Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

nuCc19sDOl.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.725005035511834
Filename:	nuCc19sDOl.exe
Filesize:	625152
MD5:	01e059b3901bd579fb8ea4ebc34009f9
SHA1:	19b0a2db06db2afbef2b95221d2c11fe4107aa43
SHA256:	05e5cab97709be490b7216163e29d326f43d4f273bdfccf93a485212064b4aca
SHA512:	05883c1f726dfba182b7d9cfa290d77ba74d3ce2985a1718f16a22744edadab2e3afc1793c4a3f54368d5ef7cdacb9e1babd31f38d493fbbc01d853c9a2be3af
SSDEEP:	12288:4JP/raKAKMPNmB+owvLgT9DBGZLZ9i9OurXl5AFy7t9kHtFn7S9F+nI7WU15TOY1:4/AHPQB+hIBG1kOH6
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....(.f.................~..........^.... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Contains functionality to modify the execution of threads in other processes
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nuCc19sDOl.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nuCc19sDOl.exe.log
Category:	dropped
Dump:	nuCc19sDOl.exe.log.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\nuCc19sDOl.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.0050635535766075
Encrypted:	false
Ssdeep:	3:QHXMKa/xwwUy:Q3La/xwQ
Size:	42
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\d3d9.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\d3d9.dll
Category:	dropped
Dump:	d3d9.dll.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\nuCc19sDOl.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.079874930357952
Encrypted:	false
Ssdeep:	12288:ftPYiCgkpxunuWo1jrKrAahMAFfyUImDCjN:ftPYiCX0IjrKrAahzvImDC
Size:	474112
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log
Category:	dropped
Dump:	MSBuild.exe.log.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.33145931749415
Encrypted:	false
Ssdeep:	96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
Size:	3094
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\nuCc19sDOl.exe

"C:\Users\user\Desktop\nuCc19sDOl.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6652
Target ID:	0
Parent PID:	2580
Name:	nuCc19sDOl.exe
Path:	C:\Users\user\Desktop\nuCc19sDOl.exe
Commandline:	"C:\Users\user\Desktop\nuCc19sDOl.exe"
Size:	625152
MD5:	01E059B3901BD579FB8EA4EBC34009F9
Time:	06:11:56
Date:	27/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd70000
Modulesize:	647168
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6864
Target ID:	2
Parent PID:	6652
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	06:11:57
Date:	27/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x4e0000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6672
Target ID:	1
Parent PID:	6652
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	06:11:56
Date:	27/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/sct

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk

unknown

http://tempuri.org/Entity/Id14ResponseD

unknown

http://tempuri.org/Entity/Id23ResponseD

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

unknown

http://tempuri.org/Entity/Id12Response

unknown

http://tempuri.org/

unknown

http://tempuri.org/Entity/Id2Response

unknown

http://tempuri.org/Entity/Id15V

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1

unknown

http://tempuri.org/Entity/Id21Response

unknown

http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap

unknown

http://tempuri.org/Entity/Id9

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID

unknown

http://tempuri.org/Entity/Id8

unknown

http://tempuri.org/Entity/Id6ResponseD

unknown

http://tempuri.org/Entity/Id5

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare

unknown

http://tempuri.org/Entity/Id4

unknown

http://tempuri.org/Entity/Id7

unknown

http://tempuri.org/Entity/Id6

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret

unknown

http://tempuri.org/Entity/Id19Response

unknown

http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

http://tempuri.org/Entity/Id13ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/fault

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey

unknown

http://tempuri.org/Entity/Id15Response

unknown

http://tempuri.org/Entity/Id5ResponseD

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register

unknown

http://tempuri.org/Entity/Id6Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey

unknown

https://api.ip.sb/ip

unknown

http://schemas.xmlsoap.org/ws/2004/04/sc

unknown

http://tempuri.org/Entity/Id1ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel

unknown

http://tempuri.org/Entity/Id9Response

unknown

http://tempuri.org/Entity/Id20

unknown

http://tempuri.org/Entity/Id21

unknown

http://tempuri.org/Entity/Id22

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1

unknown

http://tempuri.org/Entity/Id23

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1

unknown

http://tempuri.org/Entity/Id24

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue

unknown

http://tempuri.org/Entity/Id24Response

unknown

http://tempuri.org/Entity/Id1Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey

unknown

http://tempuri.org/Entity/Id21ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust

unknown

http://tempuri.org/Entity/Id10

unknown

http://tempuri.org/Entity/Id11

unknown

http://tempuri.org/Entity/Id10ResponseD

unknown

http://tempuri.org/Entity/Id12

unknown

http://tempuri.org/Entity/Id16Response

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel

unknown

http://tempuri.org/Entity/Id13

unknown

http://tempuri.org/Entity/Id14

unknown

http://tempuri.org/Entity/Id15

unknown

http://tempuri.org/Entity/Id16

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce

unknown

http://tempuri.org/Entity/Id17

unknown

http://tempuri.org/Entity/Id18

unknown

http://tempuri.org/Entity/Id5Response

unknown

http://tempuri.org/Entity/Id19

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns

unknown

http://tempuri.org/Entity/Id15ResponseD

unknown

http://tempuri.org/Entity/Id10Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Renew

unknown

http://tempuri.org/Entity/Id11ResponseD

unknown

http://tempuri.org/Entity/Id8Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT

unknown

http://schemas.xmlsoap.org/ws/2006/02/addressingidentity

unknown

http://tempuri.org/Entity/Id17ResponseD

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://tempuri.org/Entity/Id8ResponseD

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

bg.microsoft.map.fastly.net

199.232.214.172

fp2e7a.wpc.phicdn.net

192.229.221.95

IPs

Domain

Country

Malicious

5.42.92.213

unknown

Russian Federation

Details

IP:	5.42.92.213
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	39493
ASN name:	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFiles0000

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFilesHash

Memdumps

Base Address

Regiontype

Protect

Malicious

402000

remote allocation

page execute and read and write

2884000

trusted library allocation

page read and write

6CF79000

unkown

page read and write

27F1000

trusted library allocation

page read and write

910000

heap

page read and write

68BF000

heap

page read and write

A80000

heap

page read and write

498B000

stack

page read and write

67A6000

trusted library allocation

page read and write

4B56000

trusted library allocation

page read and write

6030000

trusted library allocation

page read and write

47F8000

trusted library allocation

page read and write

4DB0000

heap

page read and write

12E7000

heap

page read and write

68B8000

heap

page read and write

B80000

heap

page read and write

4E75000

trusted library allocation

page read and write

534D000

heap

page read and write

52C0000

heap

page read and write

3271000

trusted library allocation

page read and write

67A0000

trusted library allocation

page read and write

4D90000

heap

page read and write

D20000

trusted library allocation

page read and write

1363000

heap

page read and write

D32000

trusted library allocation

page read and write

1707000

trusted library allocation

page execute and read and write

50C0000

trusted library allocation

page execute and read and write

6B0E000

stack

page read and write

266E000

stack

page read and write

6A28000

trusted library allocation

page read and write

602E000

stack

page read and write

16D4000

trusted library allocation

page read and write

2AF7000

trusted library allocation

page read and write

7180000

heap

page read and write

5070000

trusted library allocation

page read and write

125E000

stack

page read and write

2620000

heap

page execute and read and write

6B20000

trusted library allocation

page read and write

4D50000

trusted library allocation

page read and write

12C8000

heap

page read and write

6B50000

trusted library allocation

page read and write

AD9000

heap

page read and write

2A1F000

trusted library allocation

page read and write

2944000

trusted library allocation

page read and write

AA0000

heap

page read and write

7BD0000

trusted library section

page read and write

2947000

trusted library allocation

page read and write

6A10000

trusted library allocation

page read and write

A00000

heap

page read and write

16E0000

trusted library allocation

page read and write

9F5000

heap

page read and write

2A6D000

trusted library allocation

page read and write

67A3000

trusted library allocation

page read and write

5B1E000

stack

page read and write

37FF000

trusted library allocation

page read and write

3B8C000

trusted library allocation

page read and write

6033000

trusted library allocation

page read and write

7170000

trusted library allocation

page read and write

6A19000

trusted library allocation

page read and write

500E000

trusted library allocation

page read and write

435000

remote allocation

page execute and read and write

560E000

stack

page read and write

400000

remote allocation

page execute and read and write

5348000

heap

page read and write

444000

remote allocation

page execute and read and write

B9E000

heap

page read and write

294A000

trusted library allocation

page read and write

AC0000

heap

page read and write

4FBB000

trusted library allocation

page read and write

50A0000

trusted library allocation

page read and write

13D0000

heap

page read and write

6A50000

trusted library allocation

page read and write

ACB000

heap

page read and write

5170000

trusted library allocation

page execute and read and write

3811000

trusted library allocation

page read and write

1200000

heap

page read and write

5FCC000

stack

page read and write

4FF1000

trusted library allocation

page read and write

675D000

stack

page read and write

2992000

trusted library allocation

page read and write

7190000

heap

page read and write

4CD0000

trusted library allocation

page read and write

29A8000

trusted library allocation

page read and write

298E000

trusted library allocation

page read and write

6847000

heap

page read and write

546E000

stack

page read and write

6800000

heap

page read and write

4EB3000

heap

page read and write

D10000

trusted library allocation

page read and write

5ECE000

stack

page read and write

17C0000

heap

page read and write

17B0000

trusted library allocation

page execute and read and write

C9E000

stack

page read and write

6A15000

trusted library allocation

page read and write

5110000

trusted library allocation

page execute and read and write

5090000

trusted library allocation

page execute and read and write

2A6F000

trusted library allocation

page read and write

38C8000

trusted library allocation

page read and write

393F000

trusted library allocation

page read and write

6A2A000

trusted library allocation

page read and write

CDE000

stack

page read and write

4FDE000

trusted library allocation

page read and write

D26000

trusted library allocation

page execute and read and write

2B79000

trusted library allocation

page read and write

1393000

heap

page read and write

4D02000

trusted library allocation

page read and write

4CDB000

trusted library allocation

page read and write

4C68000

trusted library allocation

page read and write

38E6000

trusted library allocation

page read and write

5080000

heap

page execute and read and write

16C0000

trusted library allocation

page read and write

6804000

heap

page read and write

5E7C000

stack

page read and write

5302000

heap

page read and write

5D70000

trusted library allocation

page execute and read and write

4D30000

trusted library allocation

page read and write

537A000

heap

page read and write

2600000

trusted library allocation

page read and write

68CB000

heap

page read and write

4A75000

trusted library allocation

page read and write

5180000

heap

page execute and read and write

1210000

heap

page read and write

4D10000

trusted library allocation

page read and write

5130000

trusted library allocation

page read and write

D1D000

trusted library allocation

page execute and read and write

6BDE000

stack

page read and write

53A6000

heap

page read and write

D35000

trusted library allocation

page execute and read and write

6A2F000

trusted library allocation

page read and write

4B6A000

trusted library allocation

page read and write

7ACE000

stack

page read and write

4E78000

trusted library allocation

page read and write

15AF000

stack

page read and write

299C000

trusted library allocation

page read and write

390E000

trusted library allocation

page read and write

50B0000

trusted library allocation

page read and write

2B66000

trusted library allocation

page read and write

7290000

trusted library allocation

page read and write

4FD2000

trusted library allocation

page read and write

9F0000

heap

page read and write

29FC000

trusted library allocation

page read and write

5388000

heap

page read and write

4CF1000

trusted library allocation

page read and write

A7E000

stack

page read and write

17AD000

stack

page read and write

3241000

trusted library allocation

page read and write

6CF50000

unkown

page readonly

27B0000

trusted library allocation

page read and write

B87000

heap

page read and write

47F0000

trusted library allocation

page read and write

4FC1000

trusted library allocation

page read and write

4FEA000

trusted library allocation

page read and write

6B9E000

stack

page read and write

716E000

stack

page read and write

5160000

trusted library allocation

page read and write

6ACD000

stack

page read and write

17E0000

heap

page read and write

72DE000

stack

page read and write

6A12000

trusted library allocation

page read and write

4E7A000

trusted library allocation

page read and write

13D5000

heap

page read and write

5AA000

stack

page read and write

3250000

trusted library allocation

page read and write

6A44000

trusted library allocation

page read and write

B60000

heap

page read and write

4C8F000

trusted library allocation

page read and write

538F000

heap

page read and write

4DA0000

trusted library allocation

page read and write

176E000

stack

page read and write

688D000

heap

page read and write

D70000

unkown

page readonly

542E000

stack

page read and write

52B0000

heap

page read and write

6A00000

trusted library allocation

page execute and read and write

5083000

heap

page execute and read and write

397E000

trusted library allocation

page read and write

170B000

trusted library allocation

page execute and read and write

6CFBA000

unkown

page read and write

706B000

unkown

page read and write

5D5C000

stack

page read and write

5190000

trusted library allocation

page execute and read and write

27E0000

heap

page read and write

68A6000

heap

page read and write

D37000

trusted library allocation

page execute and read and write

CF0000

trusted library allocation

page read and write

E5E000

stack

page read and write

6825000

heap

page read and write

16D0000

trusted library allocation

page read and write

500B000

trusted library allocation

page read and write

5150000

trusted library allocation

page read and write

2983000

trusted library allocation

page read and write

824D000

stack

page read and write

E9C000

stack

page read and write

ABE0000

trusted library allocation

page read and write

D22000

trusted library allocation

page read and write

7010000

trusted library allocation

page execute and read and write

5FD0000

trusted library allocation

page read and write

5381000

heap

page read and write

4271000

trusted library allocation

page read and write

D5A000

heap

page read and write

27D0000

trusted library allocation

page read and write

4E90000

trusted library allocation

page read and write

6A55000

trusted library allocation

page read and write

4DA2000

trusted library allocation

page read and write

28C7000

trusted library allocation

page read and write

327C000

trusted library allocation

page read and write

3B91000

trusted library allocation

page read and write

5395000

heap

page read and write

5D1E000

stack

page read and write

12CE000

heap

page read and write

12C0000

heap

page read and write

D2A000

trusted library allocation

page execute and read and write

6835000

heap

page read and write

4FE1000

trusted library allocation

page read and write

430000

remote allocation

page execute and read and write

B64000

heap

page read and write

6B40000

trusted library allocation

page execute and read and write

6B30000

trusted library allocation

page execute and read and write

6878000

heap

page read and write

38C1000

trusted library allocation

page read and write

2956000

trusted library allocation

page read and write

1388000

heap

page read and write

12EC000

heap

page read and write

D0D000

trusted library allocation

page execute and read and write

16D3000

trusted library allocation

page execute and read and write

29BD000

trusted library allocation

page read and write

12B0000

heap

page read and write

5361000

heap

page read and write

FF290000

trusted library allocation

page execute and read and write

5304000

heap

page read and write

D50000

heap

page read and write

536D000

heap

page read and write

D72000

unkown

page readonly

B6E000

heap

page read and write

4E70000

trusted library allocation

page read and write

4EB0000

heap

page read and write

D5E000

heap

page read and write

16AE000

stack

page read and write

7000000

heap

page read and write

5140000

trusted library allocation

page execute and read and write

4D25000

trusted library allocation

page read and write

6FF0000

trusted library allocation

page read and write

6865000

heap

page read and write

6CFC5000

unkown

page readonly

5120000

trusted library allocation

page read and write

1384000

heap

page read and write

6CF72000

unkown

page readonly

6B10000

trusted library allocation

page read and write

6A40000

trusted library allocation

page read and write

323E000

stack

page read and write

6A35000

trusted library allocation

page read and write

D03000

trusted library allocation

page execute and read and write

7294000

trusted library allocation

page read and write

8F7000

stack

page read and write

5040000

trusted library allocation

page read and write

AEF0000

trusted library allocation

page execute and read and write

5010000

trusted library allocation

page read and write

2A67000

trusted library allocation

page read and write

3260000

heap

page execute and read and write

3A7E000

trusted library allocation

page read and write

4FC6000

trusted library allocation

page read and write

D00000

trusted library allocation

page read and write

2953000

trusted library allocation

page read and write

6A60000

trusted library allocation

page read and write

6F00000

heap

page read and write

D3B000

trusted library allocation

page execute and read and write

1301000

heap

page read and write

4E60000

trusted library allocation

page execute and read and write

71A6000

heap

page read and write

3090000

heap

page read and write

A30000

heap

page read and write

2610000

trusted library allocation

page execute and read and write

6EF0000

heap

page read and write

4D20000

trusted library allocation

page read and write

4CEE000

trusted library allocation

page read and write

308F000

stack

page read and write

29B6000

trusted library allocation

page read and write

55C0000

heap

page execute and read and write

6EEF000

stack

page read and write

880F000

stack

page read and write

27AC000

stack

page read and write

2994000

trusted library allocation

page read and write

2B5D000

trusted library allocation

page read and write

5030000

trusted library allocation

page read and write

4FB0000

trusted library allocation

page read and write

276E000

stack

page read and write

5338000

heap

page read and write

D30000

trusted library allocation

page read and write

6A3F000

trusted library allocation

page read and write

132B000

heap

page read and write

53EE000

stack

page read and write

5000000

trusted library allocation

page read and write

52CC000

heap

page read and write

129E000

stack

page read and write

38CD000

trusted library allocation

page read and write

3B7F000

trusted library allocation

page read and write

16E4000

trusted library allocation

page read and write

F9B000

stack

page read and write

1378000

heap

page read and write

6CF51000

unkown

page execute read

4CFD000

trusted library allocation

page read and write

6A3A000

trusted library allocation

page read and write

53AB000

heap

page read and write

5005000

trusted library allocation

page read and write

D04000

trusted library allocation

page read and write

38D4000

trusted library allocation

page read and write

5020000

trusted library allocation

page read and write

3278000

trusted library allocation

page read and write

682D000

heap

page read and write

37F1000

trusted library allocation

page read and write

D57000

heap

page read and write

7BCE000

stack

page read and write

4CD4000

trusted library allocation

page read and write

539C000

heap

page read and write

27C0000

trusted library allocation

page read and write

4CF6000

trusted library allocation

page read and write

570F000

stack

page read and write

2A77000

trusted library allocation

page read and write

834E000

stack

page read and write

6A52000

trusted library allocation

page read and write

535D000

heap

page read and write

AA8000

heap

page read and write

5C1E000

stack

page read and write

6EAE000

stack

page read and write

5351000

heap

page read and write

4EA0000

trusted library allocation

page read and write

There are 316 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
nuCc19sDOl.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportnuCc19sDOl.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
nuCc19sDOl.exe