Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Rendeles_042024,jpg.scr.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.9246958307344695
Filename:	Rendeles_042024,jpg.scr.exe
Filesize:	738816
MD5:	f9a9054852e6529e9e3d8b392241601c
SHA1:	e96482de839c1fe063982ef64d6d930312054ea6
SHA256:	96c18fdcc302306d493535b0c90413892759a61925bcb3cf2f0d1a1cbbac554e
SHA512:	91349fbd232b4663e72f5b54398f5e751a4ba86cb436efd44a605976386d4944270ee50971349509108157f8e55742c4cb4709ef9e086db2146bfd0afefeaabf
SSDEEP:	12288:nTB778QduSfT7LaUuOuIgVuboparMfRVzZ9uc+VnP6GStXRl4UNmXP1dDhu1vMCg:TBLuA8OzgVub4arqVzZ9o3OXRlBNYP1X
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0..8...........W... ...`....@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation
.NET source code contains potential unpacker	Data Obfuscation
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)	Anti Debugging
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks if the current process is being debugged	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary	System Information Discovery
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Rendeles_042024,jpg.scr.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Rendeles_042024,jpg.scr.exe.log
Category:	dropped
Dump:	Rendeles_042024,jpg.scr.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Rendeles_042024,jpg.scr.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Rendeles_042024,jpg.scr.exe

"C:\Users\user\Desktop\Rendeles_042024,jpg.scr.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2884
Target ID:	0
Parent PID:	1028
Name:	Rendeles_042024,jpg.scr.exe
Path:	C:\Users\user\Desktop\Rendeles_042024,jpg.scr.exe
Commandline:	"C:\Users\user\Desktop\Rendeles_042024,jpg.scr.exe"
Size:	738816
MD5:	F9A9054852E6529E9E3D8B392241601C
Time:	10:17:49
Date:	29/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd30000
Modulesize:	761856
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\Rendeles_042024,jpg.scr.exe

"C:\Users\user\Desktop\Rendeles_042024,jpg.scr.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2260
Target ID:	3
Parent PID:	2884
Name:	Rendeles_042024,jpg.scr.exe
Path:	C:\Users\user\Desktop\Rendeles_042024,jpg.scr.exe
Commandline:	"C:\Users\user\Desktop\Rendeles_042024,jpg.scr.exe"
Size:	738816
MD5:	F9A9054852E6529E9E3D8B392241601C
Time:	10:17:50
Date:	29/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x50000
Modulesize:	761856
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\Rendeles_042024,jpg.scr.exe

"C:\Users\user\Desktop\Rendeles_042024,jpg.scr.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2140
Target ID:	4
Parent PID:	2884
Name:	Rendeles_042024,jpg.scr.exe
Path:	C:\Users\user\Desktop\Rendeles_042024,jpg.scr.exe
Commandline:	"C:\Users\user\Desktop\Rendeles_042024,jpg.scr.exe"
Size:	738816
MD5:	F9A9054852E6529E9E3D8B392241601C
Time:	10:17:50
Date:	29/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc40000
Modulesize:	761856
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://api.ipify.org/

104.26.13.205

Details

Name:	https://api.ipify.org/
IP:	104.26.13.205
TargetID:	4
From Memory:	false
Current Path:	C:\Users\user\Desktop\Rendeles_042024,jpg.scr.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://api.ipify.org

unknown

Details

Name:	https://api.ipify.org
TargetID:	-1
From Memory:	true
Source:	Rendeles_042024,jpg.scr.exe, 00000000.00000002.2010581386.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, Rendeles_042024,jpg.scr.exe, 00000000.00000002.2010581386.0000000004E82000.00000004.00000800.00020000.00000000.sdmp, Rendeles_042024,jpg.scr.exe, 00000004.00000002.3247016161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rendeles_042024,jpg.scr.exe, 00000004.00000002.3249220624.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://mail.woxi.cz

unknown

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	-1
From Memory:	true
Source:	Rendeles_042024,jpg.scr.exe, 00000000.00000002.2010581386.0000000004EFE000.00000004.00000800.00020000.00000000.sdmp, Rendeles_042024,jpg.scr.exe, 00000000.00000002.2010581386.0000000004E82000.00000004.00000800.00020000.00000000.sdmp, Rendeles_042024,jpg.scr.exe, 00000004.00000002.3247016161.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.ipify.org/t

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://ip-api.com/line/?fields=hosting

208.95.112.1

Details

Name:	http://ip-api.com/line/?fields=hosting
IP:	208.95.112.1
TargetID:	4
From Memory:	false
Current Path:	C:\Users\user\Desktop\Rendeles_042024,jpg.scr.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking

http://ip-api.com

unknown

Domains

Name

Malicious

mail.woxi.cz

77.93.220.4

Details

Name:	mail.woxi.cz
IP:	77.93.220.4
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

104.26.13.205

Details

Name:	api.ipify.org
IP:	104.26.13.205
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Check if machine is in data center or colocation facility	Malware Analysis System Evasion	Security Software Discovery
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

77.93.220.4

mail.woxi.cz

Czech Republic

Details

IP:	77.93.220.4
TargetID:	4
Current Path:	C:\Users\user\Desktop\Rendeles_042024,jpg.scr.exe
Country:	Czech Republic
Countrycode:	CZE
ASN number:	24971
ASN name:	MASTER-ASCzechRepublicwwwmasterczCZ
Private:	false
Domain:	mail.woxi.cz

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

208.95.112.1

ip-api.com

United States

104.26.13.205

api.ipify.org

United States

Details

IP:	104.26.13.205
TargetID:	4
Current Path:	C:\Users\user\Desktop\Rendeles_042024,jpg.scr.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Rendeles_042024,jpg_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Rendeles_042024,jpg_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Rendeles_042024,jpg_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Rendeles_042024,jpg_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Rendeles_042024,jpg_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Rendeles_042024,jpg_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Rendeles_042024,jpg_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Rendeles_042024,jpg_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Rendeles_042024,jpg_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Rendeles_042024,jpg_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Rendeles_042024,jpg_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Rendeles_042024,jpg_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Rendeles_042024,jpg_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Rendeles_042024,jpg_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

3004000

trusted library allocation

page read and write

302D000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

4EFE000

trusted library allocation

page read and write

3259000

trusted library allocation

page read and write

4E82000

trusted library allocation

page read and write

3035000

trusted library allocation

page read and write

7BB0000

trusted library section

page read and write

7FAC0000

trusted library allocation

page execute and read and write

2EA0000

trusted library allocation

page read and write

6F10000

heap

page read and write

548E000

trusted library allocation

page read and write

4A25000

trusted library allocation

page read and write

150E000

stack

page read and write

3130000

trusted library allocation

page read and write

1250000

heap

page read and write

15B3000

trusted library allocation

page execute and read and write

5780000

heap

page read and write

303B000

trusted library allocation

page read and write

7BA0000

trusted library section

page read and write

10F8000

stack

page read and write

4B5E000

trusted library allocation

page read and write

7B90000

trusted library allocation

page execute and read and write

15D2000

trusted library allocation

page read and write

54B2000

trusted library allocation

page read and write

5486000

trusted library allocation

page read and write

4985000

trusted library allocation

page read and write

5750000

heap

page execute and read and write

3527000

trusted library allocation

page read and write

2E3C000

stack

page read and write

302B000

trusted library allocation

page read and write

15FE000

stack

page read and write

124A000

heap

page read and write

1443000

heap

page read and write

11FA000

heap

page read and write

548B000

trusted library allocation

page read and write

5C9F000

stack

page read and write

1420000

heap

page read and write

5B9E000

stack

page read and write

1435000

heap

page read and write

9DA2000

trusted library allocation

page read and write

13CA000

trusted library allocation

page execute and read and write

6F20000

trusted library allocation

page read and write

7F88000

trusted library allocation

page read and write

1300000

heap

page read and write

138E000

unkown

page read and write

7F80000

trusted library allocation

page read and write

56FE000

stack

page read and write

96AE000

heap

page read and write

3571000

trusted library allocation

page read and write

6828000

heap

page read and write

DA7E000

stack

page read and write

2DFE000

stack

page read and write

5721000

trusted library allocation

page read and write

572D000

trusted library allocation

page read and write

14F2000

heap

page read and write

1400000

heap

page read and write

13E7000

trusted library allocation

page execute and read and write

A2EE000

stack

page read and write

57B3000

heap

page read and write

2F84000

trusted library allocation

page read and write

15B4000

trusted library allocation

page read and write

3170000

heap

page execute and read and write

1441000

heap

page read and write

7F95000

heap

page read and write

5D07000

trusted library allocation

page read and write

13B0000

trusted library allocation

page read and write

4A73000

trusted library allocation

page read and write

1207000

heap

page read and write

7E40000

trusted library allocation

page read and write

1275000

heap

page read and write

36B4000

trusted library allocation

page read and write

6D43000

trusted library allocation

page read and write

5740000

heap

page read and write

5570000

heap

page read and write

7FD4000

heap

page read and write

DEBF000

stack

page read and write

7E60000

heap

page read and write

13A4000

trusted library allocation

page read and write

527C000

stack

page read and write

7BC0000

trusted library allocation

page read and write

6BBE000

stack

page read and write

3070000

trusted library section

page read and write

1240000

heap

page read and write

57A0000

trusted library allocation

page read and write

9C8D000

stack

page read and write

43E000

remote allocation

page execute and read and write

D89000

stack

page read and write

3160000

trusted library allocation

page execute and read and write

4181000

trusted library allocation

page read and write

2D90000

trusted library allocation

page read and write

14F6000

heap

page read and write

124C000

heap

page read and write

49D7000

trusted library allocation

page read and write

6B3D000

stack

page read and write

7910000

trusted library allocation

page read and write

6D50000

trusted library allocation

page read and write

D32000

unkown

page execute and read and write

7B80000

heap

page read and write

3100000

trusted library allocation

page read and write

11EF000

heap

page read and write

16FE000

stack

page read and write

15DA000

trusted library allocation

page execute and read and write

3090000

trusted library allocation

page read and write

140E000

heap

page read and write

13C0000

trusted library allocation

page read and write

2FA1000

trusted library allocation

page read and write

7FB0000

heap

page read and write

571E000

trusted library allocation

page read and write

13D0000

heap

page read and write

68BE000

stack

page read and write

2E40000

trusted library allocation

page execute and read and write

5790000

trusted library allocation

page read and write

3525000

trusted library allocation

page read and write

13CE000

unkown

page read and write

5580000

heap

page read and write

7F90000

heap

page read and write

2F80000

trusted library allocation

page read and write

1255000

heap

page read and write

11D0000

heap

page read and write

15CD000

trusted library allocation

page execute and read and write

3000000

heap

page read and write

DEFE000

stack

page read and write

2D95000

trusted library allocation

page execute and read and write

DB7E000

stack

page read and write

15A0000

trusted library allocation

page read and write

DE5000

unkown

page execute and read and write

DDBE000

stack

page read and write

6780000

heap

page read and write

7E50000

trusted library allocation

page execute and read and write

D97E000

stack

page read and write

3125000

trusted library allocation

page read and write

69BE000

stack

page read and write

3027000

trusted library allocation

page read and write

5CF0000

trusted library allocation

page read and write

5492000

trusted library allocation

page read and write

A30A000

heap

page read and write

DE0000

heap

page read and write

A31A000

heap

page read and write

6DCE000

stack

page read and write

4009000

trusted library allocation

page read and write

2EEE000

stack

page read and write

6D63000

trusted library allocation

page read and write

2D9B000

trusted library allocation

page execute and read and write

7BD0000

heap

page execute and read and write

6D80000

trusted library allocation

page execute and read and write

1428000

heap

page read and write

5726000

trusted library allocation

page read and write

6B7F000

stack

page read and write

13BD000

trusted library allocation

page execute and read and write

2FF1000

trusted library allocation

page read and write

2FDF000

trusted library allocation

page read and write

5792000

trusted library allocation

page read and write

2E50000

trusted library allocation

page read and write

DE5000

heap

page read and write

9B4E000

stack

page read and write

15E7000

heap

page read and write

2FED000

trusted library allocation

page read and write

55FE000

stack

page read and write

599C000

stack

page read and write

1204000

heap

page read and write

6E80000

trusted library allocation

page read and write

2FEE000

stack

page read and write

15D0000

trusted library allocation

page read and write

549A000

trusted library allocation

page read and write

1247000

heap

page read and write

14CE000

stack

page read and write

13C6000

trusted library allocation

page execute and read and write

15B0000

trusted library allocation

page read and write

2DB0000

trusted library allocation

page read and write

9B0E000

stack

page read and write

1449000

heap

page read and write

1390000

trusted library allocation

page read and write

11D8000

heap

page read and write

96A0000

heap

page read and write

306E000

stack

page read and write

54C0000

trusted library allocation

page read and write

2D92000

trusted library allocation

page read and write

3FA1000

trusted library allocation

page read and write

15D6000

trusted library allocation

page execute and read and write

136E000

stack

page read and write

80E0000

trusted library allocation

page read and write

134E000

stack

page read and write

12D0000

heap

page read and write

64FF000

stack

page read and write

D30000

unkown

page readonly

3140000

trusted library allocation

page read and write

107A000

stack

page read and write

3120000

trusted library allocation

page read and write

9A50000

trusted library section

page read and write

6DD0000

heap

page read and write

13E0000

trusted library allocation

page read and write

67C6000

heap

page read and write

9C4E000

stack

page read and write

56FF000

stack

page read and write

DDB000

unkown

page execute and read and write

7DAB000

stack

page read and write

15BD000

trusted library allocation

page execute and read and write

6D40000

trusted library allocation

page read and write

12A9000

heap

page read and write

11E0000

heap

page read and write

2E60000

trusted library allocation

page read and write

5704000

trusted library allocation

page read and write

5480000

trusted library allocation

page read and write

1447000

heap

page read and write

15C0000

trusted library allocation

page read and write

34D1000

trusted library allocation

page read and write

57B0000

heap

page read and write

5A9E000

stack

page read and write

2D97000

trusted library allocation

page execute and read and write

D32000

unkown

page readonly

2F7F000

stack

page read and write

2FD5000

trusted library allocation

page read and write

4FA8000

trusted library allocation

page read and write

1177000

stack

page read and write

D30000

unkown

page execute and read and write

5740000

trusted library allocation

page read and write

13A0000

trusted library allocation

page read and write

13E2000

trusted library allocation

page read and write

142D000

heap

page read and write

3573000

trusted library allocation

page read and write

30EC000

stack

page read and write

2F90000

heap

page execute and read and write

7E30000

trusted library allocation

page execute and read and write

7F70000

trusted library allocation

page read and write

11D0000

heap

page read and write

3020000

trusted library allocation

page execute and read and write

2FF0000

trusted library allocation

page execute and read and write

5573000

heap

page read and write

6D6D000

trusted library allocation

page read and write

3029000

trusted library allocation

page read and write

13A3000

trusted library allocation

page execute and read and write

DC80000

heap

page read and write

5700000

trusted library allocation

page read and write

30F0000

trusted library allocation

page read and write

3110000

trusted library allocation

page read and write

15E0000

heap

page read and write

1408000

heap

page read and write

DF0000

heap

page read and write

13EB000

trusted library allocation

page execute and read and write

4989000

trusted library allocation

page read and write

1307000

heap

page read and write

6AFE000

stack

page read and write

6F60000

trusted library allocation

page execute and read and write

6D70000

trusted library allocation

page read and write

A2F0000

heap

page read and write

400000

remote allocation

page execute and read and write

63FD000

stack

page read and write

551C000

stack

page read and write

2E70000

heap

page read and write

549E000

trusted library allocation

page read and write

69FE000

stack

page read and write

A305000

heap

page read and write

56BE000

stack

page read and write

DFFE000

stack

page read and write

54AD000

trusted library allocation

page read and write

7B70000

heap

page read and write

570B000

trusted library allocation

page read and write

3181000

trusted library allocation

page read and write

5D00000

trusted library allocation

page read and write

7F6D000

stack

page read and write

6CBE000

stack

page read and write

3FC9000

trusted library allocation

page read and write

13AD000

trusted library allocation

page execute and read and write

7FA0000

heap

page read and write

7230000

heap

page read and write

54A1000

trusted library allocation

page read and write

513E000

stack

page read and write

DC7D000

stack

page read and write

7B60000

trusted library section

page readonly

713E000

stack

page read and write

54A6000

trusted library allocation

page read and write

6EA0000

trusted library allocation

page execute and read and write

122E000

stack

page read and write

6812000

heap

page read and write

There are 265 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Rendeles_042024,jpg.scr.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportRendeles_042024,jpg.scr.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Rendeles_042024,jpg.scr.exe