Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Xirnkxhvuzwepe.cmd

ISO-8859 text, with very long lines (984), with CRLF line terminators

initial sample

Details

Filetype:	ISO-8859 text, with very long lines (984), with CRLF line terminators
Entropy:	5.168549713905825
Filename:	Xirnkxhvuzwepe.cmd
Filesize:	3228698
MD5:	41152edeb64fe66b4bbd10372223d23a
SHA1:	bc226681860e303393e335ce81aecb6d13d13d5b
SHA256:	cec24e6d4ef5928960be72f7794ee5cbe7ab4df57bd080116434724dc2ff7ebc
SHA512:	35d1189762e90bc9e41796bae629c76338e19f7e35c6249bbba5da2a291cbb0d39570d477aba3aba4740cd79503399dfdde2150c3d944cf777140fba0d5fd1a4
SSDEEP:	24576:tQa2jlXsFQaZgwQoq6JuxJ1ZQyl2Gb9+rFcHiY02St0pTKhCC7zCD8PWBZwmnO0D:tQa2J8FQQgt60xaYD8f6/ash
Preview:	COMCOM..&@cls&@set "_..=pynZVg7@tkEwvS38eBNKG4PD bxT6cLX0zsOiCfmH2jF59uMaoAq1UJhlRYrdQIW"..%_..:~7,1%%.......%%_..:~34,1%%_..:~16,1%%_..:~8,1%%_..:~24,1%"_...=%_..:~20,1%%_..:~10,1%%_..:~19,1%%_..:~54,1%%_..:~61,1%%_..:~13,1%%_..:~12,1%%.......%%_..:~22,1

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sample is known by Antivirus	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\Public\CLEAN.GIF

ASCII text, with very long lines (65536), with no line terminators

dropped

Details

File:	C:\Users\Public\CLEAN.GIF
Category:	dropped
Dump:	CLEAN.GIF.7.dr
ID:	dr_6
Target ID:	7
Process:	C:\Users\Public\kn.exe
Type:	ASCII text, with very long lines (65536), with no line terminators
Entropy:	3.850601544644915
Encrypted:	false
Ssdeep:	24576:ytsZrhsYd5rWni2+0IOtg91Zq81Ma/PcVbXwITeWjI40FknOnNUk2dd9:Y
Size:	2120706
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Users\Public\alpha.exe

PE32+ executable (console) x86-64, for MS Windows

modified

Details

File:	C:\Users\Public\alpha.exe
Category:	modified
Dump:	alpha.exe.3.dr
ID:	dr_2
Target ID:	3
Process:	C:\Windows\System32\extrac32.exe
Type:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	6.135598950357573
Encrypted:	false
Ssdeep:	6144:k4WA1B9BxDfQWKORSqY4zOcmpdlc3gJdmtolSm:H1BhkWvSqY4zvmjOwJIT
Size:	289792
Whitelisted:	true
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files to the user root directory	Boot Survival	Masquerading
Drops or copies cmd.exe with a different name (likely to bypass HIPS)	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Sigma detected: Execution from Suspicious Folder	System Summary
Sigma detected: Parent in Public Folder Suspicious Process	System Summary
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Access Token Manipulation
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Contains functionality for error logging	System Summary
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Information Discovery System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection

C:\Users\Public\kn.exe

PE32+ executable (console) x86-64, for MS Windows

modified

Details

File:	C:\Users\Public\kn.exe
Category:	modified
Dump:	kn.exe.5.dr
ID:	dr_4
Target ID:	5
Process:	C:\Windows\System32\extrac32.exe
Type:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	6.144018815244304
Encrypted:	false
Ssdeep:	24576:MeiElH5YZ5cv6r3HiaZQ8p4XGwiJDgN7MaikGLIsWWi4pT/Y/7hsyDAP760MKR:Me3lZYUvmSu4XTckYD0sWWiwT/MhTzK
Size:	1651712
Whitelisted:	true
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files to the user root directory	Boot Survival	Masquerading
Drops or copies certutil.exe with a different name (likely to bypass HIPS)	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Registers a new ROOT certificate	E-Banking Fraud	Install Root Certificate
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts Access Token Manipulation
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Found large amount of non-executed APIs	Malware Analysis System Evasion
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to import cryptographic keys (often used in ransomware)	Spam, unwanted Advertisements and Ransom Demands	Archive Collected Data Data Encrypted for Impact
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking

\Device\Null

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\Null
Category:	dropped
Dump:	Null.11.dr
ID:	dr_9
Target ID:	11
Process:	C:\Users\Public\alpha.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.403504238247217
Encrypted:	false
Ssdeep:	3:HnRthLK5aTRECUAdROGCOwXWnjTRrGIAOFZRMQcv:HRoAREYTOGjHVF+
Size:	104
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "

C:\Windows\System32\extrac32.exe

C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Windows\System32\extrac32.exe

extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 10

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 10

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\CLEAN.GIF" / A / F / Q / S

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

There are 1 hidden processes, click here to show them.

URLs

Name

Malicious

https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP

unknown

Details

Name:	https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP
TargetID:	-1
From Memory:	true
Source:	kn.exe, 00000007.00000000.1998811698.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.2001223105.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.2005831412.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.2006855083.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc

unknown

https://login.microsoftonline.com/%s/oauth2/authorize

unknown

https://login.microsoftonline.com/%s/oauth2/token

unknown

https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah

unknown

Details

Name:	https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah
TargetID:	-1
From Memory:	true
Source:	kn.exe, 00000007.00000000.1998811698.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.2001223105.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.2005831412.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.2006855083.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://%ws/%ws_%ws_%ws/service.svc/%ws

unknown

https://enterpriseregistration.windows.net/EnrollmentServer/device/

unknown

https://enterpriseregistration.windows.net/EnrollmentServer/key/

unknown

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7

Name

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7

Name

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7

Name

Memdumps

Base Address

Regiontype

Protect

Malicious

7FF6EB171000

unkown

page execute read

196C05EB000

heap

page read and write

1F8EDBE000

stack

page read and write

196C05DA000

heap

page read and write

7FF6EB1BF000

unkown

page read and write

7FF6EB1C9000

unkown

page readonly

196C05D6000

heap

page read and write

1BC4D690000

heap

page read and write

2052A537000

heap

page read and write

7FF6EB170000

unkown

page readonly

AF6667C000

stack

page read and write

2334C1C0000

heap

page read and write

7FF7FD928000

unkown

page readonly

7FF6EB1A2000

unkown

page readonly

196C07C0000

heap

page read and write

7FF6EB1CC000

unkown

page write copy

68010FE000

stack

page read and write

6800DBC000

stack

page read and write

7FF6EB171000

unkown

page execute read

2334C1F4000

heap

page read and write

AF6677F000

stack

page read and write

7FF6EB1A2000

unkown

page readonly

196C05DA000

heap

page read and write

7FF7FD790000

unkown

page readonly

7FF6EB171000

unkown

page execute read

23D99AC0000

heap

page read and write

7FF6EB170000

unkown

page readonly

2334A420000

heap

page read and write

77EBB7E000

stack

page read and write

2334A340000

heap

page read and write

21836326000

heap

page read and write

26B7D920000

heap

page read and write

1BC4D4AB000

heap

page read and write

7FF6EB1A2000

unkown

page readonly

7FF6EB1CD000

unkown

page readonly

2052A537000

heap

page read and write

7FF6EB1A2000

unkown

page readonly

196C2610000

trusted library allocation

page read and write

26B7D8D0000

heap

page read and write

77EB7DB000

stack

page read and write

196C0624000

heap

page read and write

26B7F8D0000

heap

page read and write

2052A6B0000

heap

page read and write

22F59460000

heap

page read and write

7FF6EB1CD000

unkown

page readonly

22F59450000

heap

page read and write

2334A554000

heap

page read and write

218365A0000

heap

page read and write

7FF7FD91D000

unkown

page readonly

12CA63F0000

heap

page read and write

EEF1FF000

stack

page read and write

23D99AA0000

heap

page read and write

1F8ED3F000

stack

page read and write

196C05F4000

heap

page read and write

218362F3000

heap

page read and write

AE354FF000

stack

page read and write

546D7FF000

stack

page read and write

7FF6EB171000

unkown

page execute read

7FF6EB170000

unkown

page readonly

2052A537000

heap

page read and write

196C05D3000

heap

page read and write

7FF6EB1CD000

unkown

page readonly

1BC4D4C3000

heap

page read and write

218365A4000

heap

page read and write

7FF6EB1AD000

unkown

page write copy

196C05F4000

heap

page read and write

7FF7FD90A000

unkown

page write copy

7FF7FD8AE000

unkown

page readonly

26B7D910000

heap

page read and write

7FF6EB1C9000

unkown

page readonly

2052A51B000

heap

page read and write

2183633C000

heap

page read and write

2052A3A0000

heap

page read and write

2183635B000

heap

page read and write

2334A560000

heap

page read and write

7FF7FD8AE000

unkown

page readonly

7FF6EB171000

unkown

page execute read

2052A4A0000

heap

page read and write

196C0934000

heap

page read and write

22F596B0000

heap

page read and write

7FF6EB170000

unkown

page readonly

7FF7FD90A000

unkown

page write copy

21836358000

heap

page read and write

2183634E000

heap

page read and write

1BC4D480000

heap

page read and write

2052A6B5000

heap

page read and write

12CA63D0000

heap

page read and write

7FF6EB171000

unkown

page execute read

23D999C7000

heap

page read and write

12CA6415000

heap

page read and write

7FF7FD90A000

unkown

page write copy

7FF7FD90A000

unkown

page write copy

7FF6EB1CC000

unkown

page write copy

2334C6DF000

heap

page read and write

21836337000

heap

page read and write

7FF6EB1B1000

unkown

page read and write

2052A6C0000

heap

page read and write

21836326000

heap

page read and write

7FF7FD8AE000

unkown

page readonly

7FF6EB170000

unkown

page readonly

7FF6EB1C4000

unkown

page read and write

7FF6EB171000

unkown

page execute read

680117D000

stack

page read and write

43E20FC000

stack

page read and write

2334A550000

heap

page read and write

2052A534000

heap

page read and write

7FF6EB1AD000

unkown

page write copy

2334A427000

heap

page read and write

7FF6EB1A2000

unkown

page readonly

7FF6EB1B1000

unkown

page read and write

7FF6EB1B1000

unkown

page read and write

43E22FF000

stack

page read and write

12CA61E0000

heap

page read and write

2052A6B4000

heap

page read and write

196C093C000

heap

page read and write

196C05E6000

heap

page read and write

26B7D914000

heap

page read and write

7FF7FD914000

unkown

page write copy

7FF6EB1CD000

unkown

page readonly

23D999C2000

heap

page read and write

2334C625000

heap

page read and write

2052A537000

heap

page read and write

7FF6EB1AD000

unkown

page read and write

2334C20A000

heap

page read and write

196C060F000

heap

page read and write

21837FF0000

heap

page read and write

FE6359C000

stack

page read and write

196C05F4000

heap

page read and write

21836310000

heap

page read and write

196C07A0000

heap

page read and write

7FF7FD918000

unkown

page read and write

21838110000

trusted library allocation

page read and write

7FF6EB1BF000

unkown

page read and write

26B7D8A0000

heap

page read and write

7FF6EB1BF000

unkown

page read and write

196C060C000

heap

page read and write

12CA6410000

heap

page read and write

196C060C000

heap

page read and write

23D999A7000

heap

page read and write

7FF6EB171000

unkown

page execute read

2052A537000

heap

page read and write

7FF7FD928000

unkown

page readonly

43E21FF000

stack

page read and write

EEF0FE000

stack

page read and write

1BC4D460000

heap

page read and write

22F59506000

heap

page read and write

21836373000

heap

page read and write

7FF6EB1B9000

unkown

page read and write

2334C612000

heap

page read and write

196C0930000

heap

page read and write

7FF7FD790000

unkown

page readonly

21836319000

heap

page read and write

2183632A000

heap

page read and write

7FF6EB1A2000

unkown

page readonly

7FF7FD925000

unkown

page write copy

7FF6EB1BF000

unkown

page read and write

7FF6EB1AD000

unkown

page read and write

26B7D9A9000

heap

page read and write

7FF6EB1C4000

unkown

page read and write

21836323000

heap

page read and write

7FF6EB1AD000

unkown

page write copy

7FF6EB170000

unkown

page readonly

2183634E000

heap

page read and write

546D34B000

stack

page read and write

7FF6EB1C9000

unkown

page readonly

1BC4D485000

heap

page read and write

196C05DA000

heap

page read and write

7FF7FD91D000

unkown

page readonly

21836373000

heap

page read and write

2334A520000

heap

page read and write

2183632A000

heap

page read and write

7FF7FD925000

unkown

page write copy

7FF6EB1C9000

unkown

page readonly

7FF6EB1C9000

unkown

page readonly

2052A480000

heap

page read and write

1BC4D4A0000

heap

page read and write

7FF7FD918000

unkown

page read and write

26B7F704000

heap

page read and write

7FF6EB1C9000

unkown

page readonly

7FF6EB1A2000

unkown

page readonly

22F59506000

heap

page read and write

196C060C000

heap

page read and write

12CA61E7000

heap

page read and write

1F8ECBB000

stack

page read and write

196C06C0000

heap

page read and write

7FF6EB1AD000

unkown

page write copy

26B7F816000

heap

page read and write

7FF6EB1AD000

unkown

page read and write

1BC4D670000

heap

page read and write

22F59506000

heap

page read and write

7FF7FD790000

unkown

page readonly

23D99BF4000

heap

page read and write

7FF6EB1CC000

unkown

page write copy

2334C521000

heap

page read and write

196C05E7000

heap

page read and write

7FF6EB1B9000

unkown

page read and write

AE352FC000

stack

page read and write

77EBAFE000

stack

page read and write

2052A510000

heap

page read and write

7FF7FD928000

unkown

page readonly

546D6FF000

stack

page read and write

12CA61EE000

heap

page read and write

7FF6EB1C9000

unkown

page readonly

2183635B000

heap

page read and write

7FF7FD790000

unkown

page readonly

7FF6EB1A2000

unkown

page readonly

7FF6EB1C9000

unkown

page readonly

7FF7FD926000

unkown

page readonly

7FF6EB1A2000

unkown

page readonly

196C05EB000

heap

page read and write

196C0609000

heap

page read and write

23D999A0000

heap

page read and write

196C0880000

heap

page read and write

7FF7FD928000

unkown

page readonly

680107E000

stack

page read and write

7FF6EB1BF000

unkown

page read and write

22F594A0000

heap

page read and write

196C0840000

heap

page read and write

23D99BF5000

heap

page read and write

22F594E0000

heap

page read and write

1BC4D484000

heap

page read and write

7FF7FD914000

unkown

page write copy

7FF6EB171000

unkown

page execute read

2183634D000

heap

page read and write

22F59503000

heap

page read and write

7FF6EB1A2000

unkown

page readonly

7FF7FD791000

unkown

page execute read

7FF6EB1B5000

unkown

page read and write

7FF6EB1CC000

unkown

page write copy

7FF7FD913000

unkown

page read and write

2334C070000

heap

page read and write

AF666FD000

stack

page read and write

196C0883000

heap

page read and write

7FF6EB1B1000

unkown

page read and write

2183635B000

heap

page read and write

7FF6EB171000

unkown

page execute read

26B7D7C0000

heap

page read and write

7FF7FD913000

unkown

page read and write

23D998C0000

heap

page read and write

2052A537000

heap

page read and write

196C05D6000

heap

page read and write

218362F0000

heap

page read and write

EEEDEC000

stack

page read and write

21836270000

heap

page read and write

218365AC000

heap

page read and write

2183633D000

heap

page read and write

196C05C9000

heap

page read and write

7FF7FD91D000

unkown

page readonly

7FF6EB1C9000

unkown

page readonly

7FF7FD791000

unkown

page execute read

7FF6EB170000

unkown

page readonly

23D99AE0000

heap

page read and write

1BC4D450000

heap

page read and write

7FF7FD91D000

unkown

page readonly

7FF6EB170000

unkown

page readonly

21836250000

heap

page read and write

2183632A000

heap

page read and write

196C060C000

heap

page read and write

26B7F803000

heap

page read and write

FE639FF000

stack

page read and write

7FF7FD791000

unkown

page execute read

7FF7FD8AE000

unkown

page readonly

26B7F712000

heap

page read and write

FE638FF000

stack

page read and write

77EBA7E000

stack

page read and write

21838910000

heap

page read and write

22F59480000

heap

page read and write

12CA6207000

heap

page read and write

12CA6420000

heap

page read and write

21836338000

heap

page read and write

7FF6EB170000

unkown

page readonly

7FF6EB1AD000

unkown

page read and write

7FF6EB1CC000

unkown

page write copy

12CA6414000

heap

page read and write

21836170000

heap

page read and write

7FF6EB1AD000

unkown

page read and write

AE353FE000

stack

page read and write

196C2E10000

heap

page read and write

7FF6EB1CD000

unkown

page readonly

196C05C0000

heap

page read and write

22F594EB000

heap

page read and write

7FF6EB1AD000

unkown

page write copy

2334C1F0000

heap

page read and write

7FF6EB1C9000

unkown

page readonly

26B7D9A0000

heap

page read and write

26B7F600000

heap

page read and write

1F8F07E000

stack

page read and write

7FF7FD926000

unkown

page readonly

7FF6EB1B1000

unkown

page read and write

26B7F700000

heap

page read and write

12CA62F0000

heap

page read and write

22F594A4000

heap

page read and write

7FF6EB170000

unkown

page readonly

22F594A5000

heap

page read and write

12CA6203000

heap

page read and write

7FF7FD791000

unkown

page execute read

23D99BF0000

heap

page read and write

2052A537000

heap

page read and write

There are 288 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Xirnkxhvuzwepe.cmd

Files

Processes

URLs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportXirnkxhvuzwepe.cmd

Files

Processes

URLs

Registry

Memdumps

IOC Report
Xirnkxhvuzwepe.cmd