Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

R86BRY7DdC.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.5610483430148685
Filename:	R86BRY7DdC.exe
Filesize:	294400
MD5:	d747188c998cbd80a03250d578236e29
SHA1:	cb2aff28e4271a441d0e55dce58783fb224902ab
SHA256:	728aacf77f919b92f4bc04b4dec7898345dc57f0080fe09f16290ce424671767
SHA512:	569acb73c8d233d08bc5d803e19cecf9995850d85c46812a490c23360d376bf4bccc036310832b57e589bc286aa3226b035ec248ec76b35d2c10ed4074f4e205
SSDEEP:	3072:hOlcp8wD7b6DhT4PrzD8VHCydY+pkzDqVHzYdKwDdomYcQGqKfjlOj0EdZdzdAHX:ICpDGFT4QndzYdKwDdomXfjc0EH2
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p.f.................z..........^.... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection	Process Injection
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Enables debug privileges	Anti Debugging
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Process Injection Disable or Modify Tools Deobfuscate/Decode Files or Information
Contains functionality to download additional files from the internet	Networking	Process Injection Ingress Tool Transfer
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Process Injection Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Process Injection Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Injection Process Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\R86BRY7DdC.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\R86BRY7DdC.exe.log
Category:	dropped
Dump:	R86BRY7DdC.exe.log.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\R86BRY7DdC.exe
Type:	CSV text
Entropy:	5.357964438493834
Encrypted:	false
Ssdeep:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
Size:	425
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Victim_SID[1].bd

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Victim_SID[1].bd
Category:	dropped
Dump:	Victim_SID[1].bd.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\R86BRY7DdC.exe
Type:	data
Entropy:	7.3984749546983055
Encrypted:	false
Ssdeep:	768:bRinnuikZHazYr+sPVlc1/Sdi0bNxf6lj1rEpBdE4DYywm9Tpfb+pSuGmyZCQrUz:cnpkZHIcs1/rBLDmRBbCqZCQIsPS
Size:	47616
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Ebagelog[1].bd

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Ebagelog[1].bd
Category:	dropped
Dump:	Ebagelog[1].bd.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\R86BRY7DdC.exe
Type:	data
Entropy:	7.485818194995349
Encrypted:	false
Ssdeep:	6144:kezaT+J0CyGxSuWvmCOX0P/R5GqWtfIWcklvVvZjrJvuaG9ZlSvMhweOghtwL5mu:oayGxSz/RWfPptZjrcH9W1Map
Size:	400896
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\R86BRY7DdC.exe

"C:\Users\user\Desktop\R86BRY7DdC.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7148
Target ID:	0
Parent PID:	2580
Name:	R86BRY7DdC.exe
Path:	C:\Users\user\Desktop\R86BRY7DdC.exe
Commandline:	"C:\Users\user\Desktop\R86BRY7DdC.exe"
Size:	294400
MD5:	D747188C998CBD80A03250D578236E29
Time:	05:38:58
Date:	27/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x5d0000
Modulesize:	311296
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Generic Downloader	Networking
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6376
Target ID:	1
Parent PID:	7148
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	05:39:01
Date:	27/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xb0000
Modulesize:	262144
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6400
Target ID:	2
Parent PID:	7148
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	05:39:01
Date:	27/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xe20000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://checkip.dyndns.org/

193.122.6.168

https://investdirectinsurance.com/NO

unknown

https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bdU

unknown

https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bdN

unknown

https://reallyfreegeoip.org/xml/8.46.123.33$

unknown

https://investdirectinsurance.com/assuence/litesolidCha/Ebagelog.bd

172.67.189.102

http://checkip.dyndns.comh

unknown

http://checkip.dyndns.org/q

unknown

https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bdK

unknown

http://reallyfreegeoip.org

unknown

https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd-

unknown

https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bd

172.67.189.102

https://reallyfreegeoip.org

unknown

https://investdirectinsurance.com/zOO

unknown

http://checkip.dyndns.org

unknown

http://checkip.dyndns.com

unknown

https://investdirectinsurance.com/

unknown

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.96.3

https://investdirectinsurance.com/assuence/litesolidCha/Victim_SID.bdi/certs/Micr

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 11 hidden URLs, click here to show them.

Domains

Name

Malicious

reallyfreegeoip.org

188.114.96.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.96.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

193.122.6.168

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

investdirectinsurance.com

172.67.189.102

Details

Name:	investdirectinsurance.com
IP:	172.67.189.102
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

fp2e7a.wpc.phicdn.net

192.229.221.95

IPs

Domain

Country

Malicious

193.122.6.168

checkip.dyndns.com

United States

Details

IP:	193.122.6.168
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	United States
Countrycode:	USA
ASN number:	31898
ASN name:	ORACLE-BMC-31898US
Private:	false
Domain:	checkip.dyndns.com

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary

188.114.96.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.96.3
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

172.67.189.102

investdirectinsurance.com

United States

Details

IP:	172.67.189.102
TargetID:	0
Current Path:	C:\Users\user\Desktop\R86BRY7DdC.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	investdirectinsurance.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

128E9000

trusted library allocation

page read and write

356B000

trusted library allocation

page read and write

33B1000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

31CF000

stack

page read and write

1680000

heap

page read and write

3320000

trusted library allocation

page read and write

6F20000

trusted library allocation

page execute and read and write

14F4000

heap

page read and write

443E000

trusted library allocation

page read and write

A90000

heap

page read and write

3050000

trusted library allocation

page read and write

7A0000

heap

page read and write

6D7E000

stack

page read and write

6D3E000

stack

page read and write

ABF000

heap

page read and write

1478000

heap

page read and write

3034000

trusted library allocation

page read and write

4417000

trusted library allocation

page read and write

A5C000

heap

page read and write

CB0000

heap

page read and write

3033000

trusted library allocation

page execute and read and write

5BD0000

heap

page execute and read and write

4447000

trusted library allocation

page read and write

C60000

heap

page execute and read and write

6A3D000

heap

page read and write

7FFD9B75D000

trusted library allocation

page execute and read and write

7FFD9B77B000

trusted library allocation

page execute and read and write

3508000

trusted library allocation

page read and write

5BA0000

trusted library allocation

page execute and read and write

348F000

trusted library allocation

page read and write

1B38E000

stack

page read and write

7FFD9B752000

trusted library allocation

page read and write

1B28B000

stack

page read and write

1519000

heap

page read and write

3056000

trusted library allocation

page execute and read and write

3330000

trusted library allocation

page read and write

54AE000

stack

page read and write

3080000

trusted library allocation

page read and write

1B790000

heap

page read and write

3519000

trusted library allocation

page read and write

363D000

trusted library allocation

page read and write

32EB000

trusted library allocation

page read and write

34B6000

trusted library allocation

page read and write

7FFD9B750000

trusted library allocation

page read and write

5E8000

unkown

page readonly

6BBE000

stack

page read and write

3462000

trusted library allocation

page read and write

FE7000

stack

page read and write

1B48E000

stack

page read and write

790000

heap

page read and write

32C0000

trusted library allocation

page execute and read and write

5BB0000

trusted library allocation

page read and write

5F30000

trusted library allocation

page read and write

C80000

heap

page read and write

35EB000

trusted library allocation

page read and write

6A2E000

heap

page read and write

B24000

heap

page read and write

7FFD9B900000

trusted library allocation

page read and write

3067000

trusted library allocation

page execute and read and write

5F40000

trusted library allocation

page read and write

5986000

trusted library allocation

page read and write

B3F000

heap

page read and write

1355000

heap

page read and write

7FFD9B76D000

trusted library allocation

page execute and read and write

5990000

heap

page read and write

3350000

trusted library allocation

page read and write

350C000

trusted library allocation

page read and write

34AE000

trusted library allocation

page read and write

597E000

trusted library allocation

page read and write

5B9E000

stack

page read and write

7FFD9B770000

trusted library allocation

page read and write

306B000

trusted library allocation

page execute and read and write

1B78E000

stack

page read and write

32FE000

trusted library allocation

page read and write

1350000

heap

page read and write

DBE000

stack

page read and write

7FFD9B754000

trusted library allocation

page read and write

7C0000

heap

page read and write

6A00000

heap

page read and write

A7C000

heap

page read and write

14A8000

heap

page read and write

35F5000

trusted library allocation

page read and write

34FB000

trusted library allocation

page read and write

AF1000

heap

page read and write

6E7F000

stack

page read and write

2822000

trusted library allocation

page read and write

3562000

trusted library allocation

page read and write

12803000

trusted library allocation

page read and write

1B68E000

stack

page read and write

68FE000

stack

page read and write

139E000

stack

page read and write

3637000

trusted library allocation

page read and write

3306000

trusted library allocation

page read and write

752000

stack

page read and write

27FE000

stack

page read and write

304D000

trusted library allocation

page execute and read and write

32D0000

trusted library allocation

page read and write

4431000

trusted library allocation

page read and write

32E0000

trusted library allocation

page read and write

35FE000

trusted library allocation

page read and write

3062000

trusted library allocation

page read and write

A84000

heap

page read and write

1BA8E000

stack

page read and write

2801000

trusted library allocation

page read and write

5993000

heap

page read and write

A56000

heap

page read and write

330D000

trusted library allocation

page read and write

6E80000

trusted library allocation

page read and write

3030000

trusted library allocation

page read and write

59A0000

heap

page read and write

3526000

trusted library allocation

page read and write

34F3000

trusted library allocation

page read and write

346B000

trusted library allocation

page read and write

305A000

trusted library allocation

page execute and read and write

A92000

heap

page read and write

1B98F000

stack

page read and write

34F7000

trusted library allocation

page read and write

7FFD9B760000

trusted library allocation

page read and write

6CFE000

stack

page read and write

5988000

trusted library allocation

page read and write

5880000

trusted library allocation

page execute and read and write

3052000

trusted library allocation

page read and write

3210000

heap

page read and write

13DE000

stack

page read and write

32F2000

trusted library allocation

page read and write

1470000

heap

page read and write

7FFD9B8F7000

trusted library allocation

page read and write

1B7C6000

heap

page read and write

345A000

trusted library allocation

page read and write

3603000

trusted library allocation

page read and write

7FF4BF6D0000

trusted library allocation

page execute and read and write

5F5000

unkown

page readonly

1250000

heap

page read and write

6CBE000

stack

page read and write

69FF000

stack

page read and write

35E5000

trusted library allocation

page read and write

43B1000

trusted library allocation

page read and write

3065000

trusted library allocation

page execute and read and write

5F20000

trusted library allocation

page execute and read and write

1B0E0000

trusted library section

page read and write

1553000

heap

page read and write

30CE000

stack

page read and write

CB5000

heap

page read and write

6B7E000

stack

page read and write

1670000

trusted library allocation

page read and write

7FFD9B77D000

trusted library allocation

page execute and read and write

32FA000

trusted library allocation

page read and write

35E0000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

26F0000

heap

page read and write

C85000

heap

page read and write

443B000

trusted library allocation

page read and write

7FFD9B836000

trusted library allocation

page execute and read and write

EEA000

stack

page read and write

3301000

trusted library allocation

page read and write

12808000

trusted library allocation

page read and write

3632000

trusted library allocation

page read and write

5BB3000

trusted library allocation

page read and write

1410000

heap

page read and write

12801000

trusted library allocation

page read and write

3040000

trusted library allocation

page read and write

5BBF000

trusted library allocation

page read and write

5D0000

unkown

page readonly

12805000

trusted library allocation

page read and write

7FFD9B800000

trusted library allocation

page read and write

A30000

trusted library allocation

page read and write

13E0000

heap

page read and write

362B000

trusted library allocation

page read and write

7FFD9B810000

trusted library allocation

page execute and read and write

3607000

trusted library allocation

page read and write

178E000

stack

page read and write

320E000

stack

page read and write

AC5000

heap

page read and write

EBE000

stack

page read and write

34A5000

trusted library allocation

page read and write

34B2000

trusted library allocation

page read and write

33A0000

heap

page execute and read and write

7FFD9B7AC000

trusted library allocation

page execute and read and write

34BA000

trusted library allocation

page read and write

6EB0000

heap

page read and write

1AD8D000

stack

page read and write

1330000

heap

page read and write

7FFD9B870000

trusted library allocation

page execute and read and write

32EE000

trusted library allocation

page read and write

1B58E000

stack

page read and write

34FF000

trusted library allocation

page read and write

7FFD9B8F0000

trusted library allocation

page read and write

7E0000

heap

page read and write

6B3D000

stack

page read and write

B02000

heap

page read and write

7400000

heap

page read and write

43D9000

trusted library allocation

page read and write

355D000

trusted library allocation

page read and write

5D0000

unkown

page readonly

582D000

stack

page read and write

5D2000

unkown

page readonly

5970000

trusted library allocation

page read and write

166E000

stack

page read and write

3060000

trusted library allocation

page read and write

3477000

trusted library allocation

page read and write

5BC0000

trusted library allocation

page execute and read and write

3474000

trusted library allocation

page read and write

5BBA000

trusted library allocation

page read and write

598B000

trusted library allocation

page read and write

5980000

trusted library allocation

page read and write

A50000

heap

page read and write

5870000

trusted library allocation

page read and write

1B180000

heap

page read and write

303D000

trusted library allocation

page execute and read and write

3504000

trusted library allocation

page read and write

A7A000

heap

page read and write

C20000

trusted library allocation

page read and write

B45000

heap

page read and write

7FFD9B764000

trusted library allocation

page read and write

There are 205 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
R86BRY7DdC.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportR86BRY7DdC.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
R86BRY7DdC.exe