Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.711083644811368
Filename:	file.exe
Filesize:	470528
MD5:	fdc69e7726f37315f2f576a3ca749c48
SHA1:	44cb651c3be86b959e4e630e741189ad2c945c44
SHA256:	1692db4e522605d93551ddcabeffa92a2cd43e764a134833644808319784b955
SHA512:	de974aa0e7cb1393eefacbd90a87f2283af59004de217283b9dbba2c338935aa013ba738065747d2491248ca3d781ee7ede0044082a58da3fa21989e3431dc2f
SSDEEP:	12288:REY+q1cYutAScujVzQ/B02L4dj5w2TUTup:W6ScuJzI028dNNUKp
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......jL$..-J,.-J,.-J,._I-"-J,._O-.-J,._N-;-J,._K---J,.-K,u-J,..N-<-J,..I-:-J,..O-`-J,..O-/-J,..H-/-J,Rich.-J,........PE..L.....Mf...

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to modify the execution of threads in other processes
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Reads software policies	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\Public\Desktop\Google Chrome.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 05:47:14 2023, atime=Wed Sep 27 08:36:54 2023, length=3242272, window=hide

dropped

Details

File:	C:\Users\Public\Desktop\Google Chrome.lnk
Category:	dropped
Dump:	Google Chrome.lnk.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 05:47:14 2023, atime=Wed Sep 27 08:36:54 2023, length=3242272, window=hide
Entropy:	3.466670658720131
Encrypted:	false
Ssdeep:	48:8Sgd5TvG90lRYrnvPdAKRkdAGdAKRFdAKR6P:8SKby7
Size:	2104
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\Tmp59F0.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Tmp59F0.tmp
Category:	dropped
Dump:	Tmp59F0.tmp.2.dr
ID:	dr_0
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\Tmp5A01.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Tmp5A01.tmp
Category:	dropped
Dump:	Tmp5A01.tmp.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
Category:	dropped
Dump:	76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Type:	data
Entropy:	7.639756177727786
Encrypted:	false
Ssdeep:	48:S7SjQDUisflUXD96K3k/4HAose4h+E1NuC/+98j1Gm:ASUDnsmIsAoszNzS8j1r
Size:	2251
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3160
Target ID:	0
Parent PID:	4004
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	470528
MD5:	FDC69E7726F37315F2F576A3CA749C48
Time:	11:04:55
Date:	22/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x4f0000
Modulesize:	491520
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	3320
Target ID:	2
Parent PID:	3160
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	11:04:55
Date:	22/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xde0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

5.42.65.115:40551

http://tempuri.org/Entity/Id24LR

unknown

http://tempuri.org/Entity/Id22LR

unknown

http://tempuri.org/Entity/Id20LR

unknown

http://tempuri.org/Entity/Id15Responsex

unknown

http://tempuri.org/Entity/Id18Responsex

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://tempuri.org/

unknown

http://tempuri.org/Entity/Id19LR

unknown

http://tempuri.org/Entity/Id17LR

unknown

http://tempuri.org/Entity/Id22Responsex

unknown

http://tempuri.org/Entity/Id15LR

unknown

http://tempuri.org/Entity/Id9LR

unknown

http://tempuri.org/Entity/Id10Responsex

unknown

http://tempuri.org/Entity/Id19Responsex

unknown

http://tempuri.org/Entity/Id13LR

unknown

http://tempuri.org/Entity/Id7LR

unknown

http://tempuri.org/Entity/Id11LR

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse

unknown

http://tempuri.org/Entity/Id1LR

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

http://tempuri.org/Entity/Id5LR

unknown

http://tempuri.org/Entity/Id3LR

unknown

http://tempuri.org/Entity/Id6Responsex

unknown

http://tempuri.org/Entity/Id7Responsex

unknown

http://tempuri.org/Entity/Id1Responsex

unknown

http://tempuri.org/Entity/Id21Responsex

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty

unknown

https://api.ip.sb/ip

unknown

http://tempuri.org/Entity/Id23Responsex

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement

unknown

http://tempuri.org/Entity/Id23LR

unknown

http://tempuri.org/Entity/Id21LR

unknown

http://tempuri.org/Entity/Id5Responsex

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous

unknown

http://tempuri.org/Entity/Id14Responsex

unknown

http://tempuri.org/Entity/Id2Responsex

unknown

http://tempuri.org/Entity/Id11Responsex

unknown

http://tempuri.org/Entity/Id20Responsex

unknown

http://tempuri.org/Entity/Id24Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://tempuri.org/Entity/Id8Responsex

unknown

http://tempuri.org/Entity/Id18LR

unknown

http://tempuri.org/Entity/Id13Responsex

unknown

http://tempuri.org/Entity/Id16Responsex

unknown

http://tempuri.org/Entity/Id16LR

unknown

http://tempuri.org/Entity/Id8LR

unknown

http://tempuri.org/Entity/Id14LR

unknown

http://tempuri.org/Entity/Id6LR

unknown

http://tempuri.org/Entity/

unknown

http://tempuri.org/Entity/Id12LR

unknown

http://tempuri.org/Entity/Id9Responsex

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://tempuri.org/Entity/Id10LR

unknown

http://tempuri.org/Entity/Id3Responsex

unknown

http://tempuri.org/Entity/Id4LR

unknown

http://tempuri.org/Entity/Id24Responsex

unknown

http://tempuri.org/Entity/Id2LR

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage

unknown

http://tempuri.org/Entity/Id13

unknown

http://tempuri.org/Entity/Id12Responsex

unknown

http://tempuri.org/Entity/Id17Responsex

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence

unknown

http://schemas.xmlsoap.org/soap/actor/next

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns

unknown

http://tempuri.org/Entity/Id4Responsex

unknown

There are 58 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

5.42.65.115

unknown

Russian Federation

Details

IP:	5.42.65.115
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	39493
ASN name:	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064

Blob

Details

TargetID:	2
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064
Value name:	Blob
Value data:	0B 00 00 00 01 00 00 00 48 00 00 00 54 00 69 00 74 00 61 00 6E 00 69 00 75 00 6D 00 20 00 52 00 6F 00 6F 00 74 00 20 00 43 00 65 00 72 00 74 00 69 00 66 00 69 00 63 00 61 00 74 00 65 00 20 00 41 00 75 00 74 00 68 00 6F 00 72 00 69 00 74 00 79 00 00 00 02 00 00 00 01 00 00 00 CC 00 00 00 1C 00 00 00 6C 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 7B 00 34 00 31 00 37 00 34 00 34 00 42 00 45 00 34 00 2D 00 31 00 31 00 43 00 35 00 2D 00 34 00 39 00 34 00 43 00 2D 00 41 00 32 00 31 00 33 00 2D 00 42 00 41 00 30 00 43 00 45 00 39 00 34 00 34 00 39 00 33 00 38 00 45 00 7D 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 45 00 6E 00 68 00 61 00 6E 00 63 00 65 00 64 00 20 00 43 00 72 00 79 00 70 00 74 00 6F 00 67 00 72 00 61 00 70 00 68 00 69 00 63 00 20 00 50 00 72 00 6F 00 76 00 69 00 64 00 65 00 72 00 20 00 76 00 31 00 2E 00 30 00 00 00 00 00 03 00 00 00 01 00 00 00 14 00 00 00 F1 A5 78 C4 CB 5D E7 9A 37 08 93 98 3F D4 DA 8B 67 B2 B0 64 20 00 00 00 01 00 00 00 0A 03 00 00 30 82 03 06 30 82 01 EE A0 03 02 01 02 02 08 67 F7 BE B9 6A 4C 27 98 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 1E 17 0D 32 33 30 33 31 34 31 30 33 35 32 30 5A 17 0D 32 36 30 36 31 37 31 30 33 35 32 30 5A 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 86 E4 57 7A 58 61 CE 81 91 77 D0 05 FA 51 D5 51 5A 93 6C 61 0C CF CB DE 53 32 CD 15 1D A6 47 EE 88 1A 24 5C 9B 02 83 3B 02 AF 3D 76 FE 20 BD 3B FA F7 A2 09 73 E7 2E BD 94 40 D0 9D 8C 3D 27 13 BD F0 D0 9F EB 95 32 AC D7 A4 2D A2 A9 52 DA A8 6A 2A 88 EE 42 7D 30 95 9D 90 BF BA 05 27 6A A0 29 98 A6 98 6F C0 13 06 62 9B 79 B8 40 5D 1F 1F A6 D9 A4 2F 82 7A FC 75 66 34 0D C2 DE 27 01 2B 94 BB 4A 27 B3 CB 1C 21 9A 3C B2 C1 42 03 F3 44 51 BD 62 65 20 ED D4 DB CC 41 4F 59 3F 2A CB C4 84 79 F7 14 3C BE 13 9C FD 12 9C 91 3E 53 03 DC 20 F9 4C 44 35 89 01 B6 9A 84 8D 7E A0 2E 30 8A 31 15 60 AC 00 AE 00 9A 29 10 9A EE D9 71 3D D8 91 9B 97 ED 59 80 58 E1 7F 07 26 C7 A0 20 F7 10 AB C0 62 91 DF AA F1 81 C6 BE 6A 76 C8 9C B6 8E B0 B0 EC 1C D9 5F 32 6C 7E 55 58 8B FD 76 C5 19 02 03 01 00 01 A3 28 30 26 30 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 03 82 01 01 00 70 85 12 93 D7 57 E9 82 79 7D C5 F7 F2 7D A8 94 EF 0C DB 32 9F 06 A6 09 6E 0C F6 04 B0 E5 47 11 56 0E F4 0F 52 82 08 2E 21 0F 55 A3 DB 41 F3 12 54 8B 76 11 F5 F0 DA CE A3 C7 8B 13 F6 FC 24 3C 02 B1 06 66 5B E6 9E 18 40 88 41 5B 27 39 99 B8 77 BE E3 53 A2 48 CE C7 EE B5 A0 95 C2 17 4B C9 52 6C AF E3 37 2C 59 DB FB E7 58 13 4E D3 51 E5 14 72 73 FE C6 85 77 AE 45 52 A6 F9 9A C8 0C A8 D0 EE 42 2A F5 28 85 8C 6B E8 1C B0 A8 03 1A B0 AE 83 C0 EB 55 64 F4 E8 7A 5C 06 29 5D 39 03 EE E2 FD F9 2D 62 A7 F4 D4 05 4D EA A7 9B CA EB DA 4E 8B 1A 6E FD 42 AE F9 D0 1C 70 75 72 8C B1 3A A8 55 7C 85 A7 25 32 B5 E2 D6 C3 E5 50 41 C9 86 7C A8 F5 62 BB D2 AB 0C 37 10 D8 31 73 EC 37 81 D1 DC AA C5 C6 E0 7E E7 26 62 4D FD C5 81 4C FF D3 36 E1 79 32 F8 9B EB 9C F7 FD BE E9 BE BF 61

Signature Hits	Behavior Group	Mitre Attack
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate

Memdumps

Base Address

Regiontype

Protect

Malicious

517000

unkown

page read and write

32A1000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

3060000

heap

page read and write

1438000

heap

page read and write

12D0000

heap

page read and write

6C1B000

trusted library allocation

page read and write

3270000

trusted library allocation

page read and write

13DD000

trusted library allocation

page execute and read and write

7EEE0000

trusted library allocation

page execute and read and write

6C50000

trusted library allocation

page read and write

D60000

heap

page read and write

3285000

trusted library allocation

page read and write

6A40000

trusted library allocation

page read and write

347D000

trusted library allocation

page read and write

6BE5000

trusted library allocation

page read and write

5830000

trusted library allocation

page read and write

6C3E000

trusted library allocation

page read and write

55EB000

trusted library allocation

page read and write

55E0000

trusted library allocation

page read and write

55A000

unkown

page read and write

4F0000

unkown

page readonly

6BE9000

trusted library allocation

page read and write

13ED000

trusted library allocation

page execute and read and write

6C41000

trusted library allocation

page read and write

566000

unkown

page readonly

7E0000

heap

page read and write

6E90000

trusted library allocation

page read and write

4F0000

unkown

page readonly

160B000

trusted library allocation

page execute and read and write

4F1000

unkown

page execute read

54B000

unkown

page read and write

301E000

stack

page read and write

5832000

trusted library allocation

page read and write

6A3E000

stack

page read and write

6C90000

trusted library allocation

page read and write

6C6E000

trusted library allocation

page read and write

653E000

stack

page read and write

5840000

trusted library allocation

page execute and read and write

5A40000

heap

page read and write

50D000

unkown

page readonly

693E000

stack

page read and write

7F0000

direct allocation

page execute and read and write

5750000

heap

page read and write

325E000

stack

page read and write

13E0000

trusted library allocation

page read and write

42AF000

trusted library allocation

page read and write

432000

remote allocation

page execute and read and write

1675000

heap

page read and write

55FE000

trusted library allocation

page read and write

E10000

heap

page read and write

564E000

trusted library allocation

page read and write

5753000

heap

page read and write

14FE000

heap

page read and write

6A50000

trusted library allocation

page read and write

13FA000

trusted library allocation

page execute and read and write

55E4000

trusted library allocation

page read and write

140B000

heap

page read and write

5612000

trusted library allocation

page read and write

1620000

trusted library allocation

page read and write

5620000

trusted library allocation

page read and write

50D000

unkown

page readonly

6CF0000

trusted library allocation

page read and write

6C70000

trusted library allocation

page read and write

6BE7000

trusted library allocation

page read and write

108A000

stack

page read and write

5D00000

trusted library allocation

page read and write

5640000

trusted library allocation

page read and write

3290000

heap

page execute and read and write

6BE0000

trusted library allocation

page read and write

6AE0000

trusted library allocation

page execute and read and write

5A9A000

heap

page read and write

6D00000

trusted library allocation

page execute and read and write

6C26000

trusted library allocation

page read and write

C4E000

stack

page read and write

13F6000

trusted library allocation

page execute and read and write

11F0000

heap

page read and write

13F0000

trusted library allocation

page read and write

77D000

stack

page read and write

13D3000

trusted library allocation

page execute and read and write

5820000

heap

page read and write

5601000

trusted library allocation

page read and write

6EE0000

trusted library allocation

page read and write

1187000

stack

page read and write

1607000

trusted library allocation

page execute and read and write

7D0000

heap

page read and write

6BD0000

trusted library allocation

page read and write

14D0000

heap

page read and write

5930000

heap

page execute and read and write

3260000

trusted library allocation

page read and write

6B00000

trusted library allocation

page execute and read and write

64BE000

stack

page read and write

5AE3000

heap

page read and write

30B0000

heap

page read and write

1670000

heap

page read and write

55E6000

trusted library allocation

page read and write

3080000

trusted library allocation

page execute and read and write

3090000

trusted library allocation

page read and write

13D0000

trusted library allocation

page read and write

6CA0000

trusted library allocation

page read and write

68FF000

stack

page read and write

62D2000

heap

page read and write

517000

unkown

page write copy

446000

remote allocation

page execute and read and write

5CE0000

heap

page read and write

1605000

trusted library allocation

page execute and read and write

1600000

trusted library allocation

page read and write

6EA0000

trusted library allocation

page read and write

6ED0000

trusted library allocation

page execute and read and write

560D000

trusted library allocation

page read and write

1380000

heap

page read and write

13E3000

trusted library allocation

page read and write

1445000

heap

page read and write

5D08000

trusted library allocation

page read and write

342F000

trusted library allocation

page read and write

5A82000

heap

page read and write

E1A000

heap

page read and write

6C60000

trusted library allocation

page read and write

166E000

stack

page read and write

C8E000

stack

page read and write

6EB0000

trusted library allocation

page read and write

1370000

trusted library allocation

page read and write

6C32000

trusted library allocation

page read and write

6C4A000

trusted library allocation

page read and write

6D70000

trusted library allocation

page execute and read and write

42C2000

trusted library allocation

page read and write

6CE0000

trusted library allocation

page read and write

6D10000

trusted library allocation

page execute and read and write

42A1000

trusted library allocation

page read and write

33D6000

trusted library allocation

page read and write

30A0000

trusted library allocation

page read and write

1400000

heap

page read and write

3280000

trusted library allocation

page read and write

CF0000

heap

page read and write

6EC0000

heap

page execute and read and write

6C80000

trusted library allocation

page read and write

6BD8000

trusted library allocation

page read and write

13F2000

trusted library allocation

page read and write

6BD5000

trusted library allocation

page read and write

5606000

trusted library allocation

page read and write

55F2000

trusted library allocation

page read and write

6CB0000

trusted library allocation

page read and write

1320000

heap

page read and write

3278000

trusted library allocation

page read and write

110F000

stack

page read and write

437000

remote allocation

page execute and read and write

5CBE000

stack

page read and write

13D4000

trusted library allocation

page read and write

E1E000

heap

page read and write

5920000

heap

page read and write

4F1000

unkown

page execute read

6C10000

trusted library allocation

page read and write

1602000

trusted library allocation

page read and write

149D000

heap

page read and write

1325000

heap

page read and write

305D000

stack

page read and write

6C6B000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

566000

unkown

page readonly

5A54000

heap

page read and write

6C65000

trusted library allocation

page read and write

55EE000

trusted library allocation

page read and write

AFD000

stack

page read and write

6BDB000

trusted library allocation

page read and write

14B9000

heap

page read and write

34CC000

trusted library allocation

page read and write

6D60000

trusted library allocation

page execute and read and write

6C21000

trusted library allocation

page read and write

100F000

stack

page read and write

There are 159 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
file.exe