Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

systemms.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.0967781653239665
Filename:	systemms.exe
Filesize:	3333120
MD5:	b9a90c673713f61195b6e695d5f57ba4
SHA1:	17831341f6b113bb3da1ffe536c1861c96839180
SHA256:	1b55754dc53235978759ae3474e144a3e3ebd0b43d5cd1a722372408bf982b51
SHA512:	9a4a6eea5604f08b71367ebfb59ceb05cc518d545f869360082817de9b86625975e81751a25adba2e4b7faf2da95d0f98bc79e95180060a66e9677257c3ca78c
SSDEEP:	49152:0vht62XlaSFNWPjljiFa2RoUYIZKt86oGdSTHHB72eh2NT:0vL62XlaSFNWPjljiFXRoUYIZKtJ
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@3...........@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Antivirus detection for dropped file	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for dropped file	AV Detection	Masquerading Security Software Discovery
Multi AV Scanner detection for submitted file	AV Detection
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for dropped file	AV Detection
Machine Learning detection for sample	AV Detection
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\systemms.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\systemms.exe.log
Category:	dropped
Dump:	systemms.exe.log.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\systemms.exe
Type:	CSV text
Entropy:	5.370111951859942
Encrypted:	false
Ssdeep:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
Size:	1281
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Roaming\Systemms\systemms.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\Systemms\systemms.exe
Category:	dropped
Dump:	systemms.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\systemms.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.0967781653239665
Encrypted:	false
Ssdeep:	49152:0vht62XlaSFNWPjljiFa2RoUYIZKt86oGdSTHHB72eh2NT:0vL62XlaSFNWPjljiFXRoUYIZKtJ
Size:	3333120
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Antivirus detection for dropped file	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Quasar RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for dropped file	AV Detection
Machine Learning detection for sample	AV Detection
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Yara detected Generic Downloader	Networking
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Add Scheduled Task Parent	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\systemms.exe

"C:\Users\user\Desktop\systemms.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6180
Target ID:	0
Parent PID:	2580
Name:	systemms.exe
Path:	C:\Users\user\Desktop\systemms.exe
Commandline:	"C:\Users\user\Desktop\systemms.exe"
Size:	3333120
MD5:	B9A90C673713F61195B6E695D5F57BA4
Time:	08:02:57
Date:	26/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xee0000
Modulesize:	3358720
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Quasar RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Add Scheduled Task Parent	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\schtasks.exe

"schtasks" /create /tn "Systemmso" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Systemms\systemms.exe" /rl HIGHEST /f

Details

Is windows:	true
Is dropped:	false
PID:	6548
Target ID:	1
Parent PID:	6180
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\System32\schtasks.exe
Commandline:	"schtasks" /create /tn "Systemmso" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Systemms\systemms.exe" /rl HIGHEST /f
Size:	235008
MD5:	76CD6626DD8834BD4A42E6A565104DC2
Time:	08:02:59
Date:	26/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76f990000
Modulesize:	253952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Add Scheduled Task Parent	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\Systemms\systemms.exe

"C:\Users\user\AppData\Roaming\Systemms\systemms.exe"

Details

Is windows:	false
Is dropped:	true
PID:	3612
Target ID:	3
Parent PID:	6180
Name:	systemms.exe
Path:	C:\Users\user\AppData\Roaming\Systemms\systemms.exe
Commandline:	"C:\Users\user\AppData\Roaming\Systemms\systemms.exe"
Size:	3333120
MD5:	B9A90C673713F61195B6E695D5F57BA4
Time:	08:02:59
Date:	26/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x440000
Modulesize:	3358720
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Quasar RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Add Scheduled Task Parent	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\schtasks.exe

"schtasks" /create /tn "Systemmso" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Systemms\systemms.exe" /rl HIGHEST /f

Details

Is windows:	true
Is dropped:	false
PID:	3668
Target ID:	4
Parent PID:	3612
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\System32\schtasks.exe
Commandline:	"schtasks" /create /tn "Systemmso" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Systemms\systemms.exe" /rl HIGHEST /f
Size:	235008
MD5:	76CD6626DD8834BD4A42E6A565104DC2
Time:	08:03:00
Date:	26/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76f990000
Modulesize:	253952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Add Scheduled Task Parent	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\Systemms\systemms.exe

Details

Is windows:	false
Is dropped:	true
PID:	6160
Target ID:	6
Parent PID:	1044
Name:	systemms.exe
Path:	C:\Users\user\AppData\Roaming\Systemms\systemms.exe
Commandline:	C:\Users\user\AppData\Roaming\Systemms\systemms.exe
Size:	3333120
MD5:	B9A90C673713F61195B6E695D5F57BA4
Time:	08:03:00
Date:	26/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x750000
Modulesize:	3358720
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Quasar RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Add Scheduled Task Parent	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5480
Target ID:	2
Parent PID:	6548
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	08:02:59
Date:	26/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	980
Target ID:	5
Parent PID:	3668
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	08:03:00
Date:	26/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

192.168.18.54

Details

Name:	192.168.18.54
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\systemms.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

https://api.ipify.org/

unknown

https://stackoverflow.com/q/14436606/23354

unknown

https://stackoverflow.com/q/2152978/23354sCannot

unknown

https://ipwho.is/

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://stackoverflow.com/q/11564914/23354;

unknown

IPs

Domain

Country

Malicious

192.168.18.54

unknown

Details

IP:	192.168.18.54
TargetID:	3
Current Path:	C:\Users\user\AppData\Roaming\Systemms\systemms.exe
Private:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

Memdumps

Base Address

Regiontype

Protect

Malicious

2929000

trusted library allocation

page read and write

EE2000

unkown

page readonly

7FFD9B79D000

trusted library allocation

page execute and read and write

C00000

heap

page read and write

3490000

heap

page read and write

1BE5000

heap

page read and write

7FFD9B970000

trusted library allocation

page read and write

7FFD9B9B0000

trusted library allocation

page read and write

C20000

heap

page read and write

EFC000

heap

page read and write

12D25000

trusted library allocation

page read and write

7FFD9BA10000

trusted library allocation

page read and write

7FFD9B880000

trusted library allocation

page execute and read and write

1C31F000

heap

page read and write

27AE000

stack

page read and write

1600000

heap

page read and write

7FFD9B951000

trusted library allocation

page read and write

A4A293E000

unkown

page read and write

7FFD9B77D000

trusted library allocation

page execute and read and write

7FFD9BBD5000

trusted library allocation

page read and write

7FFD9BBB2000

trusted library allocation

page read and write

1865000

heap

page read and write

7FFD9B7BC000

trusted library allocation

page execute and read and write

7FFD9B866000

trusted library allocation

page execute and read and write

F7F000

heap

page read and write

16B8000

heap

page read and write

7FFD9B925000

trusted library allocation

page read and write

F28000

heap

page read and write

13585000

trusted library allocation

page read and write

2A50000

heap

page read and write

1B299000

stack

page read and write

1B26C000

heap

page read and write

27B1CFA5000

heap

page read and write

7FFD9B763000

trusted library allocation

page execute and read and write

1B347000

heap

page read and write

7FFD9B96B000

trusted library allocation

page read and write

EE7000

heap

page read and write

1C5DE000

stack

page read and write

7FFD9B7DC000

trusted library allocation

page execute and read and write

BE0000

heap

page read and write

7FFD9B83C000

trusted library allocation

page execute and read and write

1C30C000

heap

page read and write

1B260000

heap

page read and write

2900000

trusted library allocation

page read and write

7FFD9BB92000

trusted library allocation

page read and write

7FFD9B783000

trusted library allocation

page execute and read and write

7FFD9B948000

trusted library allocation

page read and write

7FFD9B9B4000

trusted library allocation

page read and write

1B250000

heap

page read and write

253542C0000

heap

page read and write

1B800000

heap

page read and write

EEF000

heap

page read and write

1B5E0000

heap

page read and write

1BE82000

heap

page read and write

7FFD9B866000

trusted library allocation

page execute and read and write

389A000

trusted library allocation

page read and write

7FFD9B780000

trusted library allocation

page read and write

7FFD9B78D000

trusted library allocation

page execute and read and write

128FE000

trusted library allocation

page read and write

27B1CBB0000

heap

page read and write

3560000

heap

page read and write

7FFD9B955000

trusted library allocation

page read and write

7FFD9B9A0000

trusted library allocation

page execute and read and write

169E000

heap

page read and write

7FFD9B968000

trusted library allocation

page read and write

7FFD9B79D000

trusted library allocation

page execute and read and write

1C4DE000

stack

page read and write

3898000

trusted library allocation

page read and write

28EE000

stack

page read and write

7FFD9BB90000

trusted library allocation

page read and write

C70000

trusted library allocation

page read and write

7FFD9B76D000

trusted library allocation

page execute and read and write

2B5F000

stack

page read and write

7FFD9B8A0000

trusted library allocation

page execute and read and write

7FFD9B784000

trusted library allocation

page read and write

13C0000

heap

page read and write

12D19000

trusted library allocation

page read and write

7FFD9B782000

trusted library allocation

page read and write

2926000

trusted library allocation

page read and write

1200000

unkown

page readonly

1C1D0000

heap

page execute and read and write

1C6DF000

stack

page read and write

1AE7D000

stack

page read and write

25354320000

heap

page read and write

7FFD9B840000

trusted library allocation

page execute and read and write

1B8A3000

heap

page read and write

7FFD9BAD0000

trusted library allocation

page read and write

7FFD9B980000

trusted library allocation

page read and write

7FFD9BA60000

trusted library allocation

page read and write

7FFD9B99F000

trusted library allocation

page read and write

A708B3F000

unkown

page read and write

7FFD9BB00000

trusted library allocation

page read and write

EB0000

trusted library allocation

page read and write

3034000

trusted library allocation

page read and write

7FFD9B81C000

trusted library allocation

page execute and read and write

7FFD9B990000

trusted library allocation

page read and write

7FFD9B900000

trusted library allocation

page read and write

7FFD9B9A0000

trusted library allocation

page read and write

164B000

heap

page read and write

7FFD9BA80000

trusted library allocation

page read and write

1357E000

trusted library allocation

page read and write

27B1CC00000

heap

page read and write

7FFD9BAA0000

trusted library allocation

page read and write

EB0000

heap

page read and write

27B1CFA0000

heap

page read and write

7FFD9B9F0000

trusted library allocation

page read and write

1BF6A000

stack

page read and write

1B5A0000

trusted library allocation

page read and write

1B8F4000

heap

page read and write

1B1E0000

heap

page read and write

1BAFE000

stack

page read and write

25354328000

heap

page read and write

29F0000

heap

page read and write

27E0000

heap

page execute and read and write

F26000

heap

page read and write

7FFD9B773000

trusted library allocation

page read and write

3036000

trusted library allocation

page read and write

1B6E000

stack

page read and write

7FFD9BAC0000

trusted library allocation

page read and write

1C1E1000

heap

page read and write

A4A28B9000

stack

page read and write

27B1CBA0000

heap

page read and write

7FFD9B782000

trusted library allocation

page read and write

2CA8000

trusted library allocation

page read and write

2932000

trusted library allocation

page read and write

7FFD9BA90000

trusted library allocation

page read and write

EC0000

heap

page read and write

7FFD9B920000

trusted library allocation

page read and write

7FFD9B816000

trusted library allocation

page read and write

7FFD9B994000

trusted library allocation

page read and write

7FFD9BB10000

trusted library allocation

page execute and read and write

1AC71000

heap

page read and write

BC4000

stack

page read and write

166D000

heap

page read and write

13B0000

heap

page read and write

7FF4AB620000

trusted library allocation

page execute and read and write

7FFD9B960000

trusted library allocation

page read and write

7FFD9B830000

trusted library allocation

page read and write

1BE50000

heap

page read and write

AF1000

stack

page read and write

7FFD9B784000

trusted library allocation

page read and write

3571000

trusted library allocation

page read and write

7FFD9B810000

trusted library allocation

page read and write

7FFD9B762000

trusted library allocation

page read and write

1B700000

heap

page execute and read and write

1C268000

heap

page read and write

CA6000

heap

page read and write

13579000

trusted library allocation

page read and write

1210000

unkown

page readonly

2D11000

trusted library allocation

page read and write

7FFD9B820000

trusted library allocation

page execute and read and write

7FFD9B764000

trusted library allocation

page read and write

CBC000

heap

page read and write

7FFD9B836000

trusted library allocation

page read and write

E40000

heap

page read and write

7FFD9B94B000

trusted library allocation

page read and write

7FFD9B9D0000

trusted library allocation

page read and write

13573000

trusted library allocation

page read and write

1A920000

trusted library allocation

page read and write

11A0000

trusted library allocation

page read and write

7FFD9B846000

trusted library allocation

page execute and read and write

E90000

trusted library allocation

page read and write

C88000

heap

page read and write

7FFD9B7A4000

trusted library allocation

page read and write

1095000

heap

page read and write

1BE0000

heap

page read and write

7FFD9B7AD000

trusted library allocation

page execute and read and write

7FFD9B9B4000

trusted library allocation

page read and write

7FFD9B786000

trusted library allocation

page read and write

7FFD9BBA0000

trusted library allocation

page read and write

1B450000

heap

page read and write

1C003000

heap

page read and write

EE0000

unkown

page readonly

7FFD9B78D000

trusted library allocation

page execute and read and write

7FFD9BBF0000

trusted library allocation

page read and write

7FFD9B990000

trusted library allocation

page read and write

7FFD9B90C000

trusted library allocation

page read and write

EA0000

trusted library allocation

page read and write

CAB000

heap

page read and write

7FFD9B7DC000

trusted library allocation

page execute and read and write

7FFD9B7A0000

trusted library allocation

page read and write

1C000000

heap

page read and write

7FFD9BC10000

trusted library allocation

page execute and read and write

27B1CC08000

heap

page read and write

1291D000

trusted library allocation

page read and write

7FFD9B9B0000

trusted library allocation

page read and write

13A0000

heap

page read and write

1BA8E000

stack

page read and write

7FFD9BAF0000

trusted library allocation

page read and write

7FFD9B836000

trusted library allocation

page read and write

7FFD9B980000

trusted library allocation

page read and write

7FFD9BA30000

trusted library allocation

page read and write

7FFD9B8A0000

trusted library allocation

page execute and read and write

28F1000

trusted library allocation

page read and write

13571000

trusted library allocation

page read and write

1810000

trusted library allocation

page read and write

7FFD9B840000

trusted library allocation

page execute and read and write

7FFD9BAE0000

trusted library allocation

page read and write

2BE0000

heap

page read and write

7FFD9B9A0000

trusted library allocation

page read and write

12D11000

trusted library allocation

page read and write

7FFD9B7AD000

trusted library allocation

page execute and read and write

1B5FC000

heap

page read and write

253542B0000

heap

page read and write

1630000

heap

page read and write

1639000

heap

page read and write

7FFD9B9C0000

trusted library allocation

page execute and read and write

7FFD9BAB0000

trusted library allocation

page read and write

EF9000

heap

page read and write

118F000

stack

page read and write

7FFD9B9BB000

trusted library allocation

page read and write

7FFD9B78D000

trusted library allocation

page execute and read and write

1BE64000

stack

page read and write

1BE40000

heap

page read and write

CBF000

heap

page read and write

1BD6E000

stack

page read and write

E60000

heap

page read and write

DBE000

stack

page read and write

2D0F000

stack

page read and write

7FFD9BA70000

trusted library allocation

page read and write

12909000

trusted library allocation

page read and write

1060000

heap

page read and write

7FFD9BA50000

trusted library allocation

page read and write

7FFD9BBB7000

trusted library allocation

page read and write

128F1000

trusted library allocation

page read and write

1090000

heap

page read and write

7FFD9BBDC000

trusted library allocation

page read and write

253542F5000

heap

page read and write

7FFD9BA20000

trusted library allocation

page read and write

A708AB9000

stack

page read and write

7FFD9B9C0000

trusted library allocation

page execute and read and write

12D13000

trusted library allocation

page read and write

1B622000

heap

page read and write

1840000

heap

page execute and read and write

1BDFE000

stack

page read and write

7FFD9B968000

trusted library allocation

page read and write

13C5000

heap

page read and write

7FFD9B920000

trusted library allocation

page read and write

7FFD9B9E0000

trusted library allocation

page read and write

7FFD9B905000

trusted library allocation

page read and write

1830000

trusted library allocation

page read and write

11D0000

heap

page read and write

7FFD9B7A0000

trusted library allocation

page read and write

E10000

heap

page read and write

13D0000

heap

page read and write

1BBFF000

stack

page read and write

EE0000

unkown

page readonly

1C7DE000

stack

page read and write

CB3000

heap

page read and write

1B091000

heap

page read and write

7FFD9B950000

trusted library allocation

page read and write

7FFD9BC00000

trusted library allocation

page read and write

7FFD9B7A4000

trusted library allocation

page read and write

7FFD9B783000

trusted library allocation

page execute and read and write

7FFD9B975000

trusted library allocation

page read and write

11D5000

heap

page read and write

A4A29BE000

stack

page read and write

1A6F000

stack

page read and write

7FFD9B97A000

trusted library allocation

page read and write

EC8000

heap

page read and write

EE5000

heap

page read and write

A708BBF000

stack

page read and write

7FFD9B7AB000

trusted library allocation

page execute and read and write

1080000

heap

page execute and read and write

B00000

heap

page read and write

27B1CBD0000

heap

page read and write

1B2A2000

heap

page read and write

7FFD9B931000

trusted library allocation

page read and write

1B253000

heap

page read and write

25354300000

heap

page read and write

1BAF9000

stack

page read and write

7FFD9BBE0000

trusted library allocation

page execute and read and write

7FFD9B780000

trusted library allocation

page read and write

12D1E000

trusted library allocation

page read and write

1BA47000

stack

page read and write

166F000

heap

page read and write

E20000

heap

page read and write

2C00000

heap

page execute and read and write

7FFD9B793000

trusted library allocation

page read and write

EB5000

heap

page read and write

7FFD9B784000

trusted library allocation

page read and write

2BE3000

heap

page read and write

7FFD9B970000

trusted library allocation

page read and write

166A000

heap

page read and write

7FFD9B830000

trusted library allocation

page read and write

196E000

stack

page read and write

1BCFF000

stack

page read and write

1354000

stack

page read and write

7FFD9B975000

trusted library allocation

page read and write

7FFD9BBD0000

trusted library allocation

page read and write

1860000

heap

page read and write

7FFD9B83C000

trusted library allocation

page execute and read and write

EA3000

trusted library allocation

page read and write

7FFD9BA00000

trusted library allocation

page read and write

1658000

heap

page read and write

2CB0000

trusted library allocation

page read and write

1B74F000

stack

page read and write

7FFD9B793000

trusted library allocation

page read and write

FAC000

heap

page read and write

1AD40000

trusted library allocation

page read and write

CE9000

heap

page read and write

253542F0000

heap

page read and write

348E000

stack

page read and write

7FFD9BA40000

trusted library allocation

page read and write

1C324000

heap

page read and write

C80000

heap

page read and write

There are 296 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
systemms.exe

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportsystemms.exe

Files

Processes

URLs

IPs

Memdumps

IOC Report
systemms.exe