Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.678201785327781
Filename:	file.exe
Filesize:	678714
MD5:	0dd1f6c2b9bf477115701a1340d8d9a2
SHA1:	7b074f54130217609435efe3f45ba38d363dd381
SHA256:	bbf284e7e60430e7aa64fa92781ed283fd46883831720b959d8c786a42af7711
SHA512:	a3c8bcc7fe527eb2de6a6dd230bca9b4424653c6e251c1113bc27bd8c42cf79e1be1974e20c733e51be38f2c222ee1338257fd86209f2411f86e5f65213206e6
SSDEEP:	12288:GubsNSOetfARQAPyGUu7zNubsNSOetfARQAPyGUfT+tkrvdv:GubsnafAPyjSzNubsnafAPyjZrvh
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............w...w...w..<.V..w..<.T..w..<.U..w....Z..w.......w.......w.......w....$..w....4..w...w...v.......w.......w....X..w.......w.

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to communicate with device drivers	System Summary
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Process Discovery Archive Collected Data
Drops PE files	Persistence and Installation Behavior
File is packed with WinRar	Data Obfuscation	Software Packing
Found evasive API chain checking for process token information	Malware Analysis System Evasion	Native API Process Discovery
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Checks the free space of harddrives	Malware Analysis System Evasion
Contains functionality for error logging	System Summary
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Executes batch files	System Summary	Scripting
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Might use command line arguments	System Summary	Command and Scripting Interpreter
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\ProgramData\kgit\xcod.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\ProgramData\kgit\xcod.exe
Category:	dropped
Dump:	xcod.exe.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	5.871561394910096
Encrypted:	false
Ssdeep:	384:rC+AHNZw/WnlrobdglGbLMoy+yG+yir1dV:r0gklrydgQP1yO67V
Size:	16384
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected SystemBC	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates mutexes	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe
Category:	dropped
Dump:	work.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.835347218383111
Encrypted:	false
Ssdeep:	6144:PiubWrNSOetO6cprlQAOWizGLIoSdRT+tkrhpQst:qubsNSOetfARQAPyGUfT+tkrvdt
Size:	343983
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Found evasive API chain checking for process token information	Malware Analysis System Evasion	Native API
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Program exit points	Malware Analysis System Evasion
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe
Category:	dropped
Dump:	pogflaw.exe.3.dr
ID:	dr_2
Target ID:	3
Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	5.871561394910096
Encrypted:	false
Ssdeep:	384:rC+AHNZw/WnlrobdglGbLMoy+yG+yir1dV:r0gklrydgQP1yO67V
Size:	16384
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected SystemBC	Stealing of Sensitive Information, Remote Access Functionality
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion	Native API
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)	Malware Analysis System Evasion	Native API
Machine Learning detection for dropped file	AV Detection
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates files inside the system directory	System Summary	Masquerading
Creates job files (autostart)	Boot Survival	Scheduled Task/Job
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion
Found evasive API chain (may stop execution after checking a module file name)	Malware Analysis System Evasion	Native API
Found evasive API chain checking for process token information	Malware Analysis System Evasion	Native API
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat

DOS batch file, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat
Category:	dropped
Dump:	1.bat.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	DOS batch file, ASCII text, with CRLF line terminators
Entropy:	4.286146588249911
Encrypted:	false
Ssdeep:	3:mKDDFRK58FoXMMH:h08Foc2
Size:	35
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Executes batch files	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Windows\Tasks\xcod.job

data

dropped

Details

File:	C:\Windows\Tasks\xcod.job
Category:	dropped
Dump:	xcod.job.4.dr
ID:	dr_4
Target ID:	4
Process:	C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe
Type:	data
Entropy:	3.5035457146056412
Encrypted:	false
Ssdeep:	6:nBa4rgU/80e/h0bhEZOj/GytiDljgsW2YRZuy0lPp+dP1:B5gUS/ibFj/GzJjzvYRQVRAt
Size:	244
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the system directory	System Summary	Masquerading
Creates job files (autostart)	Boot Survival	Scheduled Task/Job

Processes

Path

Cmdline

Malicious

C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe

work.exe -priverdD

Details

Is windows:	false
Is dropped:	true
PID:	7024
Target ID:	3
Parent PID:	6880
Name:	work.exe
Path:	C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe
Commandline:	work.exe -priverdD
Size:	343983
MD5:	577CC10D77B4EE44F8613FC7DF186048
Time:	17:27:52
Date:	25/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x3a0000
Modulesize:	491520
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected SystemBC	Stealing of Sensitive Information, Remote Access Functionality
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe

"C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7152
Target ID:	4
Parent PID:	7024
Name:	pogflaw.exe
Path:	C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\RarSFX1\pogflaw.exe"
Size:	16384
MD5:	4F01C3D7439DDE153FF0110A26E2A71C
Time:	17:27:53
Date:	25/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	24576
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected SystemBC	Stealing of Sensitive Information, Remote Access Functionality
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Dropped file seen in connection with other malware	System Summary
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection

C:\ProgramData\kgit\xcod.exe

C:\ProgramData\kgit\xcod.exe start2

Details

Is windows:	false
Is dropped:	true
PID:	5980
Target ID:	5
Parent PID:	1044
Name:	xcod.exe
Path:	C:\ProgramData\kgit\xcod.exe
Commandline:	C:\ProgramData\kgit\xcod.exe start2
Size:	16384
MD5:	4F01C3D7439DDE153FF0110A26E2A71C
Time:	17:27:53
Date:	25/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	24576
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected SystemBC	Stealing of Sensitive Information, Remote Access Functionality
Dropped file seen in connection with other malware	System Summary
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6764
Target ID:	0
Parent PID:	2580
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	678714
MD5:	0DD1F6C2B9BF477115701A1340D8D9A2
Time:	17:27:52
Date:	25/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xcd0000
Modulesize:	495616
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "

Details

Is windows:	true
Is dropped:	false
PID:	6880
Target ID:	1
Parent PID:	6764
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	17:27:52
Date:	25/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Executes batch files	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6908
Target ID:	2
Parent PID:	6880
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	17:27:52
Date:	25/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

cobusabobus.cam

Details

Name:	cobusabobus.cam
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\file.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for domain / URL	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

Domains

Name

Malicious

cobusabobus.cam

212.162.153.199

mail.wavesmail.xyz

181.214.221.49

mail.salaamtakaful.com

175.107.196.14

heat-it.co.uk

173.254.31.29

zampub.rzeszow.pl

185.208.164.126

mail.cicek-gmbh.com

81.19.149.85

mail.buckeyecom.net

209.67.129.55

khalafholding.com

198.143.186.234

alessandrocorreia.com.br

191.252.137.76

maya.onda.com.br

200.195.199.10

smtp.almarei.it

62.149.128.202

smtp.orchid.atmailcloud.com

13.250.88.201

smtp.cubovacanze.it

62.149.128.200

topterrachile.cl

186.64.118.100

shawmail.glb.shawcable.net

64.59.128.135

mail-chello-sk.cname.unified.services

94.169.2.51

mail.technologyyours.com

207.174.215.249

smtp-ip.gtm.oss-core.net

203.134.71.82

smtp.telenet.be

195.130.132.11

smtp-vip.uni5.net

191.6.220.100

smtp.gamafire.com.br

177.53.143.242

smtp.freemail.hu

84.2.43.67

ma.medias.ne.jp

220.156.64.7

smtp.cefasming.com

186.64.118.30

smtp.stofanet.dk

212.10.10.65

phongkhamdakhoahongphong.vn

103.63.215.102

arcline.pl

185.204.219.204

mail.a1net.hr

212.91.113.96

mail.staff.gunadarma.ac.id

202.125.94.90

bbmail.stofanet.dk

212.10.10.66

mcc.smtp.a.cloudfilter.net

34.213.176.2

genzcyber.net

154.0.161.25

local-boss.com

192.185.116.205

swtexas.net.av-mx.com

129.159.110.135

concordecc.concord-ecc.com

15.204.207.249

mail.primehome.com

217.27.32.193

meusemails.com.br

92.204.136.188

cocoonfertility.com

103.211.216.137

mail.ciputra.co.id

20.6.97.20

geproin.com

186.64.119.240

hwhzssl.qiye.ntes53.netease.com

103.129.255.200

mail-1.webhostingy.net

195.181.248.170

wamail.ispn.net

64.35.208.156

mail.uv.ro

91.216.151.57

mail.mts.syn-alias.com

140.238.133.27

http.netsol.xion.oxcs.net

23.81.68.43

mail.vip.hr

212.91.113.96

sep-kakadu02.au-east.atmailcloud.com

52.63.237.70

mail.atlanticbb.net

38.111.141.32

relay.glb.proximus.be

195.238.22.30

mailhost.hetnet.nl

195.121.65.26

brindespremium.com.br

177.53.140.240

mail.cock.li

37.120.193.124

tsunagu-smtp-v4.xspmail.jp

160.13.60.151

smtp.netsol.xion.oxcs.net

23.81.68.43

mailsecurity.myt.mu

197.224.66.144

smtp.metalsoft.eu

unknown

mail.meusemails.com.br

unknown

smtp.shaw.ca

unknown

smtp.swtexas.net

unknown

smtp.legendsnorcal.com

unknown

mail.xmbaofeng.com

unknown

smtp.primehome.com

unknown

smtp.iprimus.com.au

unknown

smtp.primustecnologia.com.br

unknown

smtp.tumminaro.com

unknown

smtp.tpg.com.au

unknown

smtp.ca.em-net.ne.jp

unknown

smtp.bex.net

unknown

mail.horsefucker.org

unknown

smtp.skynet.be

unknown

smtp.ck.em-net.ne.jp

unknown

mail.uptopeople.com

unknown

mail.chello.sk

unknown

smtp.mymts.net

unknown

smtp.stinger.net

unknown

smtp.eafea.org

unknown

smtp.mediacombb.net

unknown

smtp.harconstruction.com

unknown

smtp.onda.com.br

unknown

smtp.deboraland.com

unknown

smtp.wamail.net

unknown

smtp.ah.em-net.ne.jp

unknown

smtp.ad.em-net.ne.jp

unknown

mail.khalafholding.com

unknown

mx3.conline.co.za

unknown

smtp.singnet.com.sg

unknown

smtp.hetnet.nl

unknown

smtp.taylor-ind.com

unknown

smtp.bbsyd.dk

unknown

smtp.comstockland.com

unknown

mail.cilm.net

unknown

There are 82 hidden domains, click here to show them.

IPs

Domain

Country

Malicious

212.162.153.199

cobusabobus.cam

Moldova Republic of

181.214.221.49

mail.wavesmail.xyz

Chile

212.91.113.96

mail.a1net.hr

Croatia (LOCAL Name: Hrvatska)

91.216.151.57

mail.uv.ro

Romania

203.134.71.82

smtp-ip.gtm.oss-core.net

Australia

34.213.176.2

mcc.smtp.a.cloudfilter.net

United States

191.252.137.76

alessandrocorreia.com.br

Brazil

195.238.22.30

relay.glb.proximus.be

Belgium

92.204.136.188

meusemails.com.br

Germany

191.6.220.100

smtp-vip.uni5.net

Brazil

195.121.65.26

mailhost.hetnet.nl

Netherlands

129.159.110.135

swtexas.net.av-mx.com

United States

64.35.208.156

wamail.ispn.net

United States

195.181.248.170

mail-1.webhostingy.net

Slovakia (SLOVAK Republic)

186.64.118.100

topterrachile.cl

Chile

177.53.140.240

brindespremium.com.br

Brazil

103.211.216.137

cocoonfertility.com

Seychelles

186.64.118.30

smtp.cefasming.com

Chile

212.10.10.66

bbmail.stofanet.dk

Denmark

212.10.10.65

smtp.stofanet.dk

Denmark

103.129.255.200

hwhzssl.qiye.ntes53.netease.com

Hong Kong

200.195.199.10

maya.onda.com.br

Brazil

154.0.161.25

genzcyber.net

South Africa

13.250.88.201

smtp.orchid.atmailcloud.com

United States

84.2.43.67

smtp.freemail.hu

Hungary

38.111.141.32

mail.atlanticbb.net

United States

173.254.31.29

heat-it.co.uk

United States

185.204.219.204

arcline.pl

Poland

81.19.149.85

mail.cicek-gmbh.com

Austria

64.59.128.135

shawmail.glb.shawcable.net

Canada

177.53.143.242

smtp.gamafire.com.br

Brazil

103.63.215.102

phongkhamdakhoahongphong.vn

Viet Nam

217.27.32.193

mail.primehome.com

Cyprus

15.204.207.249

concordecc.concord-ecc.com

United States

20.6.97.20

mail.ciputra.co.id

United States

140.238.133.27

mail.mts.syn-alias.com

United States

175.107.196.14

mail.salaamtakaful.com

Pakistan

197.224.66.144

mailsecurity.myt.mu

Mauritius

185.208.164.126

zampub.rzeszow.pl

Poland

195.130.132.11

smtp.telenet.be

Belgium

198.143.186.234

khalafholding.com

United States

220.156.64.7

ma.medias.ne.jp

Japan

209.67.129.55

mail.buckeyecom.net

United States

192.185.116.205

local-boss.com

United States

37.120.193.124

mail.cock.li

Romania

202.125.94.90

mail.staff.gunadarma.ac.id

Indonesia

62.149.128.200

smtp.cubovacanze.it

Italy

62.149.128.202

smtp.almarei.it

Italy

94.169.2.51

mail-chello-sk.cname.unified.services

Netherlands

160.13.60.151

tsunagu-smtp-v4.xspmail.jp

Japan

186.64.119.240

geproin.com

Chile

52.63.237.70

sep-kakadu02.au-east.atmailcloud.com

United States

23.81.68.43

http.netsol.xion.oxcs.net

United States

There are 43 hidden IPs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

401000

unkown

page execute read

73E4000

heap

page read and write

401000

unkown

page execute read

401000

unkown

page execute read

401000

unkown

page execute read

2CEF000

stack

page read and write

2FC0000

heap

page read and write

375D000

stack

page read and write

22E0000

direct allocation

page read and write

406000

unkown

page readonly

3D4000

unkown

page readonly

2AEF000

stack

page read and write

404000

unkown

page read and write

405000

unkown

page write copy

5A5D000

stack

page read and write

3260000

direct allocation

page read and write

19B000

stack

page read and write

1F0000

heap

page read and write

73E9000

heap

page read and write

31E2000

heap

page read and write

33E2000

heap

page read and write

3020000

direct allocation

page read and write

3412000

heap

page read and write

480000

direct allocation

page read and write

2740000

trusted library allocation

page read and write

5F4000

heap

page read and write

3412000

heap

page read and write

3373000

heap

page read and write

595C000

stack

page read and write

3275000

heap

page read and write

2EC0000

direct allocation

page read and write

D17000

unkown

page read and write

336C000

heap

page read and write

523F000

stack

page read and write

3370000

heap

page read and write

32EE000

stack

page read and write

33C1000

heap

page read and write

3215000

heap

page read and write

32C0000

direct allocation

page read and write

420000

direct allocation

page read and write

404000

unkown

page readonly

405000

unkown

page readonly

311D000

stack

page read and write

321D000

stack

page read and write

3A90000

direct allocation

page read and write

5261000

trusted library allocation

page read and write

2F5A000

stack

page read and write

3A1000

unkown

page execute read

2EC0000

direct allocation

page read and write

300D000

stack

page read and write

D34000

unkown

page read and write

32AE000

stack

page read and write

5F4000

heap

page read and write

2155000

heap

page read and write

5091000

trusted library allocation

page read and write

420000

direct allocation

page read and write

CD0000

unkown

page readonly

591F000

stack

page read and write

36B0000

direct allocation

page read and write

316A000

heap

page read and write

400000

unkown

page readonly

2DF0000

heap

page readonly

420000

direct allocation

page read and write

794000

heap

page read and write

3400000

direct allocation

page read and write

317B000

heap

page read and write

31DB000

heap

page read and write

3C4D000

stack

page read and write

2E7D000

stack

page read and write

CD0000

unkown

page readonly

470000

direct allocation

page read and write

3C8E000

stack

page read and write

2D70000

direct allocation

page read and write

3186000

heap

page read and write

5F4000

heap

page read and write

3660000

direct allocation

page read and write

34ED000

stack

page read and write

317F000

heap

page read and write

37EB000

heap

page read and write

3270000

heap

page read and write

3040000

trusted library allocation

page read and write

549E000

stack

page read and write

225D000

stack

page read and write

404000

unkown

page readonly

5F4000

heap

page read and write

33D3000

heap

page read and write

379E000

stack

page read and write

D35000

unkown

page readonly

7520000

heap

page read and write

2FC6000

heap

page read and write

3216000

heap

page read and write

2F37000

stack

page read and write

2F20000

stack

page read and write

33DC000

heap

page read and write

3410000

direct allocation

page read and write

2EC0000

direct allocation

page read and write

6D10000

heap

page read and write

3180000

heap

page read and write

7FE000

heap

page read and write

3372000

heap

page read and write

337D000

stack

page read and write

9C000

stack

page read and write

81D000

stack

page read and write

2ED0000

direct allocation

page read and write

3E0000

unkown

page write copy

5F4000

heap

page read and write

317B000

heap

page read and write

52A4000

heap

page read and write

339E000

heap

page read and write

2D70000

direct allocation

page read and write

22F0000

heap

page read and write

33F0000

direct allocation

page read and write

3369000

heap

page read and write

30CD000

stack

page read and write

33ED000

stack

page read and write

CD1000

unkown

page execute read

30F2000

stack

page read and write

30C0000

stack

page read and write

5F4000

heap

page read and write

900000

direct allocation

page read and write

7C9000

heap

page read and write

490000

direct allocation

page read and write

2D70000

direct allocation

page read and write

2D86000

stack

page read and write

218D000

stack

page read and write

7645000

heap

page read and write

2EC0000

direct allocation

page read and write

4B0000

heap

page read and write

3A1E000

stack

page read and write

6D1F000

heap

page read and write

337F000

heap

page read and write

7580000

heap

page read and write

3640000

direct allocation

page read and write

31E2000

heap

page read and write

37E7000

heap

page read and write

4FC0000

direct allocation

page read and write

4BD0000

direct allocation

page read and write

3410000

heap

page read and write

D04000

unkown

page readonly

2F3D000

stack

page read and write

352E000

unkown

page read and write

31CD000

heap

page read and write

579000

stack

page read and write

8E0000

direct allocation

page read and write

470000

direct allocation

page read and write

339E000

heap

page read and write

59D000

heap

page read and write

5F4000

heap

page read and write

3950000

direct allocation

page read and write

910000

direct allocation

page read and write

85E000

stack

page read and write

539D000

stack

page read and write

764F000

heap

page read and write

3010000

direct allocation

page read and write

5F4000

heap

page read and write

30DA000

stack

page read and write

8F0000

direct allocation

page read and write

420000

direct allocation

page read and write

2E56000

stack

page read and write

8F0000

direct allocation

page read and write

32BE000

stack

page read and write

3215000

heap

page read and write

410000

heap

page read and write

320D000

heap

page read and write

490000

direct allocation

page read and write

559C000

stack

page read and write

8E0000

direct allocation

page read and write

3170000

heap

page read and write

2F2D000

stack

page read and write

353E000

stack

page read and write

5270000

heap

page read and write

22F4000

heap

page read and write

30ED000

stack

page read and write

33E5000

heap

page read and write

2F0E000

stack

page read and write

3800000

direct allocation

page read and write

3AA0000

direct allocation

page read and write

3260000

direct allocation

page read and write

3216000

heap

page read and write

52E000

stack

page read and write

31DB000

heap

page read and write

3560000

direct allocation

page read and write

2F4B000

stack

page read and write

3216000

heap

page read and write

561E000

stack

page read and write

6D20000

trusted library allocation

page read and write

2EC0000

direct allocation

page read and write

405000

unkown

page write copy

337E000

heap

page read and write

4A80000

direct allocation

page read and write

3340000

heap

page read and write

550000

heap

page read and write

2F41000

heap

page read and write

33C1000

heap

page read and write

3E7000

unkown

page read and write

3412000

heap

page read and write

29EE000

stack

page read and write

3412000

heap

page read and write

3400000

direct allocation

page read and write

4690000

direct allocation

page read and write

2D70000

direct allocation

page read and write

30EB000

stack

page read and write

3120000

heap

page read and write

3419000

heap

page read and write

29AF000

stack

page read and write

3630000

direct allocation

page read and write

2F41000

heap

page read and write

3250000

heap

page read and write

5F4000

heap

page read and write

33DC000

heap

page read and write

38DE000

stack

page read and write

72C0000

heap

page read and write

8F0000

direct allocation

page read and write

760000

heap

page read and write

5A0000

heap

page read and write

3124000

heap

page read and write

320E000

heap

page read and write

55DC000

stack

page read and write

8F0000

direct allocation

page read and write

37E0000

heap

page read and write

480000

direct allocation

page read and write

3B4D000

stack

page read and write

3100000

heap

page read and write

480000

direct allocation

page read and write

420000

direct allocation

page read and write

8F0000

direct allocation

page read and write

540000

heap

page read and write

325E000

stack

page read and write

2F47000

stack

page read and write

2FD0000

heap

page read and write

405000

unkown

page read and write

3220000

direct allocation

page read and write

4B5000

heap

page read and write

7570000

heap

page read and write

316A000

heap

page read and write

52F0000

trusted library allocation

page read and write

2EBE000

stack

page read and write

28AE000

stack

page read and write

764B000

heap

page read and write

5F4000

heap

page read and write

22E0000

direct allocation

page read and write

420000

direct allocation

page read and write

3D4000

unkown

page readonly

8E0000

direct allocation

page read and write

33DC000

heap

page read and write

5B1000

heap

page read and write

55A000

heap

page read and write

31E2000

heap

page read and write

53B0000

heap

page read and write

5560000

trusted library allocation

page read and write

400000

unkown

page readonly

3E0000

unkown

page read and write

4540000

direct allocation

page read and write

5A8000

heap

page read and write

337E000

heap

page read and write

2ED0000

direct allocation

page read and write

575C000

stack

page read and write

2DE0000

heap

page read and write

571F000

stack

page read and write

56DE000

stack

page read and write

55E000

heap

page read and write

7FA000

heap

page read and write

6AC8000

heap

page read and write

46E000

stack

page read and write

19B000

stack

page read and write

31CD000

heap

page read and write

43F0000

direct allocation

page read and write

22E0000

direct allocation

page read and write

7C5000

heap

page read and write

342D000

heap

page read and write

3040000

heap

page read and write

30DD000

stack

page read and write

3186000

heap

page read and write

4E0000

heap

page read and write

8E0000

direct allocation

page read and write

480000

direct allocation

page read and write

3425000

heap

page read and write

8E0000

direct allocation

page read and write

3260000

direct allocation

page read and write

2D80000

direct allocation

page read and write

3A0000

unkown

page readonly

770000

heap

page read and write

3212000

heap

page read and write

30E7000

stack

page read and write

7C0000

heap

page read and write

31D6000

heap

page read and write

5F4000

heap

page read and write

585C000

stack

page read and write

2BED000

unkown

page read and write

8F0000

direct allocation

page read and write

3400000

direct allocation

page read and write

400000

unkown

page readonly

30B0000

heap

page readonly

3630000

direct allocation

page read and write

490000

direct allocation

page read and write

317B000

heap

page read and write

581E000

stack

page read and write

490000

direct allocation

page read and write

320D000

heap

page read and write

500E000

stack

page read and write

3178000

heap

page read and write

33E5000

heap

page read and write

4930000

direct allocation

page read and write

490000

direct allocation

page read and write

1F0000

heap

page read and write

3260000

direct allocation

page read and write

910000

direct allocation

page read and write

324E000

stack

page read and write

8F0000

direct allocation

page read and write

405000

unkown

page write copy

3410000

heap

page read and write

470000

direct allocation

page read and write

3215000

heap

page read and write

3D8D000

stack

page read and write

52A0000

heap

page read and write

3A0000

unkown

page readonly

3270000

direct allocation

page read and write

389D000

stack

page read and write

D10000

unkown

page read and write

2120000

heap

page read and write

320E000

stack

page read and write

400000

unkown

page readonly

4D20000

direct allocation

page read and write

3650000

direct allocation

page read and write

2F52000

stack

page read and write

490000

direct allocation

page read and write

3410000

heap

page read and write

8E0000

direct allocation

page read and write

3410000

heap

page read and write

5A90000

heap

page read and write

4D20000

direct allocation

page read and write

3216000

heap

page read and write

50AA000

trusted library allocation

page read and write

5F0000

heap

page read and write

50E0000

heap

page read and write

3213000

heap

page read and write

89E000

stack

page read and write

33D3000

heap

page read and write

2150000

heap

page read and write

490000

direct allocation

page read and write

57DF000

stack

page read and write

30FA000

stack

page read and write

CD1000

unkown

page execute read

2D6E000

stack

page read and write

D10000

unkown

page write copy

362D000

stack

page read and write

2C30000

direct allocation

page read and write

2F3A000

stack

page read and write

320D000

heap

page read and write

470000

direct allocation

page read and write

527A000

trusted library allocation

page read and write

3215000

heap

page read and write

3419000

heap

page read and write

2F41000

heap

page read and write

9C000

stack

page read and write

31D6000

heap

page read and write

3419000

heap

page read and write

D36000

unkown

page readonly

6D1E000

heap

page read and write

6FF000

stack

page read and write

5F4000

heap

page read and write

900000

direct allocation

page read and write

47E0000

direct allocation

page read and write

2140000

direct allocation

page read and write

50F0000

heap

page read and write

286F000

stack

page read and write

30D2000

stack

page read and write

910000

direct allocation

page read and write

480000

direct allocation

page read and write

33E2000

heap

page read and write

5BE000

stack

page read and write

3419000

heap

page read and write

8DE000

stack

page read and write

900000

direct allocation

page read and write

3171000

heap

page read and write

3148000

heap

page read and write

339E000

heap

page read and write

910000

direct allocation

page read and write

3186000

heap

page read and write

910000

direct allocation

page read and write

33E2000

heap

page read and write

900000

direct allocation

page read and write

480000

direct allocation

page read and write

3216000

heap

page read and write

73EE000

heap

page read and write

910000

direct allocation

page read and write

22E0000

direct allocation

page read and write

33E0000

heap

page read and write

31DB000

heap

page read and write

3420000

heap

page read and write

31D6000

heap

page read and write

7F0000

heap

page read and write

3348000

heap

page read and write

D35000

unkown

page write copy

276E000

stack

page read and write

31CD000

heap

page read and write

317B000

heap

page read and write

2D2E000

unkown

page read and write

30FE000

stack

page read and write

54DC000

stack

page read and write

30D7000

stack

page read and write

337E000

heap

page read and write

790000

heap

page read and write

3170000

direct allocation

page read and write

2F45000

stack

page read and write

39DD000

stack

page read and write

5F4000

heap

page read and write

6AC0000

trusted library allocation

page read and write

333F000

stack

page read and write

3140000

heap

page read and write

5F4000

heap

page read and write

4E70000

direct allocation

page read and write

5A3000

heap

page read and write

569C000

stack

page read and write

33C1000

heap

page read and write

36B0000

direct allocation

page read and write

6AC0000

heap

page read and write

3167000

heap

page read and write

4F9000

stack

page read and write

405000

unkown

page read and write

2C30000

direct allocation

page read and write

2110000

heap

page read and write

3400000

direct allocation

page read and write

D04000

unkown

page readonly

404000

unkown

page readonly

228F000

stack

page read and write

3020000

direct allocation

page read and write

3A1000

unkown

page execute read

363D000

stack

page read and write

404000

unkown

page readonly

5340000

heap

page read and write

8F0000

direct allocation

page read and write

There are 422 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
file.exe