Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

cANdLlHS4N.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.349238472441651
Filename:	cANdLlHS4N.exe
Filesize:	3804160
MD5:	b3139b26a2dabb9b6e728884d8fa8b33
SHA1:	de5672c7940e4fad3c8145ce9e8a5fcb1da0fcee
SHA256:	5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481
SHA512:	f6b857fdb4b393e9e80893d081c46471cb75a92289d53a8d457fe889eee46b7212c5188032aa24400da6e8ba56168716aeb3e48c77758b4fbb74817ba4b13951
SSDEEP:	98304:drzo0aM7e5O92nAv/tyE6peB1IY8CEueiSH0h292bNcx:pzo0S4yRY8tueiSUh1bCx
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........a...............x\......xL..............vA......vu.[....vt......vE......vB.....Rich....................PE..L...M..X...........

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Antivirus / Scanner detection for submitted sample	AV Detection
Submitted sample is a known malware sample	System Summary	Screen Capture
Uses 32bit PE files	Compliance, System Summary	Masquerading
Yara signature match	System Summary
Antivirus or Machine Learning detection for unpacked file	AV Detection	Software Packing
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Security Software Discovery
Detected potential crypto function	System Summary	System Time Discovery Process Discovery Archive Collected Data
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Masquerading Security Software Discovery Application Window Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
PE file contains strange resources	System Summary	Ingress Tool Transfer
Drops PE files	Persistence and Installation Behavior
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Queries a list of all running processes	Malware Analysis System Evasion
Sample is known by Antivirus	System Summary
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to query local / system time	Language, Device and Operating System Detection
Creates temporary files	System Summary	Security Software Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Contains functionality to instantiate COM classes	System Summary	Security Software Discovery
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Creates mutexes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE file contains a mix of resources often seen in goodware	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\StarBurn.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\StarBurn.dll
Category:	dropped
Dump:	StarBurn.dll.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\cANdLlHS4N.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.439912486566814
Encrypted:	false
Ssdeep:	3072:JmeUE3TxGh4MwlW7AzD7Lcv4L2ZbDdlWG/4:Jm7EUhTwljDS4LevXWGg
Size:	134244
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior

C:\Users\user\AppData\Local\Temp\obedience.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\obedience.exe
Category:	dropped
Dump:	obedience.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\cANdLlHS4N.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.373866112987865
Encrypted:	false
Ssdeep:	49152:fFdy58d2Bqc8Y7IDbauSVGDzhGjThGDzhmj8L5NsmCY:fFs58d2Bqc8Y7IDbauSVGDzhGjThGDzo
Size:	1616040
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Contains functionality to detect sleep reduction / modifications	Malware Analysis System Evasion	Security Software Discovery
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to call native functions	System Summary
Contains functionality to detect sandboxes (mouse cursor move detection)	Malware Analysis System Evasion	Security Software Discovery
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a start menu entry (Start Menu\Programs\Startup)	Boot Survival	Registry Run Keys / Startup Folder
Drops PE files	Persistence and Installation Behavior
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found evasive API chain (may stop execution after checking a module file name)	Malware Analysis System Evasion	Native API
Found large amount of non-executed APIs	Malware Analysis System Evasion
May check if the current machine is a sandbox (GetTickCount - Sleep)	Malware Analysis System Evasion	Security Software Discovery
Queries keyboard layouts	Malware Analysis System Evasion	System Information Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Contains functionality for error logging	System Summary
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Enumerates the file system	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Reads ini files	System Summary	File and Directory Discovery
Sigma detected: Process Start From Suspicious Folder	System Summary
Spawns processes	System Summary	Process Injection
Uses an in-process (OLE) Automation server	System Summary

C:\Users\user\AppData\Local\Temp\handkerchief.dat

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\handkerchief.dat
Category:	dropped
Dump:	handkerchief.dat.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\cANdLlHS4N.exe
Type:	data
Entropy:	6.992551822422355
Encrypted:	false
Ssdeep:	6144:cMq9yyNTKrkgMEVAUtmEXlW+/xf8GQ6/Ta2QSirGf23YJKRluri9Zoqip3:Q9lNTokREm0mN+/uGQ6/O2orsKHt9Zo1
Size:	254593
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\persuasion.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Mar 10 05:21:32 2022, mtime=Thu Mar 10 05:21:44 2022, atime=Thu Mar 10 05:21:32 2022, length=1616040, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\persuasion.lnk
Category:	dropped
Dump:	persuasion.lnk.1.dr
ID:	dr_3
Target ID:	1
Process:	C:\Users\user\AppData\Local\Temp\obedience.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Mar 10 05:21:32 2022, mtime=Thu Mar 10 05:21:44 2022, atime=Thu Mar 10 05:21:32 2022, length=1616040, window=hide
Entropy:	5.008588795039891
Encrypted:	false
Ssdeep:	24:8mrk3tHwNeRhHgKGUsAwZfaBJ9YC7aB6m:8mrk3tIeRhTrOaBJ9GB6
Size:	1118
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates a start menu entry (Start Menu\Programs\Startup)	Boot Survival	Registry Run Keys / Startup Folder
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\cANdLlHS4N.exe

"C:\Users\user\Desktop\cANdLlHS4N.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6048
Target ID:	0
Parent PID:	1796
Name:	cANdLlHS4N.exe
Path:	C:\Users\user\Desktop\cANdLlHS4N.exe
Commandline:	"C:\Users\user\Desktop\cANdLlHS4N.exe"
Size:	3804160
MD5:	B3139B26A2DABB9B6E728884D8FA8B33
Time:	07:21:31
Date:	10/03/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x9a0000
Modulesize:	3846144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Submitted sample is a known malware sample	System Summary
PE file contains strange resources	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sigma detected: Process Start From Suspicious Folder	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE file contains a mix of resources often seen in goodware	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\obedience.exe

Details

Is windows:	false
Is dropped:	true
PID:	488
Target ID:	1
Parent PID:	6048
Name:	obedience.exe
Path:	C:\Users\user\AppData\Local\Temp\obedience.exe
Commandline:	C:\Users\user\AppData\Local\Temp\obedience.exe
Size:	1616040
MD5:	6A1C14D5F16A07BEF55943134FE618C0
Time:	07:21:33
Date:	10/03/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1634304
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Creates temporary files	System Summary
Sigma detected: Process Start From Suspicious Folder	System Summary
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Internet Explorer\iexplore.exe

Details

Is windows:	true
Is dropped:	false
PID:	5844
Target ID:	2
Parent PID:	488
Name:	iexplore.exe
Class:	iexplore
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Commandline:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Size:	822536
MD5:	071277CC2E3DF41EEEA8013E2AB58D5A
Time:	07:21:35
Date:	10/03/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x920000
Modulesize:	827392
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\obedience.exe

"C:\Users\user\AppData\Local\Temp\obedience.exe"

Details

Is windows:	false
Is dropped:	true
PID:	5080
Target ID:	3
Parent PID:	3616
Name:	obedience.exe
Path:	C:\Users\user\AppData\Local\Temp\obedience.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\obedience.exe"
Size:	1616040
MD5:	6A1C14D5F16A07BEF55943134FE618C0
Time:	07:21:44
Date:	10/03/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	1634304
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Creates temporary files	System Summary
Sigma detected: Process Start From Suspicious Folder	System Summary
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Internet Explorer\iexplore.exe

Details

Is windows:	true
Is dropped:	false
PID:	244
Target ID:	4
Parent PID:	5080
Name:	iexplore.exe
Class:	iexplore
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Commandline:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Size:	822536
MD5:	071277CC2E3DF41EEEA8013E2AB58D5A
Time:	07:21:46
Date:	10/03/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true

Signature Hits	Behavior Group	Mitre Attack
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://67.205.132.17:443/23I9/index.php

67.205.132.17

https://67.205.132.17:443/NEZTl2/index.php

67.205.132.17

https://67.205.132.17:443/hvnqlRD8z/index.php

67.205.132.17

https://67.205.132.17:443/M2c1Nb/index.php

67.205.132.17

https://67.205.132.17:443/3T3t/index.php

67.205.132.17

http://67.205.132.17:443

unknown

http://secure.globalsign.net/cacert/PrimObject.crt0

unknown

http://secure.globalsign.net/cacert/ObjectSign.crt09

unknown

http://www.globalsign.net/repository09

unknown

http://www.audio-tool.net

unknown

http://www.globalsign.net/repository/0

unknown

http://www.globalsign.net/repository/03

unknown

There are 2 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

67.205.132.17

unknown

United States

Details

IP:	67.205.132.17
TargetID:	2
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Country:	United States
Countrycode:	USA
ASN number:	14061
ASN name:	DIGITALOCEAN-ASNUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Detected non-DNS traffic on DNS port	Networking
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

192.168.2.1

unknown

144.168.45.116

unknown

United States

Details

IP:	144.168.45.116
TargetID:	2
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Country:	United States
Countrycode:	USA
ASN number:	54540
ASN name:	INCERO-HVVCUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

3120000

heap

page read and write

242F3D64000

trusted library allocation

page read and write

1DEF8720000

trusted library allocation

page read and write

2650000

heap

page read and write

1DEF86B0000

trusted library allocation

page read and write

2DB0000

unkown

page readonly

31C5000

heap

page read and write

2880000

trusted library allocation

page read and write

7DF000

stack

page read and write

22E97A46000

unkown

page read and write

9C000

stack

page read and write

2B7F000

stack

page read and write

EAE0F7F000

stack

page read and write

44D7E7F000

stack

page read and write

6EDAF000

unkown

page read and write

44D7D7E000

stack

page read and write

31BB000

heap

page read and write

2DA0000

unkown

page readonly

242EE624000

unkown

page read and write

6A4000

heap

page read and write

242EF000000

unkown

page read and write

1DEF6C6C000

unkown

page read and write

242EFB90000

trusted library allocation

page read and write

242EFBA0000

trusted library allocation

page read and write

2A3F000

stack

page read and write

319C000

heap

page read and write

878000

heap

page read and write

22E97A13000

unkown

page read and write

3188000

heap

page read and write

6D5000

heap

page read and write

2873000

heap

page read and write

22E97A49000

unkown

page read and write

242EFB93000

trusted library allocation

page read and write

EAE10FF000

stack

page read and write

242F3D40000

trusted library allocation

page read and write

257E000

stack

page read and write

900000

unkown

page read and write

1A38BF13000

unkown

page read and write

242EE5D0000

unkown

page read and write

242EF102000

unkown

page read and write

EAE11FE000

stack

page read and write

575000

unkown

page readonly

2DB0000

unkown

page readonly

3160000

heap

page read and write

900000

unkown

page read and write

D16000

unkown

page readonly

31A6000

heap

page read and write

22E97A74000

unkown

page read and write

31A6000

heap

page read and write

8E0000

unkown

page readonly

C8D000

unkown

page write copy

575000

unkown

page readonly

AFCE37E000

stack

page read and write

242F3E49000

unkown

page read and write

6A4000

heap

page read and write

30000

heap

page read and write

845DEFE000

stack

page read and write

AFCE67F000

stack

page read and write

31BB000

heap

page read and write

2710000

trusted library allocation

page read and write

6A4000

heap

page read and write

575000

unkown

page readonly

2DB0000

unkown

page readonly

242F3D84000

trusted library allocation

page read and write

242F3E2D000

unkown

page read and write

54E000

unkown

page readonly

31A6000

heap

page read and write

21C6A82A000

unkown

page read and write

22E97A64000

unkown

page read and write

400000

unkown

page readonly

242F3BA0000

trusted library allocation

page read and write

6EE6F000

unkown

page read and write

740000

heap

page read and write

1DEF6C26000

unkown

page read and write

1A38C602000

unkown

page read and write

22E97A77000

unkown

page read and write

22E97A41000

unkown

page read and write

242F3EF6000

unkown

page read and write

2DC0000

unkown

page read and write

242EF159000

unkown

page read and write

242F3D40000

trusted library allocation

page read and write

EAE0977000

stack

page read and write

242F3E14000

unkown

page read and write

2750000

trusted library allocation

page read and write

31BB000

heap

page read and write

2A10000

heap

page read and write

29E5000

trusted library allocation

page read and write

845DBFF000

stack

page read and write

2660000

trusted library allocation

page read and write

4C76000

heap

page read and write

242EF810000

trusted library section

page readonly

AFCE3FE000

stack

page read and write

242EE6AE000

unkown

page read and write

22E97A50000

unkown

page read and write

30000

heap

page read and write

845D9FF000

stack

page read and write

4C80000

remote allocation

page read and write

35B337F000

stack

page read and write

242EE66A000

unkown

page read and write

4B9F000

trusted library allocation

page execute and read and write

546E000

stack

page read and write

22E97A45000

unkown

page read and write

56F0000

trusted library allocation

page read and write

4F1E000

stack

page read and write

54E000

unkown

page readonly

44D827C000

stack

page read and write

26DE000

stack

page read and write

6AE000

stack

page read and write

CA2000

unkown

page write copy

31C5000

heap

page read and write

3000000

remote allocation

page execute and read and write

780000

heap

page read and write

31C5000

heap

page read and write

845DDFF000

stack

page read and write

35B327E000

stack

page read and write

2DC0000

unkown

page read and write

9A1000

unkown

page execute read

4F20000

heap

page read and write

242F3EF4000

unkown

page read and write

AD6000

unkown

page readonly

21C6A760000

heap

page read and write

56A000

unkown

page readonly

54AE000

stack

page read and write

3191000

heap

page read and write

8F0000

unkown

page readonly

22E97A6D000

unkown

page read and write

242EE68E000

unkown

page read and write

6A0000

heap

page read and write

496000

unkown

page readonly

242EE6FC000

unkown

page read and write

870000

heap

page read and write

319C000

heap

page read and write

48E000

unkown

page write copy

31BB000

heap

page read and write

AFCE27E000

stack

page read and write

22E97A51000

unkown

page read and write

22E97A84000

unkown

page read and write

541000

unkown

page readonly

242F40A0000

remote allocation

page read and write

4C80000

remote allocation

page read and write

3191000

heap

page read and write

2D9C000

stack

page read and write

6ED90000

unkown

page readonly

2400000

heap

page read and write

21C6A800000

unkown

page read and write

242EF118000

unkown

page read and write

C5A000

unkown

page read and write

22E97A7A000

unkown

page read and write

2DC0000

unkown

page read and write

31C5000

heap

page read and write

1A38BDD0000

unkown

page read and write

242F3D70000

trusted library allocation

page read and write

242F3F00000

unkown

page read and write

400000

unkown

page readonly

6D0000

heap

page read and write

6EE51000

unkown

page execute read

4C90000

heap

page read and write

6ED91000

unkown

page execute read

242EF118000

unkown

page read and write

1A38BE13000

unkown

page read and write

1DEF6C02000

unkown

page read and write

C8D000

unkown

page read and write

44D807C000

stack

page read and write

900000

unkown

page read and write

242F40A0000

remote allocation

page read and write

242F4080000

trusted library allocation

page read and write

242EE665000

unkown

page read and write

1DEF6C5C000

unkown

page read and write

7CC000

heap

page read and write

A1E000

stack

page read and write

26E0000

trusted library allocation

page read and write

2DA0000

unkown

page readonly

EAE0FFE000

stack

page read and write

22D0000

trusted library allocation

page execute and read and write

31A6000

heap

page read and write

31BB000

heap

page read and write

22E98202000

unkown

page read and write

2B3F000

stack

page read and write

1DEF6D00000

unkown

page read and write

990000

trusted library allocation

page read and write

29EF000

trusted library allocation

page read and write

242EE613000

unkown

page read and write

6EE73000

unkown

page readonly

21C6A85C000

unkown

page read and write

2A11000

heap

page read and write

B5F000

stack

page read and write

A6F000

stack

page read and write

54E000

unkown

page readonly

EAE0DFA000

stack

page read and write

EAE055B000

stack

page read and write

242F3EDD000

unkown

page read and write

2DC0000

unkown

page read and write

21C6A7F0000

unkown

page read and write

2DB0000

unkown

page readonly

AFCE4FE000

stack

page read and write

242EE5A0000

heap

page read and write

2DB0000

unkown

page readonly

22E97A4B000

unkown

page read and write

31C5000

heap

page read and write

242EF800000

trusted library section

page readonly

9C000

stack

page read and write

31A6000

heap

page read and write

1A38BE69000

unkown

page read and write

29C8000

trusted library allocation

page read and write

31C5000

heap

page read and write

496000

unkown

page readonly

541000

unkown

page readonly

1A38BE00000

unkown

page read and write

401000

unkown

page execute read

22E97A7B000

unkown

page read and write

8E0000

unkown

page readonly

4C2E000

stack

page read and write

35B307E000

stack

page read and write

242F4010000

trusted library allocation

page read and write

4B9C000

trusted library allocation

page execute and read and write

242EF7F0000

trusted library section

page readonly

35B2BFB000

stack

page read and write

48F000

unkown

page write copy

EAE117E000

stack

page read and write

562000

unkown

page readonly

2A11000

heap

page read and write

1DEF6C4E000

unkown

page read and write

1DEF6C6C000

unkown

page read and write

C66000

unkown

page read and write

3000000

remote allocation

page execute and read and write

21C6B090000

remote allocation

page read and write

C83000

unkown

page read and write

22E97A67000

unkown

page read and write

845D67A000

stack

page read and write

1DEF6B90000

heap

page read and write

31CC000

heap

page read and write

242F3E3C000

unkown

page read and write

401000

unkown

page execute read

2DC0000

unkown

page read and write

242EF7D0000

trusted library section

page readonly

EAE0EFB000

stack

page read and write

242F3C30000

trusted library allocation

page read and write

242F3EEE000

unkown

page read and write

22E97A2C000

unkown

page read and write

400000

unkown

page readonly

EAE107F000

stack

page read and write

401000

unkown

page execute read

1DEF8802000

unkown

page read and write

31C5000

heap

page read and write

319D000

heap

page read and write

1DEF86E0000

trusted library allocation

page read and write

1DEF8690000

unkown

page read and write

56A000

unkown

page readonly

31C5000

heap

page read and write

48E000

unkown

page write copy

242F3E00000

unkown

page read and write

845D47B000

stack

page read and write

55AE000

stack

page read and write

31C5000

heap

page read and write

1DEF6C2A000

unkown

page read and write

2786000

heap

page read and write

242EE69F000

unkown

page read and write

56C000

stack

page read and write

2680000

heap

page read and write

242EF6F0000

trusted library allocation

page read and write

22E97A44000

unkown

page read and write

31BB000

heap

page read and write

22E97A75000

unkown

page read and write

242F3BB0000

trusted library allocation

page read and write

242EF002000

unkown

page read and write

1DEF87A0000

remote allocation

page read and write

242EE66F000

unkown

page read and write

2DA0000

unkown

page readonly

2420000

trusted library allocation

page execute and read and write

31BB000

heap

page read and write

22E97A63000

unkown

page read and write

22E97A29000

unkown

page read and write

2C8D000

stack

page read and write

22E97A4D000

unkown

page read and write

2410000

trusted library allocation

page read and write

22E97A4A000

unkown

page read and write

242EE63F000

unkown

page read and write

9A0000

unkown

page readonly

496000

unkown

page readonly

490000

unkown

page read and write

22E97A47000

unkown

page read and write

242EF159000

unkown

page read and write

AFCE87D000

stack

page read and write

845DFFE000

stack

page read and write

242EE713000

unkown

page read and write

3191000

heap

page read and write

1DEF6C00000

unkown

page read and write

6EE50000

unkown

page readonly

31C6000

heap

page read and write

1A38BC60000

heap

page read and write

84F000

stack

page read and write

3192000

heap

page read and write

242F3C20000

trusted library allocation

page read and write

EAE0AFA000

stack

page read and write

8E0000

unkown

page readonly

56EE000

stack

page read and write

6A4000

heap

page read and write

E4E000

stack

page read and write

B1E000

unkown

page read and write

8F0000

unkown

page readonly

242F3EF8000

unkown

page read and write

845DCFF000

stack

page read and write

3192000

heap

page read and write

242EE659000

unkown

page read and write

21C6B090000

remote allocation

page read and write

31BB000

heap

page read and write

21C6A902000

unkown

page read and write

EAE14FE000

stack

page read and write

2C30000

heap

page read and write

6B0000

trusted library allocation

page read and write

198000

stack

page read and write

22E97A2D000

unkown

page read and write

21C6A813000

unkown

page read and write

4B40000

trusted library allocation

page execute and read and write

490000

unkown

page read and write

242F4070000

trusted library allocation

page read and write

562000

unkown

page readonly

22E97A30000

unkown

page read and write

1DEF6D02000

unkown

page read and write

1A38BE5A000

unkown

page read and write

54E000

unkown

page readonly

3191000

heap

page read and write

6FE000

stack

page read and write

1A38BE3D000

unkown

page read and write

242F3E5F000

unkown

page read and write

AD6000

unkown

page readonly

31A6000

heap

page read and write

6DE000

stack

page read and write

7C4000

heap

page read and write

4E9F000

stack

page read and write

2780000

heap

page read and write

2730000

heap

page read and write

56A000

unkown

page readonly

6EDB3000

unkown

page readonly

318B000

heap

page read and write

91E000

stack

page read and write

575000

unkown

page readonly

1DEF6BF0000

heap

page read and write

3000000

remote allocation

page execute and read and write

21C6A837000

unkown

page read and write

21C6A802000

unkown

page read and write

242F3F02000

unkown

page read and write

22E97A3E000

unkown

page read and write

9A0000

unkown

page readonly

29BC000

trusted library allocation

page read and write

2870000

heap

page read and write

21C6B090000

remote allocation

page read and write

242F3E53000

unkown

page read and write

316A000

heap

page read and write

6EDA6000

unkown

page readonly

48E000

unkown

page read and write

1DEF6B80000

heap

page read and write

242EE693000

unkown

page read and write

22E97A2E000

unkown

page read and write

271E000

stack

page read and write

22E977A0000

heap

page read and write

4C70000

heap

page read and write

31A6000

heap

page read and write

2580000

trusted library allocation

page execute and read and write

8F0000

unkown

page readonly

22E97790000

heap

page read and write

22E97A6B000

unkown

page read and write

4EDE000

stack

page read and write

22E97A00000

unkown

page read and write

22E97A3B000

unkown

page read and write

48F000

unkown

page write copy

242F3D48000

trusted library allocation

page read and write

D16000

unkown

page readonly

242EE5E0000

trusted library section

page read and write

7EA000

heap

page read and write

242F3E90000

trusted library allocation

page read and write

6E0000

trusted library allocation

page read and write

242F4060000

trusted library allocation

page read and write

496000

unkown

page readonly

22E97A52000

unkown

page read and write

9A1000

unkown

page execute read

2B8E000

stack

page read and write

1DEF87A0000

remote allocation

page read and write

242F4050000

trusted library allocation

page read and write

3125000

heap

page read and write

1A38BE6A000

unkown

page read and write

21C6A750000

heap

page read and write

44D7AFE000

stack

page read and write

242EFB71000

trusted library allocation

page read and write

C83000

unkown

page write copy

845D8FF000

stack

page read and write

319D000

heap

page read and write

22E97A7D000

unkown

page read and write

22E97A4F000

unkown

page read and write

44D7F7D000

stack

page read and write

22E97A4E000

unkown

page read and write

541000

unkown

page readonly

25F0000

trusted library allocation

page read and write

1A38BE77000

unkown

page read and write

7E0000

heap

page read and write

31CC000

heap

page read and write

469000

stack

page read and write

22E97A2F000

unkown

page read and write

242F3EA0000

trusted library allocation

page read and write

242EE540000

heap

page read and write

31CC000

heap

page read and write

2733000

heap

page read and write

22E97A66000

unkown

page read and write

22E97800000

heap

page read and write

242EE600000

unkown

page read and write

4C80000

remote allocation

page read and write

6EE66000

unkown

page readonly

242EE702000

unkown

page read and write

35B317E000

stack

page read and write

22E97A42000

unkown

page read and write

55EE000

stack

page read and write

48E000

unkown

page read and write

22E97B02000

unkown

page read and write

400000

unkown

page readonly

242F40A0000

remote allocation

page read and write

6A4000

heap

page read and write

318B000

heap

page read and write

44D7C7E000

stack

page read and write

1DEF6C3A000

unkown

page read and write

2620000

heap

page read and write

400000

heap

page read and write

44D76CB000

stack

page read and write

CA2000

unkown

page read and write

EAE0BFA000

stack

page read and write

73E000

stack

page read and write

44D817F000

stack

page read and write

242F3E1F000

unkown

page read and write

242F3D4E000

trusted library allocation

page read and write

21C6B202000

unkown

page read and write

31A6000

heap

page read and write

4C30000

heap

page read and write

6A4000

heap

page read and write

562000

unkown

page readonly

2480000

trusted library allocation

page read and write

25F3000

heap

page read and write

6A4000

heap

page read and write

845D7FC000

stack

page read and write

1A38BF02000

unkown

page read and write

6A4000

heap

page read and write

22E97A30000

unkown

page read and write

1A38BCD0000

heap

page read and write

AFCE77D000

stack

page read and write

1DEF87A0000

remote allocation

page read and write

1DEF6C5C000

unkown

page read and write

2DA0000

unkown

page readonly

491000

unkown

page write copy

860000

trusted library allocation

page read and write

23F0000

heap

page read and write

35B2E7E000

stack

page read and write

242EF7E0000

trusted library section

page readonly

21C6A7C0000

heap

page read and write

242EF100000

unkown

page read and write

1DEF6C13000

unkown

page read and write

198000

stack

page read and write

2C9C000

stack

page read and write

491000

unkown

page write copy

502B000

stack

page read and write

35B2EFE000

stack

page read and write

C5A000

unkown

page write copy

22F0000

heap

page read and write

31BB000

heap

page read and write

242F3D60000

trusted library allocation

page read and write

1DEF6C9D000

unkown

page read and write

1A38BE29000

unkown

page read and write

1DEF6D18000

unkown

page read and write

78A000

heap

page read and write

25BE000

stack

page read and write

1DEF6D13000

unkown

page read and write

562000

unkown

page readonly

845DAFD000

stack

page read and write

1DEF6C3D000

unkown

page read and write

22E97900000

unkown

page read and write

EAE12FB000

stack

page read and write

242EF015000

unkown

page read and write

401000

unkown

page execute read

AFCDEEC000

stack

page read and write

1DEF6C59000

unkown

page read and write

2410000

trusted library allocation

page execute and read and write

EAE0CFE000

stack

page read and write

242EE530000

heap

page read and write

242EE68A000

unkown

page read and write

C66000

unkown

page write copy

31CC000

heap

page read and write

242F3EFE000

unkown

page read and write

242F3D80000

trusted library allocation

page read and write

2DA0000

unkown

page readonly

660000

trusted library allocation

page read and write

97E000

stack

page read and write

2470000

heap

page read and write

242EF113000

unkown

page read and write

242F3D61000

trusted library allocation

page read and write

22E97A69000

unkown

page read and write

3110000

trusted library allocation

page read and write

3191000

heap

page read and write

31C5000

heap

page read and write

1A38BC70000

heap

page read and write

56A000

unkown

page readonly

1DEF6C69000

unkown

page read and write

69E000

stack

page read and write

21C6A840000

unkown

page read and write

242F3D70000

trusted library allocation

page read and write

2300000

trusted library allocation

page read and write

AFCE5FD000

stack

page read and write

242F3E78000

unkown

page read and write

31A6000

heap

page read and write

3191000

heap

page read and write

B1E000

unkown

page write copy

2C7F000

stack

page read and write

541000

unkown

page readonly

242F3EAA000

unkown

page read and write

1A38BE02000

unkown

page read and write

242EF820000

trusted library section

page readonly

A5E000

stack

page read and write

25F0000

heap

page read and write

242F3EF2000

unkown

page read and write

242F3E75000

unkown

page read and write

There are 506 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
cANdLlHS4N

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportcANdLlHS4N

Files

Processes

URLs

IPs

Memdumps

IOC Report
cANdLlHS4N