Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

VBEhHxyHpJ.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.25000326436593
Filename:	VBEhHxyHpJ.exe
Filesize:	1367040
MD5:	f8296e0f8d3011b6655fe5baa9152b85
SHA1:	2be45b7523ce8acb97eda3822c63060f4849daec
SHA256:	48ef0b4fe2be5a3b34b2189b18e55e3da3c7b70a7d4dde814f7c4c8a5c314d20
SHA512:	e40e264292f95cdb5d21d2a0381408891c4b593aaf51c66bcf0f5211cd1e22abfc857b137ab94b081f662249e459507d0dee47ca82df583765ec851dc4ebf1d4
SSDEEP:	24576:uYHkJKcS6UH2qACNssMLuKCYUeM9eJr7TaQNf/Fduzy32:wZS12Ossveldy
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bd.................*...........H... ...`....@.. .......................@............`................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Encrypted powershell cmdline option found	HIPS / PFW / Operating System Protection Evasion	PowerShell Security Software Discovery
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Security Software Discovery
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Access Token Manipulation System Time Discovery Archive Collected Data
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Native API
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation Security Software Discovery
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Security Software Discovery
Yara signature match	System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Contains functionality to modify the execution of threads in other processes		Access Token Manipulation Security Software Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Public key (encryption) found	Cryptography	Account Discovery Security Software Discovery System Owner/User Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Access Token Manipulation
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary
Uses Microsoft Silverlight	System Summary	Access Token Manipulation

C:\ProgramData\remcos\logs.dat

data

dropped

Details

File:	C:\ProgramData\remcos\logs.dat
Category:	dropped
Dump:	logs.dat.6.dr
ID:	dr_5
Target ID:	6
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Type:	data
Entropy:	3.3934082720720298
Encrypted:	false
Ssdeep:	3:rhlKlVEl7x5JWRal2Jl+7R0DAlBG45klovDl6v:6lVM15YcIeeDAlOWAv
Size:	144
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VBEhHxyHpJ.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VBEhHxyHpJ.exe.log
Category:	dropped
Dump:	VBEhHxyHpJ.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\VBEhHxyHpJ.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.354626312265129
Encrypted:	false
Ssdeep:	48:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HOHKU57UjHKtHKMRr:Pq5qHwCYqh3oPtI6eqzxuqU57UjqtqMZ
Size:	1771
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Category:	dropped
Dump:	ModuleAnalysisCache.3.dr
ID:	dr_4
Target ID:	3
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	4.901113710259376
Encrypted:	false
Ssdeep:	96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
Size:	5829
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.3.dr
ID:	dr_1
Target ID:	3
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	1.1510207563435464
Encrypted:	false
Ssdeep:	3:Nlllul9kLZ:NllUG
Size:	64
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4kkhf3d3.2cw.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4kkhf3d3.2cw.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_4kkhf3d3.2cw.psm1.3.dr
ID:	dr_3
Target ID:	3
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iejrnzk4.p0x.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iejrnzk4.p0x.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_iejrnzk4.p0x.ps1.3.dr
ID:	dr_2
Target ID:	3
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\VBEhHxyHpJ.exe

"C:\Users\user\Desktop\VBEhHxyHpJ.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7564
Target ID:	0
Parent PID:	3504
Name:	VBEhHxyHpJ.exe
Path:	C:\Users\user\Desktop\VBEhHxyHpJ.exe
Commandline:	"C:\Users\user\Desktop\VBEhHxyHpJ.exe"
Size:	1367040
MD5:	F8296E0F8D3011B6655FE5BAA9152B85
Time:	09:41:03
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x640000
Modulesize:	1392640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Machine Learning detection for sample	AV Detection
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments	System Summary
Sigma detected: Suspicious Encoded PowerShell Command Line	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Execution of Powershell with Base64	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

Details

Is windows:	true
Is dropped:	false
PID:	7736
Target ID:	3
Parent PID:	7564
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Size:	433152
MD5:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Time:	09:41:04
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	446464
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Encoded PowerShell Command Line	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Execution of Powershell with Base64	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Details

Is windows:	true
Is dropped:	false
PID:	8180
Target ID:	6
Parent PID:	7564
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	09:41:25
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xab0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Remcos	Stealing of Sensitive Information
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7764
Target ID:	4
Parent PID:	7736
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	09:41:04
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff70f010000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

103.212.81.159

Details

Name:	103.212.81.159
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\VBEhHxyHpJ.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
IP address seen in connection with other malware	Networking
Connects to IPs without corresponding DNS lookups	Networking

http://geoplugin.net/json.gp

unknown

https://api.telegram.org/bot

unknown

http://geoplugin.net/json.gp/C

unknown

Details

Name:	http://geoplugin.net/json.gp/C
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\VBEhHxyHpJ.exe
Source:	VBEhHxyHpJ.exe, 00000000.00000002.1596002036.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, VBEhHxyHpJ.exe, 00000000.00000002.1595727475.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, VBEhHxyHpJ.exe, 00000000.00000002.1596002036.0000000003CFB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

103.212.81.159

unknown

Bangladesh

Details

IP:	103.212.81.159
TargetID:	6
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	Bangladesh
Countrycode:	BGD
ASN number:	133923
ASN name:	KANTIPUR-AS-APKantipurPublicationPvtLtdNP
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Rmc-RLNEHU

exepath

HKEY_CURRENT_USER\SOFTWARE\Rmc-RLNEHU

licence

HKEY_CURRENT_USER\SOFTWARE\Rmc-RLNEHU

time

Memdumps

Base Address

Regiontype

Protect

Malicious

3C19000

trusted library allocation

page read and write

2A31000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

F8A000

heap

page read and write

3CFB000

trusted library allocation

page read and write

2C9E000

stack

page read and write

4FD0000

trusted library allocation

page read and write

E8F000

heap

page read and write

642000

unkown

page readonly

10CE000

stack

page read and write

DDE000

heap

page read and write

F80000

heap

page read and write

E04000

heap

page read and write

DC0000

trusted library allocation

page read and write

2DDF000

stack

page read and write

D53000

trusted library allocation

page execute and read and write

D0E000

stack

page read and write

4F4E000

trusted library allocation

page read and write

DD8000

heap

page read and write

6F80000

heap

page read and write

C75000

heap

page read and write

4FA0000

heap

page read and write

4F80000

trusted library allocation

page read and write

DA2000

trusted library allocation

page read and write

2A0B000

stack

page read and write

2A20000

heap

page read and write

DAB000

trusted library allocation

page execute and read and write

DA5000

trusted library allocation

page execute and read and write

D54000

trusted library allocation

page read and write

7840000

trusted library allocation

page execute and read and write

4F34000

trusted library allocation

page read and write

2CDB000

stack

page read and write

6C6C000

heap

page read and write

5540000

trusted library allocation

page read and write

BD0000

heap

page read and write

D67000

heap

page read and write

472000

remote allocation

page execute and read and write

7DDE000

stack

page read and write

4FA3000

heap

page read and write

51F5000

heap

page read and write

1300000

heap

page read and write

A39000

stack

page read and write

4F95000

trusted library allocation

page read and write

5390000

heap

page read and write

5360000

heap

page read and write

829C000

stack

page read and write

FCE000

stack

page read and write

4F62000

trusted library allocation

page read and write

D50000

trusted library allocation

page read and write

6C84000

heap

page read and write

6F60000

trusted library allocation

page execute and read and write

BE0000

heap

page read and write

5500000

heap

page read and write

4F3E000

trusted library allocation

page read and write

4F30000

trusted library allocation

page read and write

E0F000

heap

page read and write

640000

unkown

page readonly

7830000

trusted library allocation

page execute and read and write

2F5E000

stack

page read and write

B90000

heap

page read and write

4F56000

trusted library allocation

page read and write

29C0000

heap

page execute and read and write

3070000

heap

page read and write

6F70000

trusted library allocation

page execute and read and write

305F000

stack

page read and write

54F0000

heap

page read and write

7AFE000

stack

page read and write

799E000

stack

page read and write

D70000

trusted library allocation

page read and write

4A38000

trusted library allocation

page read and write

7850000

trusted library allocation

page read and write

BC0000

heap

page read and write

5000000

heap

page read and write

D96000

trusted library allocation

page execute and read and write

4F8F000

trusted library allocation

page read and write

E7F000

heap

page read and write

7820000

trusted library allocation

page read and write

D40000

trusted library allocation

page read and write

4F51000

trusted library allocation

page read and write

2F1F000

stack

page read and write

D92000

trusted library allocation

page read and write

7212000

trusted library allocation

page read and write

2A10000

trusted library allocation

page read and write

D5D000

trusted library allocation

page execute and read and write

5020000

trusted library allocation

page read and write

EB5000

heap

page read and write

5370000

heap

page read and write

2E1C000

stack

page read and write

6C20000

heap

page read and write

D90000

trusted library allocation

page read and write

5030000

trusted library allocation

page execute and read and write

6E5E000

stack

page read and write

4F5D000

trusted library allocation

page read and write

5040000

trusted library allocation

page read and write

5510000

trusted library allocation

page execute and read and write

51F0000

heap

page read and write

3A31000

trusted library allocation

page read and write

EFC000

stack

page read and write

6C10000

heap

page read and write

775E000

stack

page read and write

535D000

stack

page read and write

801F000

stack

page read and write

4F3B000

trusted library allocation

page read and write

5530000

trusted library allocation

page read and write

79FE000

stack

page read and write

3060000

heap

page read and write

6F51000

trusted library allocation

page read and write

DF7000

heap

page read and write

D60000

heap

page read and write

295E000

stack

page read and write

5532000

trusted library allocation

page read and write

B5C000

stack

page read and write

70BE000

stack

page read and write

7D9E000

stack

page read and write

4BCC000

stack

page read and write

6B1E000

heap

page read and write

5010000

heap

page read and write

4F70000

trusted library allocation

page read and write

815E000

stack

page read and write

2A28000

heap

page read and write

BD5000

heap

page read and write

28AE000

stack

page read and write

7F1E000

stack

page read and write

C80000

heap

page read and write

2B9E000

stack

page read and write

F50000

heap

page read and write

B37000

stack

page read and write

D80000

heap

page read and write

819C000

stack

page read and write

4F90000

trusted library allocation

page read and write

3B5B000

trusted library allocation

page read and write

77F0000

trusted library allocation

page read and write

789E000

stack

page read and write

DD0000

heap

page read and write

DA7000

trusted library allocation

page execute and read and write

2A5F000

stack

page read and write

6D5E000

stack

page read and write

7800000

trusted library allocation

page read and write

7C9D000

stack

page read and write

C70000

heap

page read and write

5200000

heap

page execute and read and write

786000

unkown

page readonly

E63000

heap

page read and write

29B0000

trusted library allocation

page execute and read and write

3A39000

trusted library allocation

page read and write

7EDE000

stack

page read and write

4FB0000

trusted library allocation

page read and write

805E000

stack

page read and write

476000

remote allocation

page execute and read and write

D9A000

trusted library allocation

page execute and read and write

5460000

trusted library section

page readonly

4F10000

heap

page read and write

E11000

heap

page read and write

6B10000

heap

page read and write

29AE000

stack

page read and write

525B000

stack

page read and write

CCE000

stack

page read and write

D7D000

trusted library allocation

page execute and read and write

There are 148 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
VBEhHxyHpJ.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportVBEhHxyHpJ.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
VBEhHxyHpJ.exe