Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

V6363OW8Rh.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.966367505764052
Filename:	V6363OW8Rh.exe
Filesize:	74240
MD5:	1b5b62e15509efce8bb5379b28a5210b
SHA1:	e647ff934fc92b65344cb115b35c32e3792d36cc
SHA256:	f7a2183a529d01b8ddc02990103866057d1084444968e93862bf1f83d2467947
SHA512:	1d2f5872bea5c9742be431b7c6fdb78bb5b34e37dadf75ae764296681f568a465bb321588b445ff7657db40d1c883512814b6a1ead342624e0b34faaa2a16c60
SSDEEP:	1536:VxEuAytfJGZfzoGwPZ3kbyZ0nbo2CESOOXEnqjQc8:VDCzLwPZ3kbyUZSOOXDt8
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....yf............................n6... ...@....@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation	Software Packing
.NET source code contains potential unpacker	Data Obfuscation
Contains functionality to capture screen (.Net source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Screen Capture
Machine Learning detection for sample	AV Detection
Protects its processes via BreakOnTermination flag	Operating System Destruction
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion
Sample uses string decryption to hide its real strings	AV Detection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Windows Management Instrumentation
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Creates a start menu entry (Start Menu\Programs\Startup)	Boot Survival	Registry Run Keys / Startup Folder
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Stores files to the Windows start menu directory	Boot Survival
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary	Masquerading
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates an autostart registry key	Boot Survival
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Executes batch files	System Summary	Scripting
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\V6363OW8Rh.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\V6363OW8Rh.exe.log
Category:	dropped
Dump:	V6363OW8Rh.exe.log.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\V6363OW8Rh.exe
Type:	CSV text
Entropy:	5.3718223239563105
Encrypted:	false
Ssdeep:	48:MxHKQwYHKGSI6o6+vxp3/elStHTHhAHKKkhHNp51qHGIs0HKD:iqbYqGSI6o9Zp/elStzHeqKkhtp5wmjB
Size:	1727
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample uses string decryption to hide its real strings	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\XClient.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\XClient.exe
Category:	dropped
Dump:	XClient.exe.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\V6363OW8Rh.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.966367505764052
Encrypted:	false
Ssdeep:	1536:VxEuAytfJGZfzoGwPZ3kbyZ0nbo2CESOOXEnqjQc8:VDCzLwPZ3kbyUZSOOXDt8
Size:	74240
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for dropped file	AV Detection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log
Category:	dropped
Dump:	XClient.exe.log.2.dr
ID:	dr_4
Target ID:	2
Process:	C:\Users\user\AppData\Roaming\XClient.exe
Type:	CSV text
Entropy:	5.380476433908377
Encrypted:	false
Ssdeep:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
Size:	654
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Temp\tmpAD99.tmp.bat

DOS batch file, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\tmpAD99.tmp.bat
Category:	dropped
Dump:	tmpAD99.tmp.bat.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\V6363OW8Rh.exe
Type:	DOS batch file, ASCII text, with CRLF line terminators
Entropy:	5.1103980176192945
Encrypted:	false
Ssdeep:	3:mKDDCMNqTtv3DN2+Hvhs9zTWT8VwDwU1hGDN+E2J5xAInTRIOFAVZPy:hWKqTtLN2KO9/WT8SDNeN723fTv2Vk
Size:	157
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Executes batch files	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Jul 1 13:32:56 2024, mtime=Mon Jul 1 13:32:56 2024, atime=Mon Jul 1 13:32:56 2024, length=74240, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Category:	dropped
Dump:	XClient.lnk.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\V6363OW8Rh.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Jul 1 13:32:56 2024, mtime=Mon Jul 1 13:32:56 2024, atime=Mon Jul 1 13:32:56 2024, length=74240, window=hide
Entropy:	5.061334428770196
Encrypted:	false
Ssdeep:	12:8jjK245qpnu8ChzlXIsY//v4LqLgfjARG+HkQhl/mV:8cIDWlXUY0grARGFQhBm
Size:	767
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates a start menu entry (Start Menu\Programs\Startup)	Boot Survival	Registry Run Keys / Startup Folder
Sigma detected: Startup Folder File Write	System Summary
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

\Device\Null

ASCII text, with CRLF line terminators, with overstriking

dropped

Details

File:	\Device\Null
Category:	dropped
Dump:	Null.9.dr
ID:	dr_5
Target ID:	9
Process:	C:\Windows\System32\timeout.exe
Type:	ASCII text, with CRLF line terminators, with overstriking
Entropy:	4.41440934524794
Encrypted:	false
Ssdeep:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
Size:	60
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\V6363OW8Rh.exe

"C:\Users\user\Desktop\V6363OW8Rh.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1340
Target ID:	0
Parent PID:	4004
Name:	V6363OW8Rh.exe
Path:	C:\Users\user\Desktop\V6363OW8Rh.exe
Commandline:	"C:\Users\user\Desktop\V6363OW8Rh.exe"
Size:	74240
MD5:	1B5B62E15509EFCE8BB5379B28A5210B
Time:	10:32:51
Date:	01/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xe60000
Modulesize:	98304
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample uses string decryption to hide its real strings	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Startup Folder File Write	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\XClient.exe

"C:\Users\user\AppData\Roaming\XClient.exe"

Details

Is windows:	false
Is dropped:	true
PID:	2056
Target ID:	2
Parent PID:	4004
Name:	XClient.exe
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Commandline:	"C:\Users\user\AppData\Roaming\XClient.exe"
Size:	74240
MD5:	1B5B62E15509EFCE8BB5379B28A5210B
Time:	10:33:06
Date:	01/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x220000
Modulesize:	98304
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Sample uses string decryption to hide its real strings	AV Detection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection
Windows shortcut file (LNK) contains relative path	System Summary

C:\Users\user\AppData\Roaming\XClient.exe

"C:\Users\user\AppData\Roaming\XClient.exe"

Details

Is windows:	false
Is dropped:	true
PID:	2812
Target ID:	4
Parent PID:	4004
Name:	XClient.exe
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Commandline:	"C:\Users\user\AppData\Roaming\XClient.exe"
Size:	74240
MD5:	1B5B62E15509EFCE8BB5379B28A5210B
Time:	10:33:14
Date:	01/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x4f0000
Modulesize:	98304
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Sample uses string decryption to hide its real strings	AV Detection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection
Windows shortcut file (LNK) contains relative path	System Summary

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpAD99.tmp.bat""

Details

Is windows:	true
Is dropped:	false
PID:	5924
Target ID:	7
Parent PID:	1340
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpAD99.tmp.bat""
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	10:34:21
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6a5c10000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Executes batch files	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4092
Target ID:	8
Parent PID:	5924
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	10:34:22
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\timeout.exe

timeout 3

Details

Is windows:	true
Is dropped:	false
PID:	5328
Target ID:	9
Parent PID:	5924
Name:	timeout.exe
Path:	C:\Windows\System32\timeout.exe
Commandline:	timeout 3
Size:	32768
MD5:	100065E21CFBBDE57CBA2838921F84D6
Time:	10:34:22
Date:	01/07/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7cac00000
Modulesize:	53248
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

price-slow.gl.at.ply.gg

Details

Name:	price-slow.gl.at.ply.gg
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\V6363OW8Rh.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Domains

Name

Malicious

price-slow.gl.at.ply.gg

147.185.221.18

Details

Name:	price-slow.gl.at.ply.gg
IP:	147.185.221.18
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Connects to many ports of the same IP (likely port scanning)	Networking
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

147.185.221.18

price-slow.gl.at.ply.gg

United States

Details

IP:	147.185.221.18
TargetID:	0
Current Path:	C:\Users\user\Desktop\V6363OW8Rh.exe
Country:	United States
Countrycode:	USA
ASN number:	12087
ASN name:	SALSGIVERUS
Private:	false
Domain:	price-slow.gl.at.ply.gg

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

XClient

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	XClient
Value data:	C:\Users\user\AppData\Roaming\XClient.exe

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

HKEY_CURRENT_USER\SOFTWARE\F89E52B49AA08D9BF38E

CC52384910CEE944DDBCC575A8E0177BFA6B16E3032438B207797164D5C94B34

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\F89E52B49AA08D9BF38E
Value name:	CC52384910CEE944DDBCC575A8E0177BFA6B16E3032438B207797164D5C94B34
Value data:	00 4A 00 00 1F 8B 08 00 00 00 00 00 04 00 ED 7C 0B 78 5C 55 B5 FF 3A 67 66 CE 39 33 93 99 64 26 4D 9A B6 49 99 D2 87 D3 26 0D 4D 5F B4 D0 D2 E6 D1 47 A0 69 43 D3 D2 07 42 3A 99 39 4D A6 9D CC 49 CF 4C A0 A1 52 27 A2 57 2A 96 BF 28 78 2D E8 E5 75 F5 D2 7B D5 2B A2 50 54 04 44 D4 A2 A8 E8 5F E4 7A A1 82 A8 17 14 2F F8 FA FE 8A 5A EF 6F AD 73 E6 91 A6 28 F7 7E FF EF 7E FF EF FB DF 69 B3 CE 5E 6B ED BD F6 7A ED B5 F7 3E 99 B6 67 F7 FB C8 43 44 5E FC FC F9 CF 44 27 C8 F9 AC A5 BF FE 29 E0 27 7C CE E7 C2 F4 19 FF 93 B3 4E 28 9B 9E 9C B5 6D 28 9D 8B 8D D8 D6 A0 9D 18 8E 25 13 D9 AC 95 8F 0D 98 31 7B 34 1B 4B 67 63 5D 5B FA 62 C3 56 CA 6C 0D 85 02 73 5C 19 BD EB 88 36 29 1E FA BB 1F BE 64 16 E5 3E 4F E7 C6 82 4A 2F 51 07 10 CD A1 05 F6 00 C4 DC 49 89 6A A4 AD 3A 7A 13 95 9F F4 88 43 E7 8F 87 D6 BE 8B BB F2 DF F2 B3 F4 90 CF 89 7E A2 2D AE 31 1F F2 9C C5 C8 3B 88 AA DE 84 2F 26 7D A0 9F 51 81 1A C0 37 56 E0 AD 79 F3 60 9E 75 59 EB F4 15 5B D5 49 22 F6 B4 DA 39 3B 49 AE 6E D0 51 0C ED 9A D8 0F 22 D6 B6 DA 66 C6 4A BA BA DE E1 CA DA 38 A9 5F C7 99 6A BE D2 EF 3C 37 CA 10 1F 6D 5A 46 F4 99 F9 44 4A B1 43 7F 39 27 DE CC 67 A6 1A 9F 8A 68 2D 98 47 6A BC 01 0D 5A F0 B1 DC 34 3C 0B 10 E8 CD 4D E7 16 47 2D 37 83 5B 1E 6E 35 72 0B 56 79 17 D4 2E 52 24 36 E8 1A A1 C3 3C C0 6A 02 33 D0 4C 5A 89 A7 0A 8F 45 58 33 CF E4 79 84 C7 42 AD 73 CE E4 79 85 C7 D3 58 B1 32 4F A5 55 E0 F9 84 07 E8 9D 12 9F 05 66 50 6F 99 65 63 FA 91 6F 83 A6 C6 CF 05 C9 9A 0D 90 43 D2 06 AA 8C 82 4F C4 C9 80 D2 1C 41 92 54 85 1C AD 48 3E 97 D4 02 23 0B 2E CB 21 2A 5A 7C 2E 46 E7 41 50 0B 3A 53 E1 A9 79 EC 29 A2 E2 78 5D C6 EB C5 F1 13 E9 F1 10 64 08 FD FE 29 A7 B5 3A 20 B9 B7 B0 4E 71 76 9F C1 BA 9F D6 A6 4F A4 FA DD 69 E6 3B D3 D0 0C D8 BB 83 24 2F 23 AC 46 00 7C 4F 01 33 78 BD 05 48 F7 FA 0A D0 D3 1B F6 16 C2 78 1C 66 99 D6 02 0E E1 61 7F A9 79 6A C6 DC 78 33 BB 88 74 AB 05 CF F8 42 A6 C6 5B 01 4F 11 EB AC C8 E2 52 68 C5 4A 9A 01 9F 29 03 F5 85 6A 8C AE DF 57 88 70 B0 CF 63 BD 6A 59 2F D1 47 A7 8B E1 67 3F EB D3 30 B5 31 B7 88 B9 10 E0 AD 73 BA 4F 3D BA 1A 22 0A D1 09 23 0F 73 87 18 7D 8D C8 6A 13 ED CA F8 62 C6 1D C2 61 36 EE 30 DB 16 5F C2 F1 5B CA AC A9 A2 0B 35 C4 91 56 DA BC 53 21 31 A5 A4 7D 1C A9 1F B8 31 1D 88 2F E7 01 E7 73 AC A3 6A 7C 05 5B 7B 8E FF 28 16 8F 32 B7 DE 86 4D 23 77 CD 9D 7A 98 FD 75 D7 DC 06 2D BE 12 FC BB E6 4E 73 09 D3 A3 4A FC 02 F6 8B 43 9E E1 92 1B 41 BE B0 4C 6E 72 C9 33 0F B3 A7 EF 8A AF 62 56 03 27 90 A3 3B 1B 5C 2F F0 C6 74 3D E2 5A CF 71 85 2B 02 C2 B6 2E 42 6B DE A9 3A 27 12 21 8A 4F E3 91 45 2B E0 58 A5 91 63 B0 9F 02 A3 14 9A 2D CB E9 62 7A 79 89 52 C7 6D F6 F9 EF 15 F1 13 72 4D 42 73 5A 09 68 2D 9A 23 C5 F5 9E 6A AD 91 75 50 7F 5A AD 32 56 F2 DA 3D 1C 91 B0 9C 56 42 FE 95 0F 72 37 D1 F1 26 0C AE F5 46 BC 2B DF CB 24 8E 8E B5 96 6D 99 C3 F9 DE CE 11 E3 61 0E A3 83 27 AD 08 63 44 D2 02 E3 7D 11 5F CB 72 37 E2 6F DE FE E7 96 73 89 12 29 53 F7 FD E0 81 A9 4F 97 73 85 9A A7 38 CA B8 4A 5A 9D 62 2F AD F8 0C 15 D5 74 38 BA D5 25 19 24 FA AD 63 F9 2C 0E 2A 69 11 AD 65 F0 30 0A 99 B7 45 97 47 73 FD E1 7A 66 69 17 B1 2A EB D1 75 6E 81 E9 B9 0D 68 D6 EA 11 BD 6C BC B5 91 65 16 ED 39 9B E9 53 2B 55 3D D7 B1 A1 AC C3 0F 26 99 43 D4 EC 77 A3 7C AA F3 3F 91 21 F5 4E 86 D4 1A 13 52 44 E1 14 A1 F6 46 A7 5E 4F C1 CF 93 F0 E4 0B F8 81 10 72 72 44 25 14 10 AE 3D 5C 27 E2 8D 32 B3 BB F2 03 A4 9D 65 E5 2F 28 AE 7B 54 86 19 8E 0C 1F 7D 80 64 3F 82 0C C7 F8 80 1A 9F CD 89 81 0A A5 05 F5 1B D3 B2 1A 6C 08 1D 89 77 B3 44 66 56 69 46 BD 71 63 DA 09 8C A6 D7 EB C5 B6 18 56 37 D5 BA 98 4D 13 44 13 77 D7 6B E2 B5 07 EA AD 4B C4 E8 2A D2 5A 74 CD DA C4 63 9E 7D E3 45 C2 6B 44 45 E5 31 B3 C5 ED 5D A1 43 6F A3 BA A2 FD 5F 01 25 C4 BA 3B F5 CB 99 DE EA 29 69 62 6D AE 2C 87 67 77 8A 9B 58 5B CA 39 D6 F1 D7 6B 28 39 85 B7 B7 B2 67 15 19 67 ED E9 9F D4 33 44 FE B3 45 07 46 2D 25 D9 49 A6 C5 9C F8 10 76 BE 69 DB 8B ED 03 14 7E 7B B1 7D 1B 85 8F 97 63 78 12 A3 C2 EC 87 15 9F 47 2B B6 68 14 75 F2 D2 72 99 B5 B6 B2 F5 DA CA EB A8 18 E4 A0 7D 1E 07 B4 14 E8 2A E3 EC 81 0E E9 FE 7A 7F 31 B8 7A 45 D0 27 07 5A 77 02 AD 4F 08 74 BC 4F EC AE 22 BD 45 D7 DD 70 13 95 72 DE 7B 46 C4 69 6A AD 6F C5 EA 3F F3 11 D7 8D FD 02 B2 8E 15 63 1F A1 0F 1D A7 FA A2 CD DF C7 F1 A2 DA CD FD 38 DB C1 E5 4C 4A 76 5D 7D 7C 9B 13 EE FA 5B 83 7A 7C B1 D8 17 7B A1 ED A9 87 96 AD 31 62 F7 6E EF 3F BC 6C BA 11 AB 9E 7E 81 7A E1 77 79 D9 92 43 6C 3D B0 C2 54 F9 0C 58 F7 48 F8 93 17 FE C4 E5 F0 B0 0B 3F C8 75 69 A3 30 AB 4E 4E 7F 92 87 EF 5C FF D4 13 AD FB 9B 5D CA 85 77 70 8F 79 D2 E3 C4 27 BE F4 BF 5B AB 99 F3 C3 A7 7F F3 A7 D6 B6 15 D5 20 EB 36 76 96 91 FA F8 76 28 B6 F2 76 EE CC F5 5D B7 2F 2D 53 1F 66 EA 8B 42 4D 96 A9 3F 62 EA 93 42 3D 54 A6 3E C3 D4 07 84 7A 5D 99 FA 6B A6 DE 29 D4 1B CA 54 0D 84 15 37 08 F5 6F CB D4 18 53 47 85 7A 7B 99 7A 3E 53 FB B9 66 C7 CF E1 F0 FB 0F 5F C6 A9 B0 43 82 15 F1 B6 34 F8 63 75 E0 4E CD ED E4 2A 26 BC 99 BC 4B 63 D4 FC D2 28 DE 2B 2A C6 71 99 9E 16 F1 C9 C0 FA B3 0C 7C 8D 63 EB E4 C1 8A 1F 73 5B 9B 7A 6B 7C 17 7A 68 0D CE 33 B7 9B 91 69 2E 71 BA F3 E4 B5 83 01 F7 FD D5 01 F1 36 9E 67 C5 7B 8A 1D 97 B8 1D F9 99 BB 9C 3B BC 55 AA D8 34 87 54 5F 5F 3F 95 CF 97 1A 35 EF 26 EE 77 85 EC 1D 3C F2 4A 29 D3 11 A3 3E A2 2F F4 34 34 2B F5 87 FB 79 F8 B9 2C BF 79 21 D5 C7 F7 70 07 7F C4 6F DF 0B 8F F2 88 84 3B D7 00 F7 9B CB 49 9A E4 B9 90 FB A7 9A DC 25 10 A0 48 E0 AC C5 A0 58 FB D9 AD 0F 20 83 4E E0 A7 C9 AD FD B5 8B 3C 84 C5 C4 67 66 9C 39 53 BC A0 EB AB 50 84 43 46 AD D7 0F F7 7B 6B B5 E6 B7 E8 11 ED 56 0B D7 B5 80 EA 04 97 4F 01 D8 03 B1 10 C1 08 34 47 28 A2 4D 7D 9A A3 13 F1 B5 7D 77 4A E9 AC 1D 91 95 C6 72 F7 F2 58 6B 90 DC 83 38 F1 19 D8 E1 47 2B F8 43 15 FC 19 8B BC C4 17 C4 5A 67 5D E6 D2 AC D9 74 D9 24 AB 50 3D A6 5B FB B8 28 18 F5 F1 FD 52 05 F5 FA 5C 46 32 CB 3F F5 07 EE 5E CA CA 47 7C F5 7E 6B 98 7B 46 7C 81 53 D3 09 79 67 44 BC C5 EA 51 51 49 64 4E A7 4E B4 50 53 37 97 40 67 BF D8 BC C3 A9 19 AC CF 5B 9D FD 33 52 AC 7C 2A 2A 5D 96 CB B5 28 24 C5 8C F4 A9 A2 48 C8 AF D6 83 6D 59 4C F4 5B 23 6E ED F2 B7 E8 7E 77 46 A7 C8 05 26 16 34 6D 81 A3 C3 1C AA 5B E9 CC AB E2 F4 BE 7E 73 59 07 F8 90 EA 58 87 DC 01 56 21 67 CB 76 A1 1B 87 F9 28 2F 85 D6 CA 81 64 E5 A5 CC 36 58 A3 F2 B4 AE 62 9D 54 B8 27 E2 AD 8F E0 0C 61 5D 2D 93 CF 74 53 C7 47 11 DF 5F 3A DF 87 E8 82 0D D4 E4 D4 CB FF B2 0E 07 FF EF E9 80 33 2D C9 F9 25 E2 9C E2 D5 5B E5 FC 1E 24 9C BB C7 D0 C0 E3 1A 3C 62 81 D8 3C CA 1D 72 76 D4 F8 DB 24 2E 60 5D EB F4 38 2C 6B D4 B0 DE 8E A7 61 15 8A AB 3D 16 A3 6F 90 35 CE 3A 44 BD DF AE 2D DE 08 E3 EF 00 B8 16 87 76 6F D4 1B 5F E0 D6 A6 96 75 11 EF A1 69 7C C4 73 0F 91 4B FC 16 AA 68 00 54 5C 78 BD 87 10 4C 6F B1 DD E4 B4 A7 B3 8F 9A 79 A1 FB AD 77 4A CA F0 0D 2D 70 6A 61 65 72 38 17 95 89 C6 E4 DE C5 EE 72 DD 52 91 AF 8B E8 D6 27 8A FB 5A 98 BE F6 34 CD 2A C6 E9 4A AE AF EC 23 6F BC 85 2F 93 9A F5 37 EC AB F8 BB C5 DD D0 7E 2E 69 6A EE 7A 89 42 83 1B 05 0D 6B 39 7E A4 32 00 C5 6C 3F 8C BA 17 F0 EC CB DD C0 EE B4 3F CB 9B 7B 8C 0B FB D4 DC 7B DD 9A 6E 1D 65 8F 1A 77 B9 67 85 5A BD 1E 35 4E 8F 1A F1 1B 45 5E E9 9A 55 1B 88 06 E4 9E 55 EB 77 64 D7 06 B5 48 10 69 61 FD 2F EE 58 BE 7C 1D 9A 78 F9 8A 04 9D DB C6 3C 2E 7F EF A3 89 F7 30 FF D9 EF 61 FE 37 77 0F 3B 15 A6 48 10 B5 21 58 3C 48 86 23 06 50 3D 7E 93 84 E8 59 3A 55 E3 3A A8 AA 7C 7F 94 13 49 E9 AC 35 9D 82 73 A9 81 7D AF D2 DD F4 8E B9 8A 5B 43 DE 46 0F 2E 73 DA B0 86 9E 5E AF D4 38 F1 F1 10 8A 03 35 70 7C A2 CA E9 3A 24 B3 AA 22 D4 6B 39 35 F4 43 31 3E 07 1D C2 C6 E6 FD 41 95 7E 68 96 60 E7 30 16 32 A6 3E ED 9F FA B4 64 03 4E 3D 11 AF E4 35 87 53 32 AF 56 53 23 5A 03 DF C5 70 E1 85 51 3E 58 E1 73 8D 8A B8 EF 19 78 3D A9 B4 8E EA 76 3B 75 8E 73 65 18 B9 32 4D D6 F4 7F 31 D8 BE 7A 2C 00 5F 54 9B 14 6C 03 09 20 C1 D6 DD 60 FB E3 E7 71 00 DF CF CE 5F C4 0B 29 80 7D AB 22 33 83 88 C4 5B B0 97 39 A9 59 5B CE CD 2A 8A 54 9D 99 9B 91 40 C4 FF 26 32 C7 FF 17 32 47 3F 7B E6 E8 6F 3E 73 FC 70 B2 BF 9C 39 1A FB 7C 72 E6 84 CE C8 1C 59 C3 ED 29 27 33 AE 77 EE 1F 74 8B 93 13 E4 E4 11 11 B3 BF 85 9F 25 0A 91 9B 44 F2 AA 6F 35 9F 41 40 EB AC A0 F3 A7 8D C7 82 B6 4D 71 DE 7B 3A 7B 3C 57 09 CE 50 8A C4 1E FF 48 E3 78 40 6D 99 5B 1F 6C 9E A2 EA 16 EE 6C 01 2D 11 FB 80 42 CA EE 80 3E 75 67 50 57 AD 9B 41 3B 4F 6D 7E A1 B8 8F 47 39 47 38 37 54 4F FC 16 36 FC 83 E5 8D 9A DF 59 71 F1 69 14 7E FC 6F E9 8C F7 70 4D 4C FF 76 4D B1 8A 96 78 55 C5 BD 5F 8D 7F 88 2A DE CF F1 B9 64 A6 D0 DF EB C3 AC 53 4E 2B 41 BD C5 88 C3 9A E6 40 B3 8F 54 E9 38 8F 3C A7 EB 98 2D AF 1D E7 BB CB 50 CE 14 D8 0D E8 1C 19 7F E8 56 4E C1 DB 38 9B F5 F7 1A 8E AC 2A A3 65 4A 1C EE 6B 0E 3A 6C DD FA B0 53 82 75 91 BB B5 28 4D CD 7D 84 AB 3D 77 59 D0 9A 43 B0 B5 02 BF 0E 58 B0 D8 93 C7 1D 6C 06 BF F2 84 F1 1D 7D 17 77 28 EE 9B 53 B6 E7 AA A5 AD 8B 5A 97 2C 5A D2 B6 92 29 3E C2 41 80 4E C0 F4 D9 D8 69 E6 E0 D4 F0 0A 2E 19 B3 FB F2 76 3A 3B 98 E3 1E 35 58 D6 DF E0 18 6D EF A3 67 67 B9 F1 DA B0 BD 9B 5F F7 BE 02 FC 6B 3A F0 8E 8C 35 50 8E BB B2 A3 E9 AE 26 3F E4 D0 EB CA 12 DE 00 79 F6 7E 67 2F A4 59 9C 4F F8 61 1F 7C C4 3D EF 75 39 FE E0 77 9E FC DE 4D 8C F5 54 B4 15 97 C7 4F DD E5 39 AF A5 BF AE 3B 96 69 34 CD 97 AC D2 E8 6F 04 BE E6 39 16 AC A6 C7 F8 05 27 B5 79 57 FB 35 FA A3 C0 61 1F C3 95 02 B7 0A 3C 28 F4 26 6F 13 46 1D F3 30 FC B2 50 3E E0 1D D1 02 F4 05 CF ED B8 56 25 3D B7 EB 01 F2 7A 6F D7 C3 B4 D0 F3 EB 60 98 5E 0F 3C 10 D4 E8 E3 DE 63 68 6F F4 AE AA 0A D3 1E EF 46 45 A3 F3 C3 51 23 4C 5F 0A 70 9F 17 84 F2 3B 95 29 4D 34 0A 09 FF E0 39 66 68 F4 5D E8 A6 D1 61 0F EB F9 AE C0 75 80 EF F1 C7 FD 01 5A ED A9 C5 BC FB 95 35 9A 46 6F F5 47 8D 00 0D 85 3D 61 8D 7E A1 7F 07 39 38 5F FB BA 16 A5 4F A8 5F 07 F7 04 66 D1 E8 D5 F0 1A 50 0E F9 77 41 CF 1F E9 DF 00 C5 56 8E 54 6B F4 73 3F C3 76 E3 48 75 94 4E F8 79 D4 FB 82 0C BF 1A D8 05 F8 E9 D0 2E 48 F8 AE CA 12 DE 21 F0 1F AB 57 63 F6 8D 32 FB 1F 21 33 4C B3 94 55 55 01 7A 59 3B 16 0C D0 7D D5 9E 70 80 7E A5 32 7C 4E 65 7D 3E E5 63 8B 06 43 AB AA EA E9 FD 46 67 08 1E D3 58 CE 25 3A EB FC FB 2A EE F3 6B E8 1C A0 B5 D2 FF 2A 99 E5 43 C4 A3 6A 43 1B B1 C9 3C A1 30 FC 32 24 68 74 24 C8 5C A3 3A 6A 44 E9 E5 F0 D7 B5 7A 9A 17 64 99 D7 0B FD 71 58 BA 46 49 05 38 8E 0F A8 DF 01 EC D5 E6 C1 BA 53 01 9E 6B AE CA 56 B7 18 6C EF 34 81 CB 54 B6 BA 29 CC 96 EE 54 D9 6A F2 B3 C7 86 F5 A6 AA 28 D9 01 B6 BD 2B C8 1E BE 3B C4 FE 5F 88 59 38 7B D2 92 43 C5 55 F2 2B 23 53 DD 5D C2 7E 17 C8 54 F7 A0 CD 79 5D 43 17 85 33 D5 57 00 F3 48 32 FE 5D D5 CD 55 57 20 33 0D E1 C5 43 99 EA 77 21 3F 83 C2 FB 7E 35 F7 34 50 F7 B8 C6 DC 6F DC 6F 30 56 2D 52 17 84 18 C3 D9 49 78 03 61 C6 AA 71 8B 60 DE 77 AA 18 9B C2 B5 0C E8 03 01 07 6B 12 DE 93 7E 07 9B 2F 58 6F 35 63 75 D4 2A 3D 71 BE 25 C6 16 93 0F D8 4F 82 0E B6 44 B0 16 97 77 01 F9 B0 FC FE 5D B0 7A 5A 45 01 F0 BE CA 72 51 CD D7 08 76 9F 60 8D C0 78 8D 6D 90 9E 33 5D DE E2 30 F3 66 52 07 EA F7 C2 40 9D B7 8D BC 81 26 C0 86 C0 5C C0 F5 81 85 DE 08 6D 35 96 01 D6 79 56 02 FE 1F E5 22 6F 3D EA 79 07 E0 15 02 67 54 6F 00 AC 11 F8 33 62 F8 45 81 B7 09 7C 9F 72 31 E0 8F A9 07 70 B9 BE 15 F0 9A C0 76 C0 17 69 97 F7 D2 C2 ED 74 A5 77 16 2D AE 3E E5 59 4E 9F A2 04 E8 B8 7B 79 35 3A ED BB 12 30 14 62 38 37 F8 3D AC B9 B7 85 F6 A1 BD AF 9A 29 2F 09 3C 18 66 F8 7D 3F C3 EB A5 7D 81 71 A5 B7 37 26 95 A3 E1 7C AC 47 85 76 4E C0 06 04 8B 34 AC 0E 3E 0C EC BD 82 D5 1A 3F 0F 64 BD 0A DD E3 62 3F 32 72 C0 BE EC 62 5F 0C 1C 04 F6 BC 8B 7D 2F 78 2D B0 3F BA D8 78 E0 1D C0 BA 66 39 D8 9F D4 77 03 BB DC C5 FC 9E A3 C0 52 B3 CA F3 A9 74 CD AC B2 2E 2A BD 53 B0 7A E3 E3 E1 9B BD 2A 7D D8 1D 37 23 C4 D8 7D 13 C6 BD 30 61 DC 2B CE 38 DA EF 3F E6 9D C8 D3 69 CF B9 E5 71 FA 19 BC B7 9D EB 8C EB 0D 33 EF B5 D9 0E F6 92 EF 2E AF 4E 53 E6 39 58 42 39 EE 35 68 A7 8B 3D A2 7C 0E B5 7A CA 5B 1C EC C3 CA C3 C8 ED C6 B8 83 5D A0 31 56 39 43 80 6A E6 3B BC BD 90 E2 DC 2D 0A 54 1F FB 66 E8 9F BD C1 12 B6 4F FD 8C B7 AA 84 AD AA FE 82 B7 86 6A 5A 9C 71 1F F4 3F E2 AD 29 F1 9E 0B 7F D5 1B 71 B1 DA D8 53 E1 6F 23 37 86 DC 9E 37 E1 F2 30 9D AE 77 B1 E7 69 97 67 06 DD E3 62 BF 0B 3D E3 6D A4 15 0B 1D EC 55 60 4D F4 05 17 DB 17 7C C6 3B 93 D6 B6 3A D8 26 60 E7 4C B0 21 E6 CE 17 89 7D D4 FF 43 6F 19 7B CC F8 29 B2 F4 CB 32 2E 42 D7 1A FF EE 9D 4B 2F 9D E7 48 99 EB F9 AD 77 DE 04 29 F3 2B EC 3B ED 9D 4F D7 B7 39 3D FF D5 AF FA E6 D3 94 C5 0E B6 5D F5 FB 16 D0 6F 96 48 DC E9 0F 38 C0 B6 D0 22 39 CD 7F 45 5D 15 FA 84 67 21 F5 BA 58 8D AA 29 AD 34 24 D8 75 F4 33 B5 DE D7 4A EF

Signature Hits	Behavior Group	Mitre Attack
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry

Memdumps

Base Address

Regiontype

Protect

Malicious

31D1000

trusted library allocation

page read and write

E62000

unkown

page readonly

1480000

trusted library allocation

page read and write

7FFD3485C000

trusted library allocation

page execute and read and write

1790000

heap

page read and write

7FFD34856000

trusted library allocation

page read and write

9C1000

heap

page read and write

1450000

heap

page read and write

249C000

trusted library allocation

page read and write

940000

heap

page read and write

1C135000

heap

page read and write

15CA000

stack

page read and write

335F000

trusted library allocation

page read and write

1444FEE1000

heap

page read and write

1AA2D000

stack

page read and write

7FFD34880000

trusted library allocation

page execute and read and write

1BBF0000

heap

page read and write

1C4F4000

stack

page read and write

1794000

heap

page read and write

135B000

heap

page read and write

7FFD34770000

trusted library allocation

page read and write

7FFD34960000

trusted library allocation

page read and write

1E844FF000

unkown

page read and write

1B24F000

stack

page read and write

7FFD34764000

trusted library allocation

page read and write

990000

heap

page read and write

7FFD34902000

trusted library allocation

page read and write

32AD000

trusted library allocation

page read and write

743000

heap

page read and write

7FFD347CB000

trusted library allocation

page execute and read and write

900000

heap

page read and write

D4E000

stack

page read and write

3349000

trusted library allocation

page read and write

A5A000

heap

page read and write

7FFD34980000

trusted library allocation

page read and write

7FFD348C0000

trusted library allocation

page execute and read and write

26EE000

stack

page read and write

1B34E000

stack

page read and write

7A38B6E000

stack

page read and write

23752970000

heap

page read and write

1C1DF000

heap

page read and write

7FFD347BC000

trusted library allocation

page execute and read and write

1C100000

heap

page read and write

900000

heap

page read and write

2480000

heap

page read and write

127C1000

trusted library allocation

page read and write

1444FEF2000

heap

page read and write

7FFD347B3000

trusted library allocation

page read and write

C40000

heap

page read and write

1D273000

heap

page read and write

1E8412C000

stack

page read and write

139F000

heap

page read and write

131D1000

trusted library allocation

page read and write

1C7ED000

stack

page read and write

7FFD34983000

trusted library allocation

page read and write

1C161000

heap

page read and write

127C8000

trusted library allocation

page read and write

7FFD34856000

trusted library allocation

page execute and read and write

7FFD347A2000

trusted library allocation

page read and write

1D585000

heap

page read and write

1C96E000

stack

page read and write

7FFD34820000

trusted library allocation

page execute and read and write

7FFD34773000

trusted library allocation

page execute and read and write

1BFFD000

stack

page read and write

7FFD34860000

trusted library allocation

page execute and read and write

1E845FE000

stack

page read and write

30C0000

heap

page read and write

7FFD347AD000

trusted library allocation

page execute and read and write

7FFD34790000

trusted library allocation

page read and write

7FFD34780000

trusted library allocation

page read and write

7FFD34774000

trusted library allocation

page read and write

1444FFB0000

heap

page read and write

1C19D000

heap

page read and write

127C3000

trusted library allocation

page read and write

179E000

heap

page read and write

9D0000

heap

page read and write

7FFD34970000

trusted library allocation

page read and write

B25000

heap

page read and write

1444FEBB000

heap

page read and write

23752A50000

heap

page read and write

7A38BEE000

stack

page read and write

706000

heap

page read and write

1BCFE000

stack

page read and write

1C0FE000

stack

page read and write

7FFD34850000

trusted library allocation

page read and write

7FFD34886000

trusted library allocation

page execute and read and write

3000000

heap

page execute and read and write

14C0000

heap

page read and write

3468000

trusted library allocation

page read and write

7FFD3476D000

trusted library allocation

page execute and read and write

3430000

trusted library allocation

page read and write

1C3FA000

stack

page read and write

7FFD347CC000

trusted library allocation

page execute and read and write

131E2000

trusted library allocation

page read and write

E4F000

stack

page read and write

3070000

heap

page read and write

7FFD34784000

trusted library allocation

page read and write

5F5000

heap

page read and write

13F6000

heap

page read and write

9F8000

heap

page read and write

14450105000

heap

page read and write

3277000

trusted library allocation

page read and write

23754485000

heap

page read and write

1440000

heap

page read and write

735000

heap

page read and write

B20000

heap

page read and write

23754480000

heap

page read and write

1AE40000

heap

page read and write

27CF000

trusted library allocation

page read and write

12498000

trusted library allocation

page read and write

6D0000

heap

page read and write

12E0000

heap

page read and write

5F0000

heap

page read and write

7A38AEC000

stack

page read and write

1B54E000

stack

page read and write

3350000

trusted library allocation

page read and write

1D570000

heap

page read and write

945000

heap

page read and write

7FF47B7B0000

trusted library allocation

page execute and read and write

32FF000

trusted library allocation

page read and write

9CC000

heap

page read and write

1CF6E000

stack

page read and write

8FF000

stack

page read and write

7FFD34974000

trusted library allocation

page read and write

27C1000

trusted library allocation

page read and write

7FFD34990000

trusted library allocation

page execute and read and write

1C2FC000

stack

page read and write

7FFD34763000

trusted library allocation

page execute and read and write

960000

trusted library allocation

page read and write

1CB6C000

stack

page read and write

1CA6A000

stack

page read and write

3414000

trusted library allocation

page read and write

1AD4D000

stack

page read and write

1B14E000

stack

page read and write

3363000

trusted library allocation

page read and write

1B18E000

stack

page read and write

27A0000

heap

page execute and read and write

3412000

trusted library allocation

page read and write

14A0000

trusted library allocation

page read and write

7FFD347C0000

trusted library allocation

page read and write

C45000

heap

page read and write

7FFD34830000

trusted library allocation

page execute and read and write

930000

trusted library allocation

page read and write

7FFD3497E000

trusted library allocation

page read and write

7FFD34942000

trusted library allocation

page read and write

1C17B000

heap

page read and write

3361000

trusted library allocation

page read and write

748000

heap

page read and write

999000

heap

page read and write

1710000

trusted library allocation

page read and write

1444FFD0000

heap

page read and write

14450100000

heap

page read and write

1BEFF000

stack

page read and write

7FFD34846000

trusted library allocation

page execute and read and write

B90000

heap

page execute and read and write

1D270000

heap

page read and write

1B200000

trusted library allocation

page read and write

72D000

heap

page read and write

31CE000

stack

page read and write

23CE000

stack

page read and write

7FFD347A0000

trusted library allocation

page read and write

1C1BB000

heap

page read and write

1445000

heap

page read and write

27B0000

heap

page read and write

7FFD34950000

trusted library allocation

page execute and read and write

1200000

heap

page read and write

5C0000

heap

page read and write

131DE000

trusted library allocation

page read and write

7FFD347A4000

trusted library allocation

page read and write

1336000

heap

page read and write

1E171000

heap

page read and write

23752B30000

heap

page read and write

1CD6B000

stack

page read and write

1C82E000

stack

page read and write

72B000

heap

page read and write

1D291000

heap

page read and write

1444FDD0000

heap

page read and write

7FFD3494F000

trusted library allocation

page read and write

E60000

unkown

page readonly

8F4000

stack

page read and write

7FFD347BD000

trusted library allocation

page execute and read and write

3C0000

heap

page read and write

1AF4E000

stack

page read and write

1444FEE1000

heap

page read and write

2491000

trusted library allocation

page read and write

27D1000

trusted library allocation

page read and write

374000

stack

page read and write

7FFD3477D000

trusted library allocation

page execute and read and write

1B34E000

stack

page read and write

23752A90000

heap

page read and write

1444FFF0000

heap

page read and write

9F6000

heap

page read and write

3323000

trusted library allocation

page read and write

7FFD34810000

trusted library allocation

page read and write

1300000

heap

page read and write

7FFD347C4000

trusted library allocation

page read and write

FB4000

stack

page read and write

7FFD34780000

trusted library allocation

page read and write

220000

unkown

page readonly

2FC0000

heap

page read and write

16CB000

stack

page read and write

7FFD34912000

trusted library allocation

page read and write

16D0000

trusted library section

page read and write

13A7000

heap

page read and write

700000

heap

page read and write

134F000

heap

page read and write

76E000

heap

page read and write

1371000

heap

page read and write

1B75C000

stack

page read and write

774000

heap

page read and write

27CC000

trusted library allocation

page read and write

7FFD347FC000

trusted library allocation

page execute and read and write

33B8000

trusted library allocation

page read and write

1BBF3000

heap

page read and write

33BA000

trusted library allocation

page read and write

23752B39000

heap

page read and write

B10000

heap

page execute and read and write

1444FEE1000

heap

page read and write

12493000

trusted library allocation

page read and write

70C000

heap

page read and write

1B240000

heap

page read and write

1CC6E000

stack

page read and write

5A0000

heap

page read and write

590000

heap

page read and write

1C1BD000

heap

page read and write

32C1000

trusted library allocation

page read and write

7FFD347B0000

trusted library allocation

page read and write

13A4000

heap

page read and write

9B9000

heap

page read and write

1B040000

heap

page execute and read and write

1C92A000

stack

page read and write

1D26B000

stack

page read and write

7CE000

heap

page read and write

1330000

heap

page read and write

A60000

trusted library allocation

page read and write

7FFD34820000

trusted library allocation

page read and write

7FFD3478D000

trusted library allocation

page execute and read and write

7FFD347A3000

trusted library allocation

page execute and read and write

A4E000

stack

page read and write

1BDFF000

stack

page read and write

1C185000

heap

page read and write

344A000

trusted library allocation

page read and write

1444FEF2000

heap

page read and write

1374000

heap

page read and write

741000

heap

page read and write

16F0000

heap

page read and write

1C177000

heap

page read and write

7FFD347CD000

trusted library allocation

page execute and read and write

7C3000

heap

page read and write

3392000

trusted library allocation

page read and write

940000

trusted library allocation

page read and write

7D5000

heap

page read and write

3D0000

heap

page read and write

9CA000

heap

page read and write

7FFD34979000

trusted library allocation

page read and write

14C5000

heap

page read and write

7FFD34890000

trusted library allocation

page execute and read and write

13CA000

heap

page read and write

1444FEF1000

heap

page read and write

1B44E000

stack

page read and write

12491000

trusted library allocation

page read and write

723000

heap

page read and write

7FFD34774000

trusted library allocation

page read and write

30B0000

heap

page execute and read and write

1444FEB0000

heap

page read and write

7FFD3477D000

trusted library allocation

page execute and read and write

There are 256 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
V6363OW8Rh.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportV6363OW8Rh.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
V6363OW8Rh.exe