Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

BhT6NDfElu.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.798166250975832
Filename:	BhT6NDfElu.exe
Filesize:	883200
MD5:	d5a7afaa7cc3c7dc5e19665034a32512
SHA1:	44df27378857397ff58662160bd0efbd82adc925
SHA256:	9440713d78fbc82ff0f1b24bf757e63c5b5c31163fdf2428a2ee244369c81370
SHA512:	e65df38e801fece8a1e4cb389a05732fd9247ada8ddf1cddd488f03720117c7f9fb28499053b6a1e0b6983699683ed96c0f1387f63954b849713b5a2b6627438
SSDEEP:	24576:26WkXAgAmrtn5VDaeToj9ySOF7kXr7Sl:ctmrtK9ob
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....wf................................. ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection	Process Injection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	Process Injection
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Native API
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Process Injection Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary	Process Injection
Binary may include packed or encrypted code	Data Obfuscation	Process Injection Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Process Injection
.NET source code contains long base64-encoded strings	System Summary	Process Injection Disable or Modify Tools
Contains functionality to modify the execution of threads in other processes
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Process Injection Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BhT6NDfElu.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BhT6NDfElu.exe.log
Category:	dropped
Dump:	BhT6NDfElu.exe.log.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\BhT6NDfElu.exe
Type:	CSV text
Entropy:	5.360398796477698
Encrypted:	false
Ssdeep:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
Size:	226
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Found strings which match to known social media urls	Networking
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\d3d9.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\d3d9.dll
Category:	dropped
Dump:	d3d9.dll.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\BhT6NDfElu.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.718918458173882
Encrypted:	false
Ssdeep:	6144:9HGPVgCBV/AkU4+L64QDxB9Aeob1tQLBYh6ft:9HGtgCBVmNyDxBC7b1tQLBYhst
Size:	224256
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Category:	dropped
Dump:	AppLaunch.exe.log.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.330114603578639
Encrypted:	false
Ssdeep:	48:MxHKlYHKh3okHafHK7HKhBHKntHo6hAHKzeEHK8THQmHKtXoPHZHjHKx1qHxLHqV:iqlYqh3okmq7qLqntI6eqzPqojqo5DqL
Size:	2545
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\BhT6NDfElu.exe

"C:\Users\user\Desktop\BhT6NDfElu.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7256
Target ID:	0
Parent PID:	2580
Name:	BhT6NDfElu.exe
Path:	C:\Users\user\Desktop\BhT6NDfElu.exe
Commandline:	"C:\Users\user\Desktop\BhT6NDfElu.exe"
Size:	883200
MD5:	D5A7AFAA7CC3C7DC5E19665034A32512
Time:	17:36:57
Date:	13/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xe60000
Modulesize:	909312
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Found strings which match to known social media urls	Networking
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7316
Target ID:	2
Parent PID:	7256
Name:	AppLaunch.exe
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Size:	103528
MD5:	89D41E1CF478A3D3C2C701A27A5692B2
Time:	17:36:57
Date:	13/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x8c0000
Modulesize:	102400
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7264
Target ID:	1
Parent PID:	7256
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	17:36:57
Date:	13/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://t.me/+J_Z1QGHfHko0MGZi

149.154.167.99

https://t.me/

unknown

https://t.me/+J_Z1QGHfHko0MGZi*https://steamcommunity.com/id/elcadillac

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/sct

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

unknown

http://tempuri.org/Contract/MSValue3ResponseD

unknown

http://tempuri.org/Contract/MSValue2Response

unknown

http://tempuri.org/

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1

unknown

http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret

unknown

http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/fault

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey

unknown

https://api.ip.sb/ip

unknown

http://schemas.xmlsoap.org/ws/2004/04/sc

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1

unknown

http://tempuri.org/Contract/MSValue3Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce

unknown

http://tempuri.org/Contract/MSValue2ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Renew

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT

unknown

http://schemas.xmlsoap.org/ws/2006/02/addressingidentity

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1

unknown

http://tempuri.org/Contract/MSValue1

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust

unknown

http://tempuri.org/Contract/MSValue2

unknown

http://tempuri.org/Contract/MSValue3

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT

unknown

http://tempuri.org/D

unknown

http://schemas.xmlsoap.org/ws/2004/06/addressingex

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ

unknown

http://www.w3.o

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous

unknown

http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap

unknown

http://schemas.xmlsoap.org/ws/2002/12/policy

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue

unknown

http://tempuri.org/Contract/MSValue1ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Issue

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

t.me

149.154.167.99

Details

Name:	t.me
IP:	149.154.167.99
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

sp.joger.top

95.217.245.123

Details

Name:	sp.joger.top
IP:	95.217.245.123
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

95.217.245.123

sp.joger.top

Germany

Details

IP:	95.217.245.123
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Country:	Germany
Countrycode:	DEU
ASN number:	24940
ASN name:	HETZNER-ASDE
Private:	false
Domain:	sp.joger.top

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

149.154.167.99

t.me

United Kingdom

Details

IP:	149.154.167.99
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	t.me

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AppLaunch_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AppLaunch_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AppLaunch_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AppLaunch_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AppLaunch_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AppLaunch_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AppLaunch_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AppLaunch_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AppLaunch_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AppLaunch_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AppLaunch_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AppLaunch_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AppLaunch_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AppLaunch_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

6E38C000

unkown

page read and write

402000

remote allocation

page execute and read and write

9ADE000

stack

page read and write

989E000

stack

page read and write

9DD0000

trusted library allocation

page read and write

AC13000

heap

page read and write

9D31000

heap

page read and write

54A7000

heap

page read and write

6E3A9000

unkown

page readonly

1870000

heap

page execute and read and write

15F0000

trusted library allocation

page read and write

3350000

trusted library allocation

page read and write

BBD0000

heap

page read and write

ADA0000

trusted library allocation

page read and write

AF5F000

trusted library allocation

page read and write

D7E9000

trusted library allocation

page read and write

AE08000

trusted library allocation

page read and write

93ED000

stack

page read and write

AF7D000

trusted library allocation

page read and write

ABC2000

heap

page read and write

AC39000

heap

page read and write

B470000

trusted library allocation

page execute and read and write

AC8D000

heap

page read and write

12F8000

stack

page read and write

9DA0000

trusted library allocation

page read and write

334E000

stack

page read and write

AB90000

heap

page read and write

AC1C000

heap

page read and write

ADB6000

trusted library allocation

page read and write

1860000

trusted library allocation

page execute and read and write

CB3E000

stack

page read and write

57B0000

heap

page read and write

AD48000

heap

page read and write

BBF4000

heap

page read and write

1501000

heap

page read and write

54FC000

heap

page read and write

9853000

heap

page execute and read and write

AF6E000

trusted library allocation

page read and write

5772000

trusted library allocation

page read and write

ADE8000

trusted library allocation

page read and write

9850000

heap

page execute and read and write

AD70000

heap

page read and write

9F30000

trusted library allocation

page read and write

576D000

trusted library allocation

page execute and read and write

53A0000

heap

page read and write

ADB0000

trusted library allocation

page read and write

15FD000

trusted library allocation

page execute and read and write

AF54000

trusted library allocation

page read and write

41E000

remote allocation

page execute and read and write

ABD3000

heap

page read and write

9DC1000

trusted library allocation

page read and write

1420000

heap

page read and write

5395000

heap

page read and write

AF50000

trusted library allocation

page read and write

575D000

trusted library allocation

page execute and read and write

9DDD000

trusted library allocation

page read and write

1490000

heap

page read and write

552C000

heap

page read and write

1850000

trusted library allocation

page read and write

ADFD000

trusted library allocation

page read and write

B290000

trusted library allocation

page read and write

15F4000

trusted library allocation

page read and write

15CE000

stack

page read and write

5780000

trusted library allocation

page read and write

AF0E000

stack

page read and write

9DB0000

trusted library allocation

page read and write

B540000

trusted library allocation

page execute and read and write

3371000

trusted library allocation

page read and write

18BE000

stack

page read and write

5776000

trusted library allocation

page execute and read and write

9DF1000

trusted library allocation

page read and write

B3E0000

trusted library allocation

page read and write

5539000

heap

page read and write

173E000

stack

page read and write

9D95000

trusted library allocation

page read and write

AC42000

heap

page read and write

1340000

heap

page read and write

CA3E000

stack

page read and write

ADB3000

trusted library allocation

page read and write

14BC000

heap

page read and write

B5A0000

trusted library allocation

page execute and read and write

A2C0000

trusted library allocation

page read and write

B280000

trusted library allocation

page read and write

543E000

stack

page read and write

B550000

trusted library allocation

page execute and read and write

5470000

heap

page read and write

AE15000

trusted library allocation

page read and write

B440000

trusted library allocation

page execute and read and write

999F000

stack

page read and write

5516000

heap

page read and write

5511000

heap

page read and write

5A06000

heap

page read and write

9C50000

heap

page read and write

B560000

trusted library allocation

page read and write

1627000

trusted library allocation

page execute and read and write

59D0000

heap

page execute and read and write

B580000

trusted library allocation

page read and write

ADF9000

trusted library allocation

page read and write

53F0000

heap

page read and write

AF9B000

trusted library allocation

page read and write

9D66000

trusted library allocation

page read and write

5390000

heap

page read and write

5740000

trusted library allocation

page read and write

9D5B000

trusted library allocation

page read and write

A2A0000

trusted library allocation

page read and write

B32E000

stack

page read and write

E60000

unkown

page readonly

AC77000

heap

page read and write

82C2000

trusted library allocation

page read and write

72B1000

trusted library allocation

page read and write

A2B0000

trusted library allocation

page execute and read and write

5753000

trusted library allocation

page execute and read and write

AF4E000

stack

page read and write

B437000

trusted library allocation

page read and write

ACAA000

heap

page read and write

B68B000

stack

page read and write

AD8E000

heap

page read and write

573E000

stack

page read and write

548E000

heap

page read and write

AF5B000

trusted library allocation

page read and write

AE20000

trusted library allocation

page read and write

ABBC000

heap

page read and write

AF68000

trusted library allocation

page read and write

ABCD000

heap

page read and write

1310000

heap

page read and write

F0C000

unkown

page readonly

C13E000

stack

page read and write

ABE1000

heap

page read and write

AB8F000

stack

page read and write

3360000

heap

page read and write

72EB000

trusted library allocation

page read and write

AD4C000

heap

page read and write

9D17000

heap

page read and write

A28E000

stack

page read and write

AD90000

trusted library allocation

page execute and read and write

7333000

trusted library allocation

page read and write

9D81000

trusted library allocation

page read and write

15E0000

trusted library allocation

page read and write

6E370000

unkown

page readonly

B690000

trusted library allocation

page read and write

9E00000

heap

page read and write

9B1D000

stack

page read and write

BBD8000

heap

page read and write

5820000

heap

page read and write

AE50000

trusted library allocation

page execute and read and write

72F3000

trusted library allocation

page read and write

FF580000

trusted library allocation

page execute and read and write

AD06000

heap

page read and write

5787000

trusted library allocation

page execute and read and write

D731000

trusted library allocation

page read and write

82CE000

trusted library allocation

page read and write

D630000

heap

page read and write

9D50000

trusted library allocation

page read and write

AF85000

trusted library allocation

page read and write

ADEB000

trusted library allocation

page read and write

5531000

heap

page read and write

B51E000

trusted library allocation

page read and write

56B0000

heap

page read and write

A340000

trusted library allocation

page read and write

AF64000

trusted library allocation

page read and write

19BF000

stack

page read and write

8324000

trusted library allocation

page read and write

C766000

trusted library allocation

page read and write

B430000

trusted library allocation

page read and write

ABFE000

heap

page read and write

57A0000

trusted library allocation

page read and write

AA8E000

stack

page read and write

B26E000

stack

page read and write

AE30000

trusted library allocation

page read and write

BC14000

heap

page read and write

9D9A000

trusted library allocation

page read and write

19C0000

heap

page read and write

82BB000

trusted library allocation

page read and write

AF79000

trusted library allocation

page read and write

B400000

trusted library allocation

page read and write

B570000

trusted library allocation

page execute and read and write

5754000

trusted library allocation

page read and write

1620000

trusted library allocation

page read and write

8317000

trusted library allocation

page read and write

5750000

trusted library allocation

page read and write

ABE9000

heap

page read and write

14AF000

heap

page read and write

AE1F000

trusted library allocation

page read and write

ADF5000

trusted library allocation

page read and write

5A00000

heap

page read and write

AECD000

stack

page read and write

5338000

stack

page read and write

82C8000

trusted library allocation

page read and write

5785000

trusted library allocation

page execute and read and write

B2A0000

trusted library allocation

page execute and read and write

B3EB000

trusted library allocation

page read and write

AE23000

trusted library allocation

page read and write

578B000

trusted library allocation

page execute and read and write

5760000

trusted library allocation

page read and write

9DD7000

trusted library allocation

page read and write

C030000

heap

page read and write

82D5000

trusted library allocation

page read and write

AF71000

trusted library allocation

page read and write

FCC000

stack

page read and write

A360000

trusted library allocation

page read and write

C74D000

trusted library allocation

page read and write

6E385000

unkown

page readonly

56F0000

trusted library allocation

page execute and read and write

5770000

trusted library allocation

page read and write

B410000

trusted library allocation

page read and write

5A0E000

heap

page read and write

B2EE000

stack

page read and write

A330000

trusted library allocation

page execute and read and write

6E371000

unkown

page execute read

9D7E000

trusted library allocation

page read and write

92EC000

stack

page read and write

5810000

trusted library allocation

page execute and read and write

AD7C000

heap

page read and write

E62000

unkown

page readonly

9D72000

trusted library allocation

page read and write

BC03000

heap

page read and write

146E000

stack

page read and write

ADF0000

trusted library allocation

page read and write

592E000

stack

page read and write

1600000

trusted library allocation

page read and write

ACEC000

heap

page read and write

1498000

heap

page read and write

57FE000

stack

page read and write

9D61000

trusted library allocation

page read and write

B296000

trusted library allocation

page read and write

ADD0000

heap

page execute and read and write

AC05000

heap

page read and write

B3F0000

heap

page read and write

5A0A000

heap

page read and write

149E000

heap

page read and write

A350000

trusted library allocation

page read and write

B420000

trusted library allocation

page read and write

B270000

trusted library allocation

page read and write

14D2000

heap

page read and write

4374000

trusted library allocation

page read and write

5544000

heap

page read and write

A310000

trusted library allocation

page read and write

A320000

trusted library allocation

page read and write

B3D0000

trusted library allocation

page read and write

AC5F000

heap

page read and write

9F20000

trusted library allocation

page read and write

B500000

trusted library allocation

page read and write

AC6F000

heap

page read and write

183F000

stack

page read and write

4371000

trusted library allocation

page read and write

AD60000

heap

page read and write

AF99000

trusted library allocation

page read and write

AF82000

trusted library allocation

page read and write

8326000

trusted library allocation

page read and write

AE0F000

trusted library allocation

page read and write

9760000

heap

page read and write

523C000

stack

page read and write

9F0D000

stack

page read and write

5549000

heap

page read and write

9CE4000

heap

page read and write

5800000

heap

page readonly

59AE000

stack

page read and write

59E0000

trusted library allocation

page read and write

9ECE000

stack

page read and write

AF90000

trusted library allocation

page read and write

5523000

heap

page read and write

A290000

trusted library allocation

page execute and read and write

53ED000

stack

page read and write

B5D0000

trusted library allocation

page read and write

AE1A000

trusted library allocation

page read and write

56D0000

trusted library allocation

page read and write

72E5000

trusted library allocation

page read and write

596E000

stack

page read and write

1630000

heap

page read and write

59F0000

trusted library allocation

page read and write

162B000

trusted library allocation

page execute and read and write

AE40000

trusted library allocation

page execute and read and write

324E000

stack

page read and write

5782000

trusted library allocation

page read and write

15F3000

trusted library allocation

page execute and read and write

8320000

trusted library allocation

page read and write

54F0000

heap

page read and write

14B7000

heap

page read and write

AC98000

heap

page read and write

1315000

heap

page read and write

B510000

trusted library allocation

page read and write

82B1000

trusted library allocation

page read and write

898C000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

ADC0000

trusted library allocation

page execute and read and write

B590000

trusted library allocation

page execute and read and write

BC48000

heap

page read and write

1604000

trusted library allocation

page read and write

99DE000

stack

page read and write

D646000

heap

page read and write

550B000

heap

page read and write

ADE0000

trusted library allocation

page read and write

9C1E000

stack

page read and write

72AF000

stack

page read and write

AC83000

heap

page read and write

551E000

heap

page read and write

5559000

heap

page read and write

AC07000

heap

page read and write

9730000

heap

page read and write

9750000

heap

page read and write

549A000

heap

page read and write

9D90000

trusted library allocation

page read and write

9E8E000

stack

page read and write

AF76000

trusted library allocation

page read and write

AE60000

trusted library allocation

page read and write

5478000

heap

page read and write

9CAB000

heap

page read and write

There are 297 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
BhT6NDfElu.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportBhT6NDfElu.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
BhT6NDfElu.exe