Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

c0evVb15Q1.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	3.9182223836995655
Filename:	c0evVb15Q1.exe
Filesize:	78848
MD5:	721ce91db1511b614eda698111dcd68c
SHA1:	34a5ef03e4fe55a3afbd59b08f60c3625d9788bc
SHA256:	405062f7037cddb27c2d1df1f9e371f512e14d83da7d878e516c5267a1944d3f
SHA512:	72de4cbd417bd85a1bc78ed82656e985190644a34707377d7b1c473f2ead4d6f64599963f93b0ab224fdbb8000959555309d33080ecdedaea6d5140e8f758d44
SSDEEP:	1536:LgMXVCT+m0yMVABCafXAbfuLbqp0pAUg0In2aKp+cyf8FIvy5hLy5y7OW8DtbNyg:0oIT+m0xVABCafXAbWLbqp0pAUg0Y2aN
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...45Jf................. ...........?... ...@....@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection	Access Token Manipulation
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Access Token Manipulation Software Packing
.NET source code contains suspicious base64 encoded strings	System Summary	Obfuscated Files or Information
.NET source code contains very large strings	System Summary
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses new MSVCR Dlls	Compliance, System Summary	Access Token Manipulation

C:\Users\user\AppData\Roaming\server.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\server.exe
Category:	dropped
Dump:	server.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\c0evVb15Q1.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	3.9182223836995655
Encrypted:	false
Ssdeep:	1536:LgMXVCT+m0yMVABCafXAbfuLbqp0pAUg0In2aKp+cyf8FIvy5hLy5y7OW8DtbNyg:0oIT+m0xVABCafXAbWLbqp0pAUg0Y2aN
Size:	78848
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Disables zone checking for all users	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Machine Learning detection for dropped file	AV Detection
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Abnormal high CPU Usage	System Summary
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\c0evVb15Q1.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\c0evVb15Q1.exe.log
Category:	dropped
Dump:	c0evVb15Q1.exe.log.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\c0evVb15Q1.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.259753436570609
Encrypted:	false
Ssdeep:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
Size:	525
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Windows\SysWOW64\netsh.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.971939296804078
Encrypted:	false
Ssdeep:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
Size:	313
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\c0evVb15Q1.exe

"C:\Users\user\Desktop\c0evVb15Q1.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7488
Target ID:	0
Parent PID:	2580
Name:	c0evVb15Q1.exe
Path:	C:\Users\user\Desktop\c0evVb15Q1.exe
Commandline:	"C:\Users\user\Desktop\c0evVb15Q1.exe"
Size:	78848
MD5:	721CE91DB1511B614EDA698111DCD68C
Time:	13:56:52
Date:	27/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x750000
Modulesize:	106496
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\server.exe

"C:\Users\user\AppData\Roaming\server.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7576
Target ID:	1
Parent PID:	7488
Name:	server.exe
Path:	C:\Users\user\AppData\Roaming\server.exe
Commandline:	"C:\Users\user\AppData\Roaming\server.exe"
Size:	78848
MD5:	721CE91DB1511B614EDA698111DCD68C
Time:	13:56:58
Date:	27/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x940000
Modulesize:	106496
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\server.exe" "server.exe" ENABLE

Details

Is windows:	true
Is dropped:	false
PID:	7640
Target ID:	2
Parent PID:	7576
Name:	netsh.exe
Path:	C:\Windows\SysWOW64\netsh.exe
Commandline:	netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\server.exe" "server.exe" ENABLE
Size:	82432
MD5:	4E89A1A088BE715D6C946E55AB07C7DF
Time:	13:57:05
Date:	27/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1560000
Modulesize:	122880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7648
Target ID:	3
Parent PID:	7640
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	13:57:05
Date:	27/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

x555hd.ddns.net

Details

Name:	x555hd.ddns.net
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\c0evVb15Q1.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for domain / URL	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses dynamic DNS services	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

Domains

Name

Malicious

x555hd.ddns.net

197.202.219.104

Details

Name:	x555hd.ddns.net
IP:	197.202.219.104
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses dynamic DNS services	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

197.202.219.104

x555hd.ddns.net

Algeria

Details

IP:	197.202.219.104
TargetID:	1
Current Path:	C:\Users\user\AppData\Roaming\server.exe
Country:	Algeria
Countrycode:	DZA
ASN number:	36947
ASN name:	ALGTEL-ASDZ
Private:	false
Domain:	x555hd.ddns.net

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_CURRENT_USER

Details

TargetID:	0
Path:	HKEY_CURRENT_USER
Value name:	di
Value data:	!

Signature Hits	Behavior Group	Mitre Attack
Disables zone checking for all users	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Reads software policies	System Summary	System Information Discovery

HKEY_CURRENT_USER\Environment

SEE_MASK_NOZONECHECKS

HKEY_CURRENT_USER\SOFTWARE\8357fcac226b59edf02cf5db0a407b2c

[kl]

Memdumps

Base Address

Regiontype

Protect

Malicious

2F01000

trusted library allocation

page read and write

4F90000

trusted library section

page read and write

2E31000

trusted library allocation

page read and write

5731000

heap

page read and write

1301000

heap

page read and write

5A1E000

stack

page read and write

5721000

heap

page read and write

125E000

heap

page read and write

12E8000

heap

page read and write

125F000

heap

page read and write

52C9000

stack

page read and write

130C000

heap

page read and write

12A2000

heap

page read and write

109A000

trusted library allocation

page execute and read and write

56FF000

stack

page read and write

CEB000

stack

page read and write

130D000

heap

page read and write

CF9000

stack

page read and write

1260000

heap

page read and write

E40000

heap

page read and write

125A000

heap

page read and write

1309000

heap

page read and write

1301000

heap

page read and write

5720000

trusted library allocation

page execute and read and write

12B6000

heap

page read and write

1301000

heap

page read and write

12BE000

heap

page read and write

BC8000

heap

page read and write

577E000

stack

page read and write

1227000

heap

page read and write

ED0000

heap

page execute and read and write

12C2000

heap

page read and write

12B8000

heap

page read and write

1301000

heap

page read and write

F52000

trusted library allocation

page execute and read and write

7FA00000

trusted library allocation

page execute and read and write

F77000

trusted library allocation

page execute and read and write

124C000

heap

page read and write

12B3000

heap

page read and write

12AE000

heap

page read and write

7FB000

stack

page read and write

591E000

stack

page read and write

5721000

heap

page read and write

E30000

heap

page read and write

5190000

trusted library allocation

page read and write

58A0000

heap

page read and write

12E1000

heap

page read and write

CF6000

stack

page read and write

12E8000

heap

page read and write

12A3000

heap

page read and write

11D0000

trusted library allocation

page read and write

F9B000

trusted library allocation

page execute and read and write

11C0000

heap

page read and write

1233000

heap

page read and write

DE4000

stack

page read and write

1260000

heap

page read and write

125A000

heap

page read and write

4F2E000

stack

page read and write

1301000

heap

page read and write

125D000

heap

page read and write

DDE000

stack

page read and write

BCE000

heap

page read and write

F7A000

trusted library allocation

page execute and read and write

750000

unkown

page readonly

2BA0000

heap

page read and write

12B7000

heap

page read and write

F00000

heap

page read and write

1180000

heap

page read and write

3E31000

trusted library allocation

page read and write

752000

unkown

page readonly

1306000

heap

page read and write

5732000

heap

page read and write

12BB000

heap

page read and write

573A000

heap

page read and write

12BC000

heap

page read and write

12AA000

heap

page read and write

12AA000

heap

page read and write

12E8000

heap

page read and write

12E8000

heap

page read and write

5731000

heap

page read and write

50B0000

heap

page read and write

11C6000

heap

page read and write

4FDC000

stack

page read and write

1302000

heap

page read and write

12AF000

heap

page read and write

12AA000

heap

page read and write

127F000

heap

page read and write

1223000

heap

page read and write

1280000

heap

page read and write

127F000

heap

page read and write

50E0000

heap

page read and write

1261000

heap

page read and write

10B0000

trusted library allocation

page read and write

12B3000

heap

page read and write

BE6000

heap

page read and write

108C000

trusted library allocation

page execute and read and write

12AB000

heap

page read and write

1301000

heap

page read and write

12BE000

heap

page read and write

54FF000

stack

page read and write

BBE000

stack

page read and write

1058000

heap

page read and write

BE8000

heap

page read and write

567E000

stack

page read and write

1304000

heap

page read and write

12B0000

heap

page read and write

5731000

heap

page read and write

553E000

stack

page read and write

5330000

unclassified section

page read and write

12BE000

heap

page read and write

525C000

stack

page read and write

120E000

stack

page read and write

1050000

trusted library allocation

page read and write

12BB000

heap

page read and write

5700000

heap

page read and write

563E000

stack

page read and write

9EA000

stack

page read and write

2FA2000

trusted library allocation

page read and write

2E98000

trusted library allocation

page read and write

126C000

heap

page read and write

F62000

trusted library allocation

page execute and read and write

D50000

heap

page read and write

12AE000

heap

page read and write

12B9000

heap

page read and write

51C0000

heap

page read and write

12A3000

heap

page read and write

1060000

heap

page read and write

1280000

heap

page read and write

2F7E000

trusted library allocation

page read and write

1233000

heap

page read and write

4EBE000

stack

page read and write

F5A000

trusted library allocation

page execute and read and write

1256000

heap

page read and write

1260000

heap

page read and write

57BC000

stack

page read and write

126D000

heap

page read and write

3051000

trusted library allocation

page read and write

121A000

heap

page read and write

1305000

heap

page read and write

EE0000

heap

page read and write

12AE000

heap

page read and write

1282000

heap

page read and write

527E000

stack

page read and write

C36000

heap

page read and write

BC0000

heap

page read and write

1260000

heap

page read and write

12A4000

heap

page read and write

12B5000

heap

page read and write

4F08000

trusted library allocation

page read and write

11AF000

stack

page read and write

1233000

heap

page read and write

12A8000

heap

page read and write

12E8000

heap

page read and write

12B7000

heap

page read and write

12B0000

heap

page read and write

2B9F000

stack

page read and write

FB0000

heap

page read and write

11E0000

heap

page execute and read and write

DEB000

stack

page read and write

58BC000

stack

page read and write

127F000

heap

page read and write

5727000

heap

page read and write

C6B000

heap

page read and write

1261000

heap

page read and write

5283000

heap

page read and write

13BE000

stack

page read and write

100E000

stack

page read and write

1072000

trusted library allocation

page execute and read and write

F66000

trusted library allocation

page execute and read and write

12A3000

heap

page read and write

12E8000

heap

page read and write

1267000

heap

page read and write

126C000

heap

page read and write

12BB000

heap

page read and write

F97000

trusted library allocation

page execute and read and write

5280000

heap

page read and write

5731000

heap

page read and write

125A000

heap

page read and write

1082000

trusted library allocation

page execute and read and write

5739000

heap

page read and write

107A000

trusted library allocation

page execute and read and write

12BF000

heap

page read and write

E8F000

stack

page read and write

12E8000

heap

page read and write

2A9E000

stack

page read and write

53FE000

stack

page read and write

12BC000

heap

page read and write

EAF000

stack

page read and write

C02000

heap

page read and write

521B000

stack

page read and write

12A5000

heap

page read and write

1022000

heap

page read and write

4ED0000

heap

page read and write

10FE000

stack

page read and write

F82000

trusted library allocation

page execute and read and write

12B1000

heap

page read and write

572E000

heap

page read and write

125A000

heap

page read and write

12A7000

heap

page read and write

12A2000

heap

page read and write

12A5000

heap

page read and write

51DC000

stack

page read and write

1301000

heap

page read and write

FBE000

heap

page read and write

1307000

heap

page read and write

C5E000

heap

page read and write

12A5000

heap

page read and write

F8A000

trusted library allocation

page execute and read and write

150E000

stack

page read and write

13C0000

trusted library allocation

page execute and read and write

E96000

heap

page read and write

DEE000

stack

page read and write

1040000

heap

page read and write

2AEE000

stack

page read and write

50DE000

stack

page read and write

12B9000

heap

page read and write

1301000

heap

page read and write

10B7000

trusted library allocation

page execute and read and write

1301000

heap

page read and write

1080000

trusted library allocation

page read and write

5731000

heap

page read and write

13D0000

heap

page read and write

CD0000

heap

page read and write

5726000

heap

page read and write

58B0000

heap

page read and write

130E000

heap

page read and write

108A000

trusted library allocation

page execute and read and write

F60000

trusted library allocation

page read and write

12BF000

heap

page read and write

117E000

unkown

page read and write

12BC000

heap

page read and write

1540000

heap

page read and write

1190000

heap

page read and write

12AE000

heap

page read and write

126A000

heap

page read and write

5270000

trusted library allocation

page execute and read and write

12B3000

heap

page read and write

52BE000

stack

page read and write

1267000

heap

page read and write

1301000

heap

page read and write

EEE000

stack

page read and write

B60000

heap

page read and write

1263000

heap

page read and write

573C000

heap

page read and write

5100000

trusted library allocation

page read and write

766000

unkown

page readonly

FBA000

heap

page read and write

AF6000

stack

page read and write

12BE000

heap

page read and write

F92000

trusted library allocation

page read and write

125C000

heap

page read and write

1045000

heap

page read and write

12BC000

heap

page read and write

517E000

stack

page read and write

FEF000

heap

page read and write

4FA0000

trusted library allocation

page read and write

1281000

heap

page read and write

12A7000

heap

page read and write

130E000

heap

page read and write

1010000

heap

page read and write

12B8000

heap

page read and write

12B5000

heap

page read and write

12AE000

heap

page read and write

12E8000

heap

page read and write

1249000

heap

page read and write

10A2000

trusted library allocation

page execute and read and write

140F000

unkown

page read and write

3F01000

trusted library allocation

page read and write

12A2000

heap

page read and write

12A9000

heap

page read and write

5732000

heap

page read and write

126E000

heap

page read and write

125D000

heap

page read and write

12E8000

heap

page read and write

130D000

heap

page read and write

E90000

heap

page read and write

5880000

heap

page read and write

F40000

trusted library allocation

page read and write

EE5000

heap

page read and write

126E000

heap

page read and write

1304000

heap

page read and write

5110000

trusted library allocation

page execute and read and write

12B7000

heap

page read and write

10BB000

trusted library allocation

page execute and read and write

125D000

heap

page read and write

1210000

heap

page read and write

F6A000

trusted library allocation

page execute and read and write

5731000

heap

page read and write

125A000

heap

page read and write

1306000

heap

page read and write

1060000

heap

page read and write

5722000

heap

page read and write

CD5000

heap

page read and write

B70000

heap

page read and write

C29000

heap

page read and write

53BE000

stack

page read and write

5260000

trusted library allocation

page read and write

126C000

heap

page read and write

There are 288 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
c0evVb15Q1.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportc0evVb15Q1.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
c0evVb15Q1.exe