Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.946015742389872
Filename:	file.exe
Filesize:	1751552
MD5:	e327e97714aa25537fde40f3c48efde7
SHA1:	428bbb6bf12584eda0e0d9c7ba8451e792e08507
SHA256:	2d4680a8ec9567082b77baef594ca11f2a509c4bae189a239855e00d357c7a34
SHA512:	786d9fc5f79a180eb94353cacc9e2eacf12c25d41634807abd9fb161dda33112e7847ceef0b6ca6d884886c1065fbf27f3ae6a6161d10329d9c0b4722b23706e
SSDEEP:	49152:5yuGkFQgUAXfRldRSNc67YugyTIbuna1e:IBkFQW5RJu6unaQ
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b...............u^......uk......u_......{v.....fz.......{f..............uZ......uh.....Rich............PE..L...M..f...........

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation
Multi AV Scanner detection for submitted file	AV Detection
Hides threads from debuggers	Anti Debugging
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)	Boot Survival
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Tries to detect sandboxes and other dynamic analysis tools (window names)	Anti Debugging
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion	Security Software Discovery
Tries to evade debugger and weak emulator (self modifying code)	Malware Analysis System Evasion
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Security Software Discovery Data from Local System
Checks for debuggers (devices)	Anti Debugging	Security Software Discovery
Checks if the current process is being debugged	Anti Debugging
Contains capabilities to detect virtual machines	Malware Analysis System Evasion
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
One or more processes crash	System Summary
PE file contains an invalid checksum	Data Obfuscation	Security Software Discovery
PE file contains sections with non-standard names	Data Obfuscation
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection	Security Software Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary	Masquerading
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing Security Software Discovery
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Queries a list of all running drivers	Malware Analysis System Evasion	System Information Discovery
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary	Security Software Discovery
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking	Security Software Discovery
Uses an in-process (OLE) Automation server	System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_d6eca444034557dbadee3a9b8c12d3885e1caed_6983241a_16bd15ca-eeb6-4121-8ba8-a24a92496132\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_d6eca444034557dbadee3a9b8c12d3885e1caed_6983241a_16bd15ca-eeb6-4121-8ba8-a24a92496132\Report.wer
Category:	dropped
Dump:	Report.wer.6.dr
ID:	dr_3
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.9715733055531203
Encrypted:	false
Ssdeep:	192:WhsHhjvnPlD0BU/7E3juCZr+dqWzuiFqZ24IO8ThB:NnNwBU/AjWXzuiFqY4IO8r
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\IJECAEHJJJKJKFIDGCBGIJJJEH

SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4

dropped

Details

File:	C:\ProgramData\IJECAEHJJJKJKFIDGCBGIJJJEH
Category:	dropped
Dump:	IJECAEHJJJKJKFIDGCBGIJJJEH.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Entropy:	0.8439810553697228
Encrypted:	false
Ssdeep:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
Size:	20480
Whitelisted:	false
Reputation:	high

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6CDF.tmp.dmp

Mini DuMP crash report, 14 streams, Sun Sep 1 18:54:59 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER6CDF.tmp.dmp
Category:	dropped
Dump:	WER6CDF.tmp.dmp.6.dr
ID:	dr_5
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Sun Sep 1 18:54:59 2024, 0x1205a4 type
Entropy:	1.3620113564109735
Encrypted:	false
Ssdeep:	384:A/gNeEdU8kkcoVPrTX3Cnl9XkxJUYhVVLB:2gNeEdgP6/wpeB
Size:	285582
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6E47.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER6E47.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER6E47.tmp.WERInternalMetadata.xml.6.dr
ID:	dr_1
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.6992016403699743
Encrypted:	false
Ssdeep:	192:R6l7wVeJjCI6r6YEIHSU92gmfBtmprP89bCzsf7Wm:R6lXJ56r6YEISU92gmfbrCYfz
Size:	8374
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6E87.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER6E87.tmp.xml
Category:	dropped
Dump:	WER6E87.tmp.xml.6.dr
ID:	dr_2
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.469461811840022
Encrypted:	false
Ssdeep:	48:cvIwWl8zs8NJg77aI9JWWpW8VYjYm8M4JIgFw+q8jH2uHUd:uIjf8nI7j37VjJUw2uHUd
Size:	4594
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.6.dr
ID:	dr_4
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.421341949076065
Encrypted:	false
Ssdeep:	6144:0Svfpi6ceLP/9skLmb0OTKWSPHaJG8nAgeMZMMhA2fX4WABlEnN20uhiTw9:/vloTKW+EZMM6DFy403w9
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3424
Target ID:	0
Parent PID:	1028
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	1751552
MD5:	E327E97714AA25537FDE40F3C48EFDE7
Time:	14:53:54
Date:	01/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x320000
Modulesize:	6746112
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected Stealc	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1600

Details

Is windows:	true
Is dropped:	false
PID:	4292
Target ID:	6
Parent PID:	3424
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1600
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	14:54:59
Date:	01/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xf30000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://185.215.113.100/e2b1563c6670f193.phpUser

unknown

http://185.215.113.100/e2b1563c6670f193.php

185.215.113.100

http://185.215.113.1000d60be0de163924d/sqlite3.dllY2l8MXwwfDB8TWV0YU1hc2t8ZWpiYWxiYWtvcGxjaGxnaGVjZG

unknown

http://185.215.113.100/0d60be0de163924d/sqlite3.dll

185.215.113.100

http://185.215.113.100/e2b1563c6670f193.phpion:

unknown

http://185.215.113.100

unknown

http://185.215.113.100/0d60be0de163924d/sqlite3.dllq

unknown

http://185.215.113.100/e2b1563c6670f193.phpWm

unknown

http://185.215.113.100/e2b1563c6670f193.phpZWVta2JnY2l8MXwwfDB8TWV0YU1hc2t8ZWpiYWxiYWtvcGxjaGxnaGVjZ

unknown

http://185.215.113.100/e2b1563c6670f193.phpx

unknown

http://185.215.113.100/e2b1563c6670f193.phpinit.exe

unknown

http://185.215.113.100GIJ

unknown

http://185.215.113.100:

unknown

http://185.215.113.100/

185.215.113.100

http://185.215.113.100s.exe

unknown

http://185.215.113.100/e2b1563c6670f193.php7mH

unknown

http://185.215.113.100/0d60be0de163924d/sqlite3.dllc

unknown

http://upx.sf.net

unknown

http://www.sqlite.org/copyright.html.

unknown

There are 9 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

185.215.113.100

unknown

Portugal

Details

IP:	185.215.113.100
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	Portugal
Countrycode:	PRT
ASN number:	206894
ASN name:	WHOLESALECONNECTIONSNL
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

\REGISTRY\A\{df3247ab-d77f-6d22-8e35-e26e2549d3a2}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

ProgramId

\REGISTRY\A\{df3247ab-d77f-6d22-8e35-e26e2549d3a2}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

FileId

\REGISTRY\A\{df3247ab-d77f-6d22-8e35-e26e2549d3a2}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

LowerCaseLongPath

\REGISTRY\A\{df3247ab-d77f-6d22-8e35-e26e2549d3a2}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

LongPathHash

\REGISTRY\A\{df3247ab-d77f-6d22-8e35-e26e2549d3a2}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

Name

\REGISTRY\A\{df3247ab-d77f-6d22-8e35-e26e2549d3a2}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

OriginalFileName

\REGISTRY\A\{df3247ab-d77f-6d22-8e35-e26e2549d3a2}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

Publisher

\REGISTRY\A\{df3247ab-d77f-6d22-8e35-e26e2549d3a2}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

Version

\REGISTRY\A\{df3247ab-d77f-6d22-8e35-e26e2549d3a2}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

BinFileVersion

\REGISTRY\A\{df3247ab-d77f-6d22-8e35-e26e2549d3a2}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

BinaryType

\REGISTRY\A\{df3247ab-d77f-6d22-8e35-e26e2549d3a2}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

ProductName

\REGISTRY\A\{df3247ab-d77f-6d22-8e35-e26e2549d3a2}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

ProductVersion

\REGISTRY\A\{df3247ab-d77f-6d22-8e35-e26e2549d3a2}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

LinkDate

\REGISTRY\A\{df3247ab-d77f-6d22-8e35-e26e2549d3a2}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

BinProductVersion

\REGISTRY\A\{df3247ab-d77f-6d22-8e35-e26e2549d3a2}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

AppxPackageFullName

\REGISTRY\A\{df3247ab-d77f-6d22-8e35-e26e2549d3a2}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

AppxPackageRelativeId

\REGISTRY\A\{df3247ab-d77f-6d22-8e35-e26e2549d3a2}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

Size

\REGISTRY\A\{df3247ab-d77f-6d22-8e35-e26e2549d3a2}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

Language

\REGISTRY\A\{df3247ab-d77f-6d22-8e35-e26e2549d3a2}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

Usn

There are 9 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

38A000

unkown

page execute and read and write

119E000

heap

page read and write

4B51000

heap

page read and write

4B51000

heap

page read and write

4B51000

heap

page read and write

1D2FF000

stack

page read and write

41D000

unkown

page execute and read and write

4B51000

heap

page read and write

4B51000

heap

page read and write

7BD000

unkown

page execute and read and write

4B51000

heap

page read and write

4B51000

heap

page read and write

4B51000

heap

page read and write

4B51000

heap

page read and write

4FE0000

direct allocation

page read and write

4B70000

heap

page read and write

1D72E000

stack

page read and write

560000

unkown

page execute and read and write

61E00000

direct allocation

page execute and read and write

4B51000

heap

page read and write

4B51000

heap

page read and write

4B51000

heap

page read and write

4B40000

direct allocation

page read and write

4B51000

heap

page read and write

DB0000

heap

page read and write

7F7000

unkown

page execute and write copy

3B1E000

stack

page read and write

3F1000

unkown

page execute and read and write

4B51000

heap

page read and write

4B51000

heap

page read and write

2ED7000

heap

page read and write

1D62E000

stack

page read and write

4B51000

heap

page read and write

61ECD000

direct allocation

page execute and read and write

4B51000

heap

page read and write

D4C000

stack

page read and write

30DF000

stack

page read and write

4B51000

heap

page read and write

98B000

unkown

page execute and read and write

3BF000

unkown

page execute and read and write

13B6000

heap

page read and write

4B51000

heap

page read and write

4B40000

direct allocation

page read and write

4B51000

heap

page read and write

4B60000

heap

page read and write

1D48E000

stack

page read and write

4B1F000

stack

page read and write

4B51000

heap

page read and write

511F000

stack

page read and write

4B51000

heap

page read and write

4B51000

heap

page read and write

4B51000

heap

page read and write

4B51000

heap

page read and write

311E000

stack

page read and write

4B51000

heap

page read and write

5160000

direct allocation

page execute and read and write

1190000

heap

page read and write

4B51000

heap

page read and write

2ECE000

stack

page read and write

4A1E000

stack

page read and write

4B51000

heap

page read and write

43DE000

stack

page read and write

3B3000

unkown

page execute and read and write

4FE0000

direct allocation

page read and write

6E5000

unkown

page execute and read and write

4B51000

heap

page read and write

10FD000

stack

page read and write

4B51000

heap

page read and write

7F6000

unkown

page execute and write copy

12D0000

heap

page read and write

3ADF000

stack

page read and write

3D5F000

stack

page read and write

145B000

heap

page read and write

4B51000

heap

page read and write

1D730000

heap

page read and write

335F000

stack

page read and write

321F000

stack

page read and write

4B51000

heap

page read and write

4B40000

direct allocation

page read and write

501B000

stack

page read and write

4B51000

heap

page read and write

439F000

stack

page read and write

1D34D000

stack

page read and write

389E000

stack

page read and write

385F000

stack

page read and write

1D736000

heap

page read and write

4B51000

heap

page read and write

4B51000

heap

page read and write

4B51000

heap

page read and write

48DE000

stack

page read and write

4B51000

heap

page read and write

2E8C000

stack

page read and write

321000

unkown

page execute and read and write

1D09E000

stack

page read and write

320000

unkown

page readonly

10F5000

stack

page read and write

4B51000

heap

page read and write

4B51000

heap

page read and write

49DF000

stack

page read and write

4B51000

heap

page read and write

4B40000

direct allocation

page read and write

61ED3000

direct allocation

page execute and read and write

35C000

unkown

page execute and read and write

12CE000

stack

page read and write

4B40000

direct allocation

page read and write

3C1F000

stack

page read and write

349F000

stack

page read and write

4B51000

heap

page read and write

98C000

unkown

page execute and write copy

4B51000

heap

page read and write

411000

unkown

page execute and read and write

2ED0000

heap

page read and write

3E9F000

stack

page read and write

3C5E000

stack

page read and write

320000

unkown

page read and write

238CF000

stack

page read and write

2FDF000

stack

page read and write

411F000

stack

page read and write

5150000

direct allocation

page execute and read and write

1227000

heap

page read and write

4B40000

direct allocation

page read and write

4B40000

direct allocation

page read and write

479E000

stack

page read and write

4C7000

unkown

page execute and read and write

34DE000

stack

page read and write

1D58C000

stack

page read and write

4B51000

heap

page read and write

4B51000

heap

page read and write

4B20000

heap

page read and write

4B51000

heap

page read and write

4B51000

heap

page read and write

361E000

stack

page read and write

371F000

stack

page read and write

489F000

stack

page read and write

11F6000

heap

page read and write

4B40000

direct allocation

page read and write

44DF000

stack

page read and write

7F6000

unkown

page execute and read and write

4CD000

unkown

page execute and read and write

DA0000

heap

page read and write

54C000

unkown

page execute and read and write

4B51000

heap

page read and write

4B40000

direct allocation

page read and write

415E000

stack

page read and write

4B51000

heap

page read and write

4B51000

heap

page read and write

4FE0000

direct allocation

page read and write

3EDE000

stack

page read and write

4B51000

heap

page read and write

11E1000

heap

page read and write

321000

unkown

page execute and write copy

475F000

stack

page read and write

4B51000

heap

page read and write

1D853000

heap

page read and write

4B51000

heap

page read and write

39DE000

stack

page read and write

4B50000

heap

page read and write

461F000

stack

page read and write

4B51000

heap

page read and write

1D44D000

stack

page read and write

4A7000

unkown

page execute and read and write

4C50000

trusted library allocation

page read and write

4B51000

heap

page read and write

3E4000

unkown

page execute and read and write

4B51000

heap

page read and write

1CF5E000

stack

page read and write

2E4F000

stack

page read and write

4B51000

heap

page read and write

113E000

stack

page read and write

119A000

heap

page read and write

4B51000

heap

page read and write

325E000

stack

page read and write

4B40000

direct allocation

page read and write

4B51000

heap

page read and write

4B51000

heap

page read and write

465E000

stack

page read and write

4B51000

heap

page read and write

5160000

direct allocation

page execute and read and write

4B51000

heap

page read and write

375E000

stack

page read and write

4B40000

direct allocation

page read and write

2EDB000

heap

page read and write

339E000

stack

page read and write

4B40000

direct allocation

page read and write

1D19F000

stack

page read and write

3D9E000

stack

page read and write

7DF000

unkown

page execute and read and write

4B51000

heap

page read and write

401E000

stack

page read and write

451E000

stack

page read and write

399F000

stack

page read and write

425E000

stack

page read and write

4B51000

heap

page read and write

4B51000

heap

page read and write

5170000

direct allocation

page execute and read and write

1CF1F000

stack

page read and write

4B51000

heap

page read and write

1180000

heap

page read and write

1D850000

trusted library allocation

page read and write

4B40000

direct allocation

page read and write

1D05F000

stack

page read and write

5180000

direct allocation

page execute and read and write

3FDF000

stack

page read and write

4B65000

heap

page read and write

4B51000

heap

page read and write

12D5000

heap

page read and write

4B51000

heap

page read and write

1212000

heap

page read and write

1D1FE000

stack

page read and write

7E7000

unkown

page execute and read and write

429E000

stack

page read and write

4B51000

heap

page read and write

35DF000

stack

page read and write

516E000

stack

page read and write

4B51000

heap

page read and write

5130000

direct allocation

page execute and read and write

4B40000

direct allocation

page read and write

4B51000

heap

page read and write

11E3000

heap

page read and write

There are 209 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
file.exe