Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.938345895501036
Filename:	MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Filesize:	668672
MD5:	296a91d852273bd8f8ea784f814e8e54
SHA1:	47a5391f798e645c075a074a7cddfab468e449d5
SHA256:	bdf6c1caee139afdf9122554e47a2b1f56dd5598447dced5cf81cafac1dfb7a0
SHA512:	0b801c4a4abdff47d84138600eb9db78d68591a12332e2abf00fe0da3b53e51c415a157aae9934bce63ff6ad1c6e7bb8adebcb1bfa12b91f40ec374ce53bd1a6
SSDEEP:	12288:W1Bo7KvAGZ2/IwuiwQ6CTCPuNCgHt1WH/ctA9upSNtira7Xs:W/o703ZQ5pGPuMgCH/9upTrag
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3<g..............0..(...........G... ...`....@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates processes with suspicious names	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary	System Information Discovery
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe.log
Category:	dropped
Dump:	MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe

"C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7360
Target ID:	0
Parent PID:	1028
Name:	MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Path:	C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Commandline:	"C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe"
Size:	668672
MD5:	296A91D852273BD8F8EA784F814E8E54
Time:	23:34:20
Date:	19/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xa80000
Modulesize:	696320
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe

"C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7540
Target ID:	3
Parent PID:	7360
Name:	MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Path:	C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Commandline:	"C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe"
Size:	668672
MD5:	296A91D852273BD8F8EA784F814E8E54
Time:	23:34:22
Date:	19/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xaa0000
Modulesize:	696320
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://api.ipify.org/

104.26.13.205

Details

Name:	https://api.ipify.org/
IP:	104.26.13.205
TargetID:	3
From Memory:	false
Current Path:	C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://api.ipify.org

unknown

Details

Name:	https://api.ipify.org
TargetID:	-1
From Memory:	true
Source:	MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000000.00000002.2159660073.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000003.00000002.3390398449.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000003.00000002.3388849290.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	-1
From Memory:	true
Source:	MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000000.00000002.2159660073.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe, 00000003.00000002.3388849290.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.ipify.org/t

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://tempuri.org/project_mgtDataSet.xsdOproject_mgt_system.Properties.Resources

unknown

Details

Name:	http://tempuri.org/project_mgtDataSet.xsdOproject_mgt_system.Properties.Resources
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Source:	MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

api.ipify.org

104.26.13.205

Details

Name:	api.ipify.org
IP:	104.26.13.205
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

104.26.13.205

api.ipify.org

United States

Details

IP:	104.26.13.205
TargetID:	3
Current Path:	C:\Users\user\Desktop\MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

3EA9000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

12CE000

stack

page read and write

2BFB000

trusted library allocation

page execute and read and write

118E000

stack

page read and write

143A000

trusted library allocation

page execute and read and write

6B30000

trusted library allocation

page execute and read and write

1430000

trusted library allocation

page read and write

5312000

trusted library allocation

page read and write

58EE000

stack

page read and write

611E000

stack

page read and write

52EB000

trusted library allocation

page read and write

5453000

heap

page read and write

5311000

trusted library allocation

page read and write

1092000

heap

page read and write

748E000

stack

page read and write

3EB9000

trusted library allocation

page read and write

8FFF000

stack

page read and write

105E000

heap

page read and write

1510000

trusted library allocation

page read and write

A80000

unkown

page readonly

5316000

trusted library allocation

page read and write

2BE6000

trusted library allocation

page execute and read and write

6ABC000

trusted library allocation

page read and write

5340000

trusted library allocation

page read and write

1440000

trusted library allocation

page read and write

2BD0000

trusted library allocation

page read and write

52FB000

trusted library allocation

page read and write

2BE0000

trusted library allocation

page read and write

7490000

trusted library allocation

page execute and read and write

1420000

trusted library allocation

page read and write

3F1D000

trusted library allocation

page read and write

8E80000

trusted library section

page read and write

73FE000

stack

page read and write

53A0000

trusted library allocation

page read and write

5FC0000

heap

page read and write

6A9E000

stack

page read and write

5306000

trusted library allocation

page read and write

F60000

heap

page read and write

1077000

heap

page read and write

B26000

unkown

page readonly

2E3E000

stack

page read and write

14EC000

stack

page read and write

72FE000

stack

page read and write

EF8000

stack

page read and write

2F15000

trusted library allocation

page read and write

B6FE000

stack

page read and write

1423000

trusted library allocation

page read and write

2F01000

trusted library allocation

page read and write

2D90000

heap

page execute and read and write

601F000

stack

page read and write

1165000

heap

page read and write

6885000

heap

page read and write

1124000

trusted library allocation

page read and write

5301000

trusted library allocation

page read and write

52FE000

trusted library allocation

page read and write

1527000

heap

page read and write

2CD8000

trusted library allocation

page read and write

BD9000

stack

page read and write

2BF7000

trusted library allocation

page execute and read and write

56A0000

heap

page read and write

530A000

trusted library allocation

page read and write

1436000

trusted library allocation

page execute and read and write

2EB1000

trusted library allocation

page read and write

5450000

heap

page read and write

2E80000

trusted library allocation

page read and write

65DD000

stack

page read and write

5320000

trusted library allocation

page read and write

1447000

trusted library allocation

page execute and read and write

68C7000

heap

page read and write

144B000

trusted library allocation

page execute and read and write

1138000

heap

page read and write

5FD0000

heap

page read and write

2BF0000

trusted library allocation

page read and write

3EB1000

trusted library allocation

page read and write

68EE000

heap

page read and write

2EFD000

trusted library allocation

page read and write

F67000

heap

page read and write

2EE7000

trusted library allocation

page read and write

2F26000

trusted library allocation

page read and write

53C0000

heap

page read and write

2BF5000

trusted library allocation

page execute and read and write

6940000

heap

page read and write

576E000

stack

page read and write

53F0000

heap

page read and write

586E000

stack

page read and write

BF0000

heap

page read and write

6840000

heap

page read and write

54E0000

heap

page execute and read and write

BBA000

stack

page read and write

59E0000

trusted library allocation

page execute and read and write

2C5E000

stack

page read and write

2E9E000

stack

page read and write

5334000

trusted library allocation

page read and write

114E000

heap

page read and write

1413000

trusted library allocation

page execute and read and write

2EF1000

trusted library allocation

page read and write

1050000

heap

page read and write

11BF000

heap

page read and write

6850000

heap

page read and write

2D00000

heap

page read and write

11BC000

heap

page read and write

2BE2000

trusted library allocation

page read and write

3EA1000

trusted library allocation

page read and write

F40000

heap

page read and write

1130000

heap

page read and write

6B20000

heap

page read and write

13CF000

stack

page read and write

645E000

stack

page read and write

2E7C000

stack

page read and write

56B0000

trusted library allocation

page execute and read and write

635E000

stack

page read and write

6958000

trusted library allocation

page read and write

5400000

trusted library allocation

page read and write

6B00000

trusted library allocation

page read and write

52E4000

trusted library allocation

page read and write

572C000

stack

page read and write

1010000

heap

page read and write

1206000

heap

page read and write

2D80000

trusted library allocation

page read and write

F30000

heap

page read and write

70C0000

heap

page read and write

108F000

heap

page read and write

71E0000

heap

page read and write

59F0000

trusted library allocation

page read and write

2EEF000

trusted library allocation

page read and write

2C10000

trusted library allocation

page read and write

11AD000

heap

page read and write

671E000

stack

page read and write

1520000

heap

page read and write

142D000

trusted library allocation

page execute and read and write

52F0000

trusted library allocation

page read and write

58CE000

stack

page read and write

52E0000

trusted library allocation

page read and write

B73E000

stack

page read and write

F50000

heap

page read and write

5690000

heap

page read and write

121D000

heap

page read and write

1020000

heap

page read and write

4F9C000

stack

page read and write

6AB0000

trusted library allocation

page read and write

2D30000

heap

page read and write

5920000

trusted library allocation

page read and write

77C2000

trusted library allocation

page read and write

6BE0000

trusted library allocation

page execute and read and write

530E000

trusted library allocation

page read and write

13D0000

heap

page read and write

2BEA000

trusted library allocation

page execute and read and write

5940000

heap

page read and write

2F20000

trusted library allocation

page read and write

6BA0000

heap

page read and write

1123000

trusted library allocation

page execute and read and write

5945000

heap

page read and write

53B0000

trusted library allocation

page execute and read and write

55F0000

trusted library section

page readonly

F96000

heap

page read and write

5330000

trusted library allocation

page read and write

6AD0000

trusted library allocation

page read and write

58AE000

stack

page read and write

6ADA000

trusted library allocation

page read and write

5390000

heap

page read and write

7430000

trusted library allocation

page read and write

7440000

trusted library allocation

page read and write

128E000

stack

page read and write

1460000

trusted library allocation

page read and write

8E5E000

stack

page read and write

B97E000

stack

page read and write

10F6000

heap

page read and write

112D000

trusted library allocation

page execute and read and write

F90000

heap

page read and write

659E000

stack

page read and write

52FE000

trusted library allocation

page read and write

11D0000

heap

page read and write

3ED9000

trusted library allocation

page read and write

68E7000

heap

page read and write

7208000

heap

page read and write

5FFA000

heap

page read and write

2EA1000

trusted library allocation

page read and write

141D000

trusted library allocation

page execute and read and write

5350000

trusted library allocation

page read and write

1400000

trusted library allocation

page read and write

6AE0000

trusted library allocation

page read and write

A82000

unkown

page readonly

6AF0000

trusted library allocation

page execute and read and write

105B000

heap

page read and write

B83F000

stack

page read and write

2F1E000

trusted library allocation

page read and write

2D70000

trusted library allocation

page read and write

681E000

stack

page read and write

4FAD000

stack

page read and write

8E10000

trusted library allocation

page execute and read and write

2F24000

trusted library allocation

page read and write

53E0000

trusted library allocation

page read and write

1442000

trusted library allocation

page read and write

544B000

stack

page read and write

2E90000

trusted library allocation

page read and write

14F0000

trusted library allocation

page execute and read and write

66DE000

stack

page read and write

F80000

heap

page read and write

53A2000

trusted library allocation

page read and write

B87E000

stack

page read and write

5A00000

trusted library allocation

page read and write

531D000

trusted library allocation

page read and write

1110000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

14AE000

stack

page read and write

EF7000

stack

page read and write

2D20000

trusted library allocation

page execute and read and write

699E000

stack

page read and write

1085000

heap

page read and write

6AC0000

trusted library allocation

page read and write

68DB000

heap

page read and write

53B0000

heap

page read and write

649D000

stack

page read and write

5325000

trusted library allocation

page read and write

2BF2000

trusted library allocation

page read and write

BF6000

heap

page read and write

530D000

trusted library allocation

page read and write

11B8000

heap

page read and write

1124000

heap

page read and write

1410000

trusted library allocation

page read and write

7446000

trusted library allocation

page read and write

1159000

heap

page read and write

539C000

stack

page read and write

5680000

heap

page execute and read and write

6950000

trusted library allocation

page read and write

52F6000

trusted library allocation

page read and write

5330000

trusted library allocation

page read and write

53B3000

heap

page read and write

5FF0000

heap

page read and write

1500000

heap

page read and write

1414000

trusted library allocation

page read and write

2EA0000

heap

page execute and read and write

2C68000

trusted library allocation

page read and write

1163000

heap

page read and write

1120000

trusted library allocation

page read and write

7F410000

trusted library allocation

page execute and read and write

5302000

trusted library allocation

page read and write

2F28000

trusted library allocation

page read and write

1432000

trusted library allocation

page read and write

5930000

trusted library section

page read and write

2BDD000

trusted library allocation

page execute and read and write

There are 232 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportMV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe