Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Implosions.exe

"C:\Users\user\Desktop\Implosions.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6364
Target ID:	0
Parent PID:	4056
Name:	Implosions.exe
Path:	C:\Users\user\Desktop\Implosions.exe
Commandline:	"C:\Users\user\Desktop\Implosions.exe"
Size:	97792
MD5:	1DE3D44FC259E585D924D872D8224972
Time:	14:57:07
Date:	16/03/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x2f0000
Modulesize:	122880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6368
Target ID:	1
Parent PID:	6364
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	14:57:07
Date:	16/03/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6e60e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://209.38.151.4:55123/

209.38.151.4

209.38.151.4:55123

https://ipinfo.io/ip%appdata%

unknown

http://209.38.151.4:55123

unknown

http://tempuri.org/Endpoint/CheckConnectLR

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous

unknown

http://tempuri.org/Endpoint/CheckConnectResponse

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX

unknown

https://api.ip.sb/geoip%USERPEnvironmentROFILE%

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://tempuri.org/

unknown

http://tempuri.org/Endpoint/CheckConnect

unknown

http://tempuri.org/Endpoint/EnvironmentSettingsLR

unknown

http://tempuri.org/Endpoint/VerifyUpdateResponse

unknown

http://tempuri.org/Endpoint/SetEnvironmentResponse

unknown

http://tempuri.org/Endpoint/SetEnvironmentLR

unknown

https://api.ipify.orgcookies//settinString.Removeg

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://tempuri.org/Endpoint/GetUpdatesLR

unknown

http://tempuri.org/Endpoint/VerifyUpdateLR

unknown

http://tempuri.org/Endpoint/GetUpdatesResponse

unknown

http://tempuri.org/Endpoint/

unknown

http://tempuri.org/Endpoint/EnvironmentSettingsResponse

unknown

http://tempuri.org/Endpoint/CheckConnectT

unknown

http://tempuri.org/0

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://schemas.xmlsoap.org/soap/actor/next

unknown

There are 17 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

209.38.151.4

unknown

United States

Details

IP:	209.38.151.4
TargetID:	0
Current Path:	C:\Users\user\Desktop\Implosions.exe
Country:	United States
Countrycode:	USA
ASN number:	7018
ASN name:	ATT-INTERNET4US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Implosions_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Implosions_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Implosions_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Implosions_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Implosions_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Implosions_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Implosions_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Implosions_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Implosions_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Implosions_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Implosions_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Implosions_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Implosions_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Implosions_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2F2000

unkown

page readonly

B02000

trusted library allocation

page read and write

B80000

trusted library allocation

page read and write

5D0E000

stack

page read and write

7AA000

heap

page read and write

4FE0000

trusted library allocation

page read and write

50BE000

stack

page read and write

4EF1000

trusted library allocation

page read and write

B05000

trusted library allocation

page execute and read and write

54AE000

stack

page read and write

4ECE000

stack

page read and write

4B9E000

trusted library allocation

page read and write

4F80000

trusted library allocation

page read and write

765000

heap

page read and write

AF0000

trusted library allocation

page read and write

476E000

stack

page read and write

6F7000

stack

page read and write

B0B000

trusted library allocation

page execute and read and write

2663000

trusted library allocation

page read and write

4ED0000

trusted library allocation

page read and write

AA0000

heap

page read and write

2F0000

unkown

page readonly

4BA1000

trusted library allocation

page read and write

810000

heap

page read and write

A70000

trusted library allocation

page read and write

4BB0000

trusted library allocation

page read and write

5C0F000

stack

page read and write

4B81000

trusted library allocation

page read and write

4B92000

trusted library allocation

page read and write

51D0000

trusted library allocation

page read and write

35D1000

trusted library allocation

page read and write

2666000

trusted library allocation

page read and write

7EE80000

trusted library allocation

page execute and read and write

26AF000

trusted library allocation

page read and write

B70000

trusted library allocation

page read and write

266F000

trusted library allocation

page read and write

51CE000

stack

page read and write

4F70000

trusted library allocation

page read and write

265E000

trusted library allocation

page read and write

A8D000

trusted library allocation

page execute and read and write

710000

heap

page read and write

B90000

heap

page read and write

25D1000

trusted library allocation

page read and write

B40000

heap

page read and write

5E0E000

stack

page read and write

7A0000

heap

page read and write

7C7000

heap

page read and write

4FF0000

trusted library allocation

page read and write

2685000

trusted library allocation

page read and write

A83000

trusted library allocation

page execute and read and write

5E24000

heap

page read and write

4BC0000

heap

page execute and read and write

265B000

trusted library allocation

page read and write

A84000

trusted library allocation

page read and write

7D4000

heap

page read and write

4F30000

trusted library allocation

page read and write

4F60000

trusted library allocation

page execute and read and write

266C000

trusted library allocation

page read and write

A9D000

trusted library allocation

page execute and read and write

B60000

heap

page execute and read and write

2793000

trusted library allocation

page read and write

24C0000

heap

page read and write

4B6E000

stack

page read and write

50C0000

trusted library allocation

page execute and read and write

500D000

trusted library allocation

page read and write

25CF000

stack

page read and write

7AE000

heap

page read and write

4B7B000

trusted library allocation

page read and write

5020000

trusted library allocation

page read and write

700000

heap

page read and write

39C000

stack

page read and write

5030000

trusted library allocation

page execute and read and write

760000

heap

page read and write

500A000

trusted library allocation

page read and write

AF6000

trusted library allocation

page execute and read and write

267C000

trusted library allocation

page read and write

AFA000

trusted library allocation

page execute and read and write

A80000

trusted library allocation

page read and write

7E1000

heap

page read and write

4BB8000

trusted library allocation

page read and write

4B86000

trusted library allocation

page read and write

AF2000

trusted library allocation

page read and write

4B70000

trusted library allocation

page read and write

24BE000

stack

page read and write

247E000

stack

page read and write

4BBA000

trusted library allocation

page read and write

4F10000

trusted library allocation

page read and write

507D000

stack

page read and write

5010000

trusted library allocation

page read and write

4F20000

trusted library allocation

page read and write

4F90000

trusted library allocation

page execute and read and write

B30000

trusted library allocation

page execute and read and write

546E000

stack

page read and write

B07000

trusted library allocation

page execute and read and write

279A000

trusted library allocation

page read and write

A90000

trusted library allocation

page read and write

889000

heap

page read and write

5E10000

heap

page read and write

5E52000

heap

page read and write

4BB4000

trusted library allocation

page read and write

4EE0000

trusted library allocation

page read and write

There are 91 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Implosions.exe

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportImplosions.exe

Processes

URLs

IPs

Registry

Memdumps

IOC Report
Implosions.exe