocation

page read and write

30A0000

direct allocation

page execute and read and write

3259000

heap

page read and write

4F9B000

trusted library allocation

page read and write

3F2B000

trusted library allocation

page read and write

596A000

trusted library allocation

page read and write

4F7F000

trusted library allocation

page read and write

55F8000

trusted library allocation

page read and write

4153000

trusted library allocation

page read and write

30CD000

stack

page read and write

AE4000

unkown

page readonly

421000

unkown

page execute and read and write

58C2000

trusted library allocation

page read and write

6D99000

heap

page read and write

3349000

heap

page read and write

73FE000

stack

page read and write

43EC000

trusted library allocation

page read and write

7A00000

trusted library allocation

page execute and read and write

5871000

trusted library allocation

page read and write

7012000

heap

page read and write

5A01000

trusted library allocation

page read and write

5A0E000

trusted library allocation

page read and write

5471000

trusted library allocation

page read and write

8580000

trusted library allocation

page read and write

7054000

heap

page read and write

30DA000

stack

page read and write

321A000

heap

page read and write

7A40000

trusted library allocation

page execute and read and write

7440000

trusted library allocation

page read and write

3788000

heap

page read and write

AE4000

unkown

page readonly

7720000

trusted library allocation

page execute and read and write

3237000

heap

page read and write

1167000

stack

page read and write

749B000

trusted library allocation

page read and write

3237000

heap

page read and write

30E5000

stack

page read and write

59BC000

trusted library allocation

page read and write

30E0000

direct allocation

page execute and read and write

5260000

heap

page read and write

5888000

trusted library allocation

page read and write

43B0000

trusted library allocation

page read and write

30D3000

direct allocation

page execute and read and write

3ED4000

trusted library allocation

page read and write

4EF6000

trusted library allocation

page read and write

321D000

trusted library allocation

page execute and read and write

417B000

trusted library allocation

page read and write

31DE000

stack

page read and write

4F6E000

trusted library allocation

page read and write

5480000

heap

page read and write

5787000

trusted library allocation

page read and write

4F03000

trusted library allocation

page read and write

86E0000

trusted library allocation

page read and write

3EC2000

trusted library allocation

page read and write

7493000

heap

page read and write

57FD000

trusted library allocation

page read and write

576E000

trusted library allocation

page read and write

5A6D000

trusted library allocation

page read and write

56D3000

trusted library allocation

page read and write

58A2000

trusted library allocation

page read and write

AB0000

unkown

page readonly

3768000

heap

page read and write

52D0000

heap

page read and write

8C3E000

stack

page read and write

7498000

heap

page read and write

817D000

stack

page read and write

3D4000

unkown

page read and write

3FB0000

trusted library allocation

page read and write

70BC000

heap

page read and write

3384000

heap

page read and write

3010000

heap

page read and write

8351000

heap

page read and write

7495000

trusted library allocation

page read and write

272000

unkown

page execute and write copy

7417000

trusted library allocation

page read and write

423A000

trusted library allocation

page read and write

74E0000

trusted library allocation

page read and write

6B6E000

heap

page read and write

5977000

trusted library allocation

page read and write

422C000

trusted library allocation

page read and write

3F26000

trusted library allocation

page read and write

30EB000

stack

page read and write

588D000

trusted library allocation

page read and write

6260000

trusted library allocation

page read and write

3230000

trusted library allocation

page read and write

3680000

heap

page read and write

55FE000

stack

page read and write

371000

unkown

page execute read

32E0000

heap

page read and write

4ED5000

trusted library allocation

page read and write

414C000

trusted library allocation

page read and write

4F5C000

trusted library allocation

page read and write

40A9000

trusted library allocation

page read and write

505F000

trusted library allocation

page read and write

57B7000

trusted library allocation

page read and write

740A000

trusted library allocation

page read and write

4EAA000

trusted library allocation

page read and write

577C000

trusted library allocation

page read and write

5002000

trusted library allocation

page read and write

347E000

stack

page read and write

59F4000

trusted library allocation

page read and write

155E000

stack

page read and write

8180000

heap

page read and write

50E2000

trusted library allocation

page read and write

3353000

heap

page read and write

3F43000

trusted library allocation

page read and write

749E000

trusted library allocation

page read and write

53E0000

heap

page read and write

54B3000

trusted library allocation

page read and write

5009000

trusted library allocation

page read and write

86BF000

trusted library allocation

page read and write

6270000

trusted library allocation

page read and write

58E9000

trusted library allocation

page read and write

57E3000

trusted library allocation

page read and write

30E7000

stack

page read and write

3E0F000

trusted library allocation

page read and write

2E50000

heap

page read and write

76CF000

heap

page read and write

6278000

trusted library allocation

page read and write

3385000

heap

page read and write

4EFC000

trusted library allocation

page read and write

5929000

trusted library allocation

page read and write

B15000

unkown

page readonly

4D1B000

trusted library allocation

page read and write

5EE0000

heap

page execute and read and write

549A000

trusted library allocation

page read and write

41AA000

trusted library allocation

page read and write

1250000

heap

page read and write

328D000

heap

page read and write

3213000

trusted library allocation

page execute and read and write

6DFE000

stack

page read and write

3338000

heap

page read and write

885E000

stack

page read and write

54D4000

trusted library allocation

page read and write

5A13000

trusted library allocation

page read and write

1275000

heap

page read and write

87A0000

heap

page read and write

3245000

trusted library allocation

page execute and read and write

32B0000

heap

page read and write

58BF000

trusted library allocation

page read and write

2E90000

heap

page read and write

30E7000

stack

page read and write

4E5F000

trusted library allocation

page read and write

8560000

trusted library allocation

page execute and read and write

31EF000

heap

page read and write

4FAC000

trusted library allocation

page read and write

59D8000

trusted library allocation

page read and write

4F4F000

trusted library allocation

page read and write

7A50000

trusted library allocation

page read and write

585D000

trusted library allocation

page read and write

350D000

stack

page read and write

B16000

unkown

page readonly

3220000

trusted library allocation

page read and write

719D000

stack

page read and write

44AF000

trusted library allocation

page read and write

3A4000

unkown

page readonly

321A000

heap

page read and write

69FE000

stack

page read and write

7415000

trusted library allocation

page read and write

57AA000

trusted library allocation

page read and write

4194000

trusted library allocation

page read and write

87F0000

trusted library allocation

page read and write

7456000

trusted library allocation

page read and write

360D000

stack

page read and write

3F07000

trusted library allocation

page read and write

86D0000

trusted library allocation

page read and write

86D8000

trusted library allocation

page read and write

4506000

trusted library allocation

page read and write

321F000

heap

page read and write

59EE000

trusted library allocation

page read and write

86A2000

trusted library allocation

page read and write

31EB000

heap

page read and write

270000

unkown

page readonly

5606000

trusted library allocation

page read and write

4E84000

trusted library allocation

page read and write

418D000

trusted library allocation

page read and write

438E000

trusted library allocation

page read and write

426D000

trusted library allocation

page read and write

5EDE000

stack

page read and write

86BA000

trusted library allocation

page read and write

87FB000

trusted library allocation

page read and write

50B2000

trusted library allocation

page read and write

3190000

heap

page read and write

5490000

heap

page read and write

3B0000

unkown

page write copy

5D40000

trusted library allocation

page read and write

583F000

stack

page read and write

2C7000

unkown

page execute and write copy

30FA000

stack

page read and write

4EB7000

trusted library allocation

page read and write

337D000

heap

page read and write

3EDB000

trusted library allocation

page read and write

44C4000

trusted library allocation

page read and write

76C0000

trusted library allocation

page read and write

408A000

trusted library allocation

page read and write

59B5000

trusted library allocation

page read and write

5D50000

trusted library allocation

page read and write

328F000

heap

page read and write

3F1A000

trusted library allocation

page read and write

2DD0000

heap

page read and write

2DCE000

stack

page read and write

3760000

heap

page read and write

79AC000

stack

page read and write

87EE000

stack

page read and write

3FA4000

trusted library allocation

page read and write

4589000

trusted library allocation

page read and write

3214000

heap

page read and write

31F1000

heap

page read and write

3B7000

unkown

page read and write

3270000

trusted library allocation

page execute and read and write

54DA000

trusted library allocation

page read and write

30D7000

stack

page read and write

57FC000

stack

page read and write

5742000

trusted library allocation

page read and write

543D000

stack

page read and write

5A4E000

trusted library allocation

page read and write

5D01000

trusted library allocation

page read and write

581F000

trusted library allocation

page read and write

5D52000

trusted library allocation

page read and write

3170000

heap

page read and write

573D000

trusted library allocation

page read and write

86C5000

trusted library allocation

page read and write

5D60000

trusted library allocation

page execute and read and write

2FA9000

heap

page read and write

4F12000

trusted library allocation

page read and write

5014000

trusted library allocation

page read and write

4096000

trusted library allocation

page read and write

4488000

trusted library allocation

page read and write

30F3000

direct allocation

page execute and read and write

5A5B000

trusted library allocation

page read and write

3CD0000

heap

page execute and read and write

744B000

trusted library allocation

page read and write

4495000

trusted library allocation

page read and write

697F000

stack

page read and write

55ED000

trusted library allocation

page read and write

4539000

trusted library allocation

page read and write

597C000

stack

page read and write

2D70000

heap

page read and write

7408000

trusted library allocation

page read and write

3295000

heap

page read and write

445C000

trusted library allocation

page read and write

7F700000

trusted library allocation

page execute and read and write

6FC1000

heap

page read and write

599B000

trusted library allocation

page read and write

4069000

trusted library allocation

page read and write

40DC000

trusted library allocation

page read and write

7530000

trusted library allocation

page execute and read and write

422E000

trusted library allocation

page read and write

76CB000

heap

page read and write

3B38000

trusted library allocation

page read and write

34CE000

stack

page read and write

55E3000

trusted library allocation

page read and write

3A4000

unkown

page readonly

30F2000

stack

page read and write

566D000

trusted library allocation

page read and write

4FA2000

trusted library allocation

page read and write

5A62000

trusted library allocation

page read and write

6D96000

heap

page read and write

447B000

trusted library allocation

page read and write

596D000

trusted library allocation

page read and write

4266000

trusted library allocation

page read and write

3236000

trusted library allocation

page execute and read and write

5E9E000

stack

page read and write

4EBE000

trusted library allocation

page read and write

57D6000

trusted library allocation

page read and write

2E37000

heap

page read and write

58D2000

trusted library allocation

page read and write

4E91000

trusted library allocation

page read and write

57DD000

trusted library allocation

page read and write

72FE000

stack

page read and write

50F4000

trusted library allocation

page read and write

575E000

trusted library allocation

page read and write

6EFE000

stack

page read and write

There are 787 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
file.exe