Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Details.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.345062038205206
Filename:	Details.exe
Filesize:	493056
MD5:	a8a7ded2a82dc5650d018a55944ed7f6
SHA1:	78ea0f8f73c8533b21900e20242df96ec1c56ce0
SHA256:	cdb27cbc1e485ca7b7c3f4f2eb90015befdf7991cb5742814ccf0c18bea2af11
SHA512:	3e2878b6cc46a71556e0f57e5b92c51595e39fe069d16974ee79f9f7ea9cbe9d073d2c467049862b6f23fff404bb8714e1919e39621606e4052e01e50e8cbce7
SSDEEP:	6144:ZXuAPKbl6eAs+AYJAmp1sWosos1kKBY0SQBhhASbOF7HAAPq/XtLMfFUYK8tvlC8:ZXuBxOukAVzAAylLMfCYK8tv
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o................0..\|..........~.... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Software Packing
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Details.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Details.exe.log
Category:	dropped
Dump:	Details.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Details.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.353332853270839
Encrypted:	false
Ssdeep:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
Size:	1039
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Details.exe

"C:\Users\user\Desktop\Details.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6464
Target ID:	0
Parent PID:	4004
Name:	Details.exe
Path:	C:\Users\user\Desktop\Details.exe
Commandline:	"C:\Users\user\Desktop\Details.exe"
Size:	493056
MD5:	A8A7DED2A82DC5650D018A55944ED7F6
Time:	22:16:51
Date:	01/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x790000
Modulesize:	516096
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\Details.exe

"C:\Users\user\Desktop\Details.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2276
Target ID:	2
Parent PID:	6464
Name:	Details.exe
Path:	C:\Users\user\Desktop\Details.exe
Commandline:	"C:\Users\user\Desktop\Details.exe"
Size:	493056
MD5:	A8A7DED2A82DC5650D018A55944ED7F6
Time:	22:16:51
Date:	01/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x2c0000
Modulesize:	516096
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Details.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6276
Target ID:	5
Parent PID:	2276
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\Details.exe"
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	22:17:12
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1c0000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6464
Target ID:	6
Parent PID:	6276
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	22:17:12
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

Details

Is windows:	true
Is dropped:	false
PID:	3536
Target ID:	7
Parent PID:	6276
Name:	choice.exe
Path:	C:\Windows\SysWOW64\choice.exe
Commandline:	choice /C Y /N /D Y /T 3
Size:	28160
MD5:	FCE0E41C87DC4ABBE976998AD26C27E4
Time:	22:17:12
Date:	01/07/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x8a0000
Modulesize:	40960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://checkip.dyndns.org/

132.226.8.169

https://aka.ms/dotnet-warnings/

unknown

https://reallyfreegeoip.org/xml/8.46.123.33$

unknown

http://checkip.dyndns.org/q

unknown

https://aka.ms/serializationformat-binary-obsolete

unknown

http://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org

unknown

https://aka.ms/binaryformatter

unknown

http://checkip.dyndns.org

unknown

http://checkip.dyndns.com

unknown

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.96.3

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 3 hidden URLs, click here to show them.

Domains

Name

Malicious

reallyfreegeoip.org

188.114.96.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.96.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

132.226.8.169

IPs

Domain

Country

Malicious

188.114.96.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.96.3
TargetID:	2
Current Path:	C:\Users\user\Desktop\Details.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

132.226.8.169

checkip.dyndns.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Details_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Details_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Details_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Details_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Details_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Details_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Details_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Details_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Details_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Details_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Details_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Details_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Details_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Details_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

702000

remote allocation

page execute and read and write

2751000

trusted library allocation

page read and write

3B79000

trusted library allocation

page read and write

2BB4000

heap

page read and write

2400000

trusted library allocation

page read and write

111A000

trusted library allocation

page execute and read and write

2809000

trusted library allocation

page read and write

50E7000

trusted library allocation

page read and write

B4D000

stack

page read and write

1110000

trusted library allocation

page read and write

735000

heap

page read and write

65C0000

heap

page read and write

282D000

trusted library allocation

page read and write

3700000

heap

page read and write

3410000

heap

page read and write

50EC000

trusted library allocation

page read and write

11A0000

trusted library allocation

page read and write

51DE000

stack

page read and write

484C000

stack

page read and write

3751000

trusted library allocation

page read and write

D97000

heap

page read and write

C00000

heap

page read and write

4CC0000

heap

page read and write

622E000

stack

page read and write

2A6E000

stack

page read and write

285D000

stack

page read and write

521E000

stack

page read and write

2403000

trusted library allocation

page execute and read and write

745E000

stack

page read and write

2690000

trusted library allocation

page execute and read and write

4C6C000

stack

page read and write

997000

stack

page read and write

26D6000

trusted library allocation

page read and write

26F0000

trusted library allocation

page read and write

5E70000

trusted library allocation

page execute and read and write

65BC000

stack

page read and write

50F3000

heap

page read and write

27F8000

trusted library allocation

page read and write

2858000

trusted library allocation

page read and write

2854000

trusted library allocation

page read and write

10A0000

heap

page read and write

731E000

stack

page read and write

5020000

trusted library allocation

page read and write

2850000

trusted library allocation

page read and write

500F000

trusted library allocation

page read and write

2B9C000

heap

page read and write

28C3000

trusted library allocation

page read and write

26F4000

trusted library allocation

page read and write

5EB0000

heap

page read and write

5FED000

stack

page read and write

2BB5000

heap

page read and write

525E000

stack

page read and write

6F7000

stack

page read and write

519D000

stack

page read and write

26E5000

trusted library allocation

page read and write

56A0000

trusted library section

page readonly

118E000

stack

page read and write

28A0000

trusted library allocation

page read and write

88E000

stack

page read and write

291C000

trusted library allocation

page read and write

309C000

stack

page read and write

2E90000

heap

page read and write

DE4000

heap

page read and write

D58000

heap

page read and write

2842000

trusted library allocation

page read and write

C70000

heap

page read and write

28A8000

trusted library allocation

page read and write

2A10000

heap

page read and write

284C000

trusted library allocation

page read and write

5CC0000

trusted library allocation

page execute and read and write

899000

stack

page read and write

AE7000

heap

page read and write

4FDD000

trusted library allocation

page read and write

8B8000

heap

page read and write

10F3000

trusted library allocation

page execute and read and write

4FE2000

trusted library allocation

page read and write

5680000

trusted library allocation

page read and write

26F6000

trusted library allocation

page read and write

C5E000

stack

page read and write

7A90000

trusted library allocation

page read and write

1100000

trusted library allocation

page read and write

515E000

stack

page read and write

5D6E000

stack

page read and write

C75000

heap

page read and write

2430000

trusted library allocation

page read and write

602F000

stack

page read and write

4F10000

heap

page execute and read and write

26C4000

trusted library allocation

page read and write

5C6E000

stack

page read and write

3418000

heap

page read and write

2B90000

heap

page read and write

2806000

trusted library allocation

page read and write

71DE000

stack

page read and write

1140000

trusted library allocation

page read and write

2740000

heap

page execute and read and write

890000

heap

page read and write

1120000

trusted library allocation

page read and write

70DD000

stack

page read and write

5CA0000

heap

page read and write

5436000

heap

page read and write

4FCE000

trusted library allocation

page read and write

5226000

trusted library allocation

page read and write

B00000

heap

page read and write

2422000

trusted library allocation

page read and write

4FF0000

trusted library allocation

page read and write

5230000

trusted library section

page read and write

10F0000

trusted library allocation

page read and write

2894000

trusted library allocation

page read and write

5210000

trusted library allocation

page read and write

2D8F000

unkown

page read and write

10E0000

trusted library allocation

page read and write

730000

heap

page read and write

D86000

heap

page read and write

721E000

stack

page read and write

99D000

heap

page read and write

2720000

trusted library allocation

page read and write

592F000

stack

page read and write

32EF000

stack

page read and write

4B90000

heap

page read and write

2B30000

heap

page read and write

2437000

trusted library allocation

page execute and read and write

289C000

trusted library allocation

page read and write

112B000

trusted library allocation

page execute and read and write

25A0000

heap

page read and write

5010000

trusted library allocation

page read and write

32F0000

heap

page read and write

AAE000

stack

page read and write

5EA0000

heap

page read and write

2450000

trusted library allocation

page read and write

4FB0000

trusted library allocation

page read and write

5C9C000

stack

page read and write

259E000

stack

page read and write

5040000

trusted library allocation

page read and write

2B50000

trusted library allocation

page read and write

3CB000

stack

page read and write

27F5000

trusted library allocation

page read and write

76A2000

trusted library allocation

page read and write

61AE000

stack

page read and write

AE0000

heap

page read and write

295D000

stack

page read and write

8B0000

heap

page read and write

4EED000

stack

page read and write

4FBB000

trusted library allocation

page read and write

4EF0000

trusted library allocation

page read and write

5290000

trusted library section

page read and write

2B60000

heap

page execute and read and write

F50000

heap

page read and write

50EE000

trusted library allocation

page read and write

508C000

trusted library allocation

page read and write

53E0000

heap

page read and write

DFC000

heap

page read and write

5CB0000

heap

page read and write

109E000

stack

page read and write

2890000

trusted library allocation

page read and write

790000

unkown

page readonly

11C7000

heap

page read and write

4FD1000

trusted library allocation

page read and write

770000

heap

page read and write

2815000

trusted library allocation

page read and write

2FB0000

heap

page read and write

759E000

stack

page read and write

29C0000

heap

page read and write

28B5000

trusted library allocation

page read and write

27FD000

trusted library allocation

page read and write

D50000

heap

page read and write

8E7000

heap

page read and write

240D000

trusted library allocation

page execute and read and write

4FD6000

trusted library allocation

page read and write

50F0000

heap

page read and write

5EB0000

heap

page read and write

660E000

stack

page read and write

5EFC000

heap

page read and write

10FD000

trusted library allocation

page execute and read and write

C10000

heap

page read and write

26A0000

trusted library allocation

page read and write

2432000

trusted library allocation

page read and write

268C000

stack

page read and write

326E000

stack

page read and write

1127000

trusted library allocation

page execute and read and write

5000000

trusted library allocation

page read and write

670E000

stack

page read and write

242A000

trusted library allocation

page execute and read and write

2C80000

trusted library allocation

page read and write

2700000

trusted library allocation

page read and write

606E000

stack

page read and write

28FA000

trusted library allocation

page read and write

110D000

trusted library allocation

page execute and read and write

2B2E000

stack

page read and write

2800000

trusted library allocation

page read and write

5015000

trusted library allocation

page read and write

5080000

trusted library allocation

page read and write

5EF1000

heap

page read and write

528E000

stack

page read and write

1190000

trusted library allocation

page execute and read and write

26BE000

trusted library allocation

page read and write

5E95000

heap

page read and write

32AE000

stack

page read and write

5C2E000

stack

page read and write

D93000

heap

page read and write

700000

remote allocation

page execute and read and write

2B4C000

stack

page read and write

28FF000

trusted library allocation

page read and write

5070000

heap

page read and write

1112000

trusted library allocation

page read and write

1122000

trusted library allocation

page read and write

2B71000

trusted library allocation

page read and write

2812000

trusted library allocation

page read and write

26D9000

trusted library allocation

page read and write

55DE000

stack

page read and write

5E80000

trusted library allocation

page read and write

28D1000

trusted library allocation

page read and write

5B2F000

stack

page read and write

321E000

stack

page read and write

5221000

trusted library allocation

page read and write

2E8F000

stack

page read and write

AB0000

heap

page read and write

8C4000

heap

page read and write

2915000

trusted library allocation

page read and write

28A4000

trusted library allocation

page read and write

50A0000

trusted library allocation

page execute and read and write

735E000

stack

page read and write

5A2F000

stack

page read and write

2A0E000

unkown

page read and write

963000

heap

page read and write

5EDF000

heap

page read and write

F4E000

stack

page read and write

616E000

stack

page read and write

6FA0000

heap

page read and write

632E000

stack

page read and write

5240000

trusted library allocation

page read and write

3757000

trusted library allocation

page read and write

5E90000

heap

page read and write

508F000

trusted library allocation

page read and write

2898000

trusted library allocation

page read and write

749E000

stack

page read and write

11C0000

heap

page read and write

2410000

trusted library allocation

page read and write

2844000

trusted library allocation

page read and write

3779000

trusted library allocation

page read and write

243B000

trusted library allocation

page execute and read and write

C4E000

stack

page read and write

10F4000

trusted library allocation

page read and write

5223000

trusted library allocation

page read and write

3100000

heap

page read and write

2404000

trusted library allocation

page read and write

501E000

stack

page read and write

1103000

trusted library allocation

page read and write

305C000

stack

page read and write

50D0000

trusted library allocation

page read and write

505E000

stack

page read and write

2426000

trusted library allocation

page execute and read and write

5ED4000

heap

page read and write

5DAE000

stack

page read and write

5DCD000

stack

page read and write

5090000

heap

page execute and read and write

792000

unkown

page readonly

F9E000

stack

page read and write

3220000

heap

page read and write

64BC000

stack

page read and write

11B0000

heap

page read and write

3B71000

trusted library allocation

page read and write

249E000

stack

page read and write

5EAE000

stack

page read and write

26B4000

trusted library allocation

page read and write

508A000

trusted library allocation

page read and write

52E0000

heap

page read and write

D5E000

heap

page read and write

50E0000

trusted library allocation

page read and write

2420000

trusted library allocation

page read and write

23F0000

trusted library allocation

page read and write

1116000

trusted library allocation

page execute and read and write

61EE000

stack

page read and write

There are 262 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Details.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportDetails.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Details.exe