Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.942546977390624
Filename:	file.exe
Filesize:	1830912
MD5:	69a44afd5f25f695f1e1fe16abf56a39
SHA1:	16db1181ec4d54a1fe2aed1f25a0bd47d53cee72
SHA256:	7f7ab62446251c1fec500e70705d6840c982351dfd8303e0ca5ddf0e40c2f6fc
SHA512:	6424e236f9e1cbbe442c99b7350d5290b828f13dfd3e333b620c843bd39d86069962b3b960124b56861ab5d6b733df3160a521817b556eeb43b0f1903c83d007
SSDEEP:	49152:Gpm+X0eqLNiWI72xmsG/rNE5R+Y8agO2UmJj:Gw7N0yxmsGDNs+Y8K2H
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b...............u^......uk......u_......{v.....fz.......{f..............uZ......uh.....Rich............PE..L...M..f...........

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Hides threads from debuggers	Anti Debugging
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)	Boot Survival
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion
Tries to detect sandboxes and other dynamic analysis tools (window names)	Anti Debugging
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion
Tries to evade debugger and weak emulator (self modifying code)	Malware Analysis System Evasion	System Information Discovery
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Checks for debuggers (devices)	Anti Debugging
Checks if the current process is being debugged	Anti Debugging
Contains capabilities to detect virtual machines	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
One or more processes crash	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Uses 32bit PE files	Compliance, System Summary	Masquerading
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Queries a list of all running drivers	Malware Analysis System Evasion
Queries a list of all running processes	Malware Analysis System Evasion
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_455b5ddbe96ff1fb6e298df1c6cfe599588679_6983241a_cd0d6090-ee71-407c-9713-1cba797ca396\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_455b5ddbe96ff1fb6e298df1c6cfe599588679_6983241a_cd0d6090-ee71-407c-9713-1cba797ca396\Report.wer
Category:	dropped
Dump:	Report.wer.6.dr
ID:	dr_2
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.971582409668952
Encrypted:	false
Ssdeep:	192:QvdLK7UUv4Plh0BU/fI3juCZr+diWzuiFIZ24IO8TVB:KU4NiBU/YjW/zuiFIY4IO8X
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\EHJKJDGCGDAKFHIDBGCBKJEHIE

SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11

dropped

Details

File:	C:\ProgramData\EHJKJDGCGDAKFHIDBGCBKJEHIE
Category:	dropped
Dump:	EHJKJDGCGDAKFHIDBGCBKJEHIE.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Entropy:	2.5793180405395284
Encrypted:	false
Ssdeep:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
Size:	28672
Whitelisted:	false
Reputation:	high

C:\ProgramData\Microsoft\Windows\WER\Temp\WER19B0.tmp.dmp

Mini DuMP crash report, 14 streams, Sun Sep 1 21:04:02 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER19B0.tmp.dmp
Category:	dropped
Dump:	WER19B0.tmp.dmp.6.dr
ID:	dr_4
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Sun Sep 1 21:04:02 2024, 0x1205a4 type
Entropy:	1.4028254967951126
Encrypted:	false
Ssdeep:	384:2YIUI22eEveni+bQK8d3NnKxjwHgl69ZAyBdYG6l1iedu3l/cYM+YZZshgfN:sUIHeEyipK8ddUjwHgsTYFu1kae
Size:	271522
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B67.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B67.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER1B67.tmp.WERInternalMetadata.xml.6.dr
ID:	dr_5
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.702450459318866
Encrypted:	false
Ssdeep:	192:R6l7wVeJGC66X6Y9aSU9q/gmfBHyprHq89by5sfc+Gm:R6lXJI6X6YgSU9ygmfBcySfcW
Size:	8374
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C04.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C04.tmp.xml
Category:	dropped
Dump:	WER1C04.tmp.xml.6.dr
ID:	dr_1
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.474310381861214
Encrypted:	false
Ssdeep:	48:cvIwWl8zsXJg77aI9IrWpW8VYjYm8M4JIqFB6z+q8jfZUyO+7Fd:uIjf5I7aa7VDJzcsZU6Fd
Size:	4594
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.6.dr
ID:	dr_3
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.465312369399602
Encrypted:	false
Ssdeep:	6144:EIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSb3T:5XD94+WlLZMM6YFH1+3T
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2800
Target ID:	0
Parent PID:	2580
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	1830912
MD5:	69A44AFD5F25F695F1E1FE16ABF56A39
Time:	17:02:51
Date:	01/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x860000
Modulesize:	6926336
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected Stealc	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 1544

Details

Is windows:	true
Is dropped:	false
PID:	1908
Target ID:	6
Parent PID:	2800
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 1544
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	17:04:02
Date:	01/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xc10000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://185.215.113.100/e2b1563c6670f193.php

185.215.113.100

http://185.215.113.100/e2b1563c6670f193.phpi

unknown

http://185.215.113.1000d60be0de163924d/sqlite3.dllY2l8MXwwfDB8TWV0YU1hc2t8ZWpiYWxiYWtvcGxjaGxnaGVjZG

unknown

http://185.215.113.100/0d60be0de163924d/sqlite3.dll

185.215.113.100

http://185.215.113.100/0d60be0de163924d/sqlite3.dllk.

unknown

http://185.215.113.100/e2b1563c6670f193.phpo

unknown

http://185.215.113.100/0d60be0de163924d/sqlite3.dllK

unknown

http://185.215.113.100/e2b1563c6670f193.phpion:

unknown

http://185.215.113.100

unknown

http://185.215.113.100/e2b1563c6670f193.phpU

unknown

http://185.215.113.100/e2b1563c6670f193.phpser

unknown

http://185.215.113.100/e2b1563c6670f193.phpZWVta2JnY2l8MXwwfDB8TWV0YU1hc2t8ZWpiYWxiYWtvcGxjaGxnaGVjZ

unknown

http://185.215.1

unknown

http://185.215.113.100/e2b1563c6670f193.php9

unknown

http://185.215.113.100/e2b1563c6670f193.phpinit.exe

unknown

http://185.215.113.100Local

unknown

http://185.215.113.100/0d60be0de163924d/sqlite3.dll1563c6670f193.php1_

unknown

http://185.215.113.100DBG

unknown

http://185.215.113.100/

185.215.113.100

http://185.215.113.100s.exe

unknown

http://185.215.113.100/e2b1563c6670f193.php&

unknown

http://185.215.113.100/e2b1563c6670f193.phpf

unknown

http://185.215.113.100Dm

unknown

http://upx.sf.net

unknown

There are 14 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

185.215.113.100

unknown

Portugal

Details

IP:	185.215.113.100
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	Portugal
Countrycode:	PRT
ASN number:	206894
ASN name:	WHOLESALECONNECTIONSNL
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

\REGISTRY\A\{dc0115cf-9421-8da2-70c0-727e44ac814c}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

ProgramId

\REGISTRY\A\{dc0115cf-9421-8da2-70c0-727e44ac814c}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

FileId

\REGISTRY\A\{dc0115cf-9421-8da2-70c0-727e44ac814c}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

LowerCaseLongPath

\REGISTRY\A\{dc0115cf-9421-8da2-70c0-727e44ac814c}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

LongPathHash

\REGISTRY\A\{dc0115cf-9421-8da2-70c0-727e44ac814c}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

Name

\REGISTRY\A\{dc0115cf-9421-8da2-70c0-727e44ac814c}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

OriginalFileName

\REGISTRY\A\{dc0115cf-9421-8da2-70c0-727e44ac814c}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

Publisher

\REGISTRY\A\{dc0115cf-9421-8da2-70c0-727e44ac814c}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

Version

\REGISTRY\A\{dc0115cf-9421-8da2-70c0-727e44ac814c}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

BinFileVersion

\REGISTRY\A\{dc0115cf-9421-8da2-70c0-727e44ac814c}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

BinaryType

\REGISTRY\A\{dc0115cf-9421-8da2-70c0-727e44ac814c}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

ProductName

\REGISTRY\A\{dc0115cf-9421-8da2-70c0-727e44ac814c}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

ProductVersion

\REGISTRY\A\{dc0115cf-9421-8da2-70c0-727e44ac814c}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

LinkDate

\REGISTRY\A\{dc0115cf-9421-8da2-70c0-727e44ac814c}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

BinProductVersion

\REGISTRY\A\{dc0115cf-9421-8da2-70c0-727e44ac814c}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

AppxPackageFullName

\REGISTRY\A\{dc0115cf-9421-8da2-70c0-727e44ac814c}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

AppxPackageRelativeId

\REGISTRY\A\{dc0115cf-9421-8da2-70c0-727e44ac814c}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

Size

\REGISTRY\A\{dc0115cf-9421-8da2-70c0-727e44ac814c}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

Language

\REGISTRY\A\{dc0115cf-9421-8da2-70c0-727e44ac814c}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5

Usn

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

ClockTimeSeconds

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

TickCount

There are 11 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

8CA000

unkown

page execute and read and write

136E000

heap

page read and write

49CF000

stack

page read and write

400E000

stack

page read and write

4B0F000

stack

page read and write

14D0000

heap

page read and write

4D91000

heap

page read and write

308F000

stack

page read and write

4D91000

heap

page read and write

534F000

stack

page read and write

3110000

direct allocation

page read and write

14D4000

heap

page read and write

4D91000

heap

page read and write

1D3FF000

stack

page read and write

4D91000

heap

page read and write

1360000

heap

page read and write

3147000

heap

page read and write

FE0000

heap

page read and write

4D91000

heap

page read and write

3110000

direct allocation

page read and write

30CB000

stack

page read and write

1D1BE000

stack

page read and write

384F000

stack

page read and write

D4F000

unkown

page execute and read and write

A8C000

unkown

page execute and read and write

324F000

stack

page read and write

4D91000

heap

page read and write

14D4000

heap

page read and write

524C000

stack

page read and write

4D91000

heap

page read and write

3E8F000

stack

page read and write

4E90000

trusted library allocation

page read and write

4D91000

heap

page read and write

338E000

stack

page read and write

14D4000

heap

page read and write

4D91000

heap

page read and write

4C4F000

stack

page read and write

4D91000

heap

page read and write

5350000

direct allocation

page execute and read and write

3ACF000

stack

page read and write

EF7000

unkown

page execute and read and write

1D7CC000

stack

page read and write

14D4000

heap

page read and write

951000

unkown

page execute and read and write

4D91000

heap

page read and write

474F000

stack

page read and write

14D4000

heap

page read and write

428E000

stack

page read and write

14D4000

heap

page read and write

14D4000

heap

page read and write

4D91000

heap

page read and write

14D4000

heap

page read and write

14D4000

heap

page read and write

14D4000

heap

page read and write

4D91000

heap

page read and write

8F3000

unkown

page execute and read and write

3140000

heap

page read and write

388E000

stack

page read and write

2F8E000

stack

page read and write

FF0000

heap

page read and write

1D17F000

stack

page read and write

464E000

stack

page read and write

4D91000

heap

page read and write

4D91000

heap

page read and write

310E000

stack

page read and write

861000

unkown

page execute and write copy

4D91000

heap

page read and write

4C8E000

stack

page read and write

53A0000

direct allocation

page execute and read and write

13B1000

heap

page read and write

4D91000

heap

page read and write

13C7000

heap

page read and write

478E000

stack

page read and write

4D91000

heap

page read and write

14D4000

heap

page read and write

4D91000

heap

page read and write

3110000

direct allocation

page read and write

1D830000

heap

page read and write

5210000

direct allocation

page read and write

1D53F000

stack

page read and write

4D91000

heap

page read and write

4D91000

heap

page read and write

4D91000

heap

page read and write

A0D000

unkown

page execute and read and write

1368000

heap

page read and write

12F5000

stack

page read and write

424F000

stack

page read and write

4D91000

heap

page read and write

314B000

heap

page read and write

4D91000

heap

page read and write

348F000

stack

page read and write

4D91000

heap

page read and write

D37000

unkown

page execute and read and write

4D91000

heap

page read and write

4D91000

heap

page read and write

1D6CD000

stack

page read and write

4D91000

heap

page read and write

14D4000

heap

page read and write

13E3000

heap

page read and write

AA0000

unkown

page execute and read and write

9E7000

unkown

page execute and read and write

14D4000

heap

page read and write

4D91000

heap

page read and write

3110000

direct allocation

page read and write

4D91000

heap

page read and write

14D4000

heap

page read and write

4D91000

heap

page read and write

3130000

direct allocation

page read and write

1D957000

heap

page read and write

1D832000

heap

page read and write

4D91000

heap

page read and write

EF8000

unkown

page execute and write copy

44CF000

stack

page read and write

4D90000

heap

page read and write

4D91000

heap

page read and write

4D91000

heap

page read and write

5380000

direct allocation

page execute and read and write

3110000

direct allocation

page read and write

14D4000

heap

page read and write

51F0000

heap

page read and write

1419000

heap

page read and write

334F000

stack

page read and write

924000

unkown

page execute and read and write

14D4000

heap

page read and write

14D4000

heap

page read and write

1D2BF000

stack

page read and write

4D91000

heap

page read and write

860000

unkown

page readonly

4D91000

heap

page read and write

14D4000

heap

page read and write

3D8E000

stack

page read and write

374E000

stack

page read and write

F8C000

stack

page read and write

14D4000

heap

page read and write

13B3000

heap

page read and write

4B4E000

stack

page read and write

4D91000

heap

page read and write

95D000

unkown

page execute and read and write

1D950000

trusted library allocation

page read and write

16AF000

stack

page read and write

43CE000

stack

page read and write

D50000

unkown

page execute and write copy

D4F000

unkown

page execute and write copy

3110000

direct allocation

page read and write

14D4000

heap

page read and write

4D91000

heap

page read and write

3C4E000

stack

page read and write

4D91000

heap

page read and write

5380000

direct allocation

page execute and read and write

4DB0000

heap

page read and write

14D4000

heap

page read and write

3110000

direct allocation

page read and write

410F000

stack

page read and write

14D4000

heap

page read and write

4DA0000

heap

page read and write

14D4000

heap

page read and write

4A0E000

stack

page read and write

4D91000

heap

page read and write

360E000

stack

page read and write

931000

unkown

page execute and read and write

4D91000

heap

page read and write

4D91000

heap

page read and write

14D4000

heap

page read and write

8FF000

unkown

page execute and read and write

61E00000

direct allocation

page execute and read and write

4D91000

heap

page read and write

14D4000

heap

page read and write

D40000

unkown

page execute and read and write

488F000

stack

page read and write

4D91000

heap

page read and write

4D91000

heap

page read and write

4D8F000

stack

page read and write

414E000

stack

page read and write

14D4000

heap

page read and write

4D91000

heap

page read and write

1D43E000

stack

page read and write

14D4000

heap

page read and write

135E000

stack

page read and write

3ECE000

stack

page read and write

A07000

unkown

page execute and read and write

35CF000

stack

page read and write

1D58E000

stack

page read and write

4D91000

heap

page read and write

4D91000

heap

page read and write

4D91000

heap

page read and write

48CE000

stack

page read and write

4D91000

heap

page read and write

3110000

direct allocation

page read and write

4D91000

heap

page read and write

861000

unkown

page execute and read and write

3130000

direct allocation

page read and write

1D68E000

stack

page read and write

14D4000

heap

page read and write

398F000

stack

page read and write

1D07E000

stack

page read and write

3110000

direct allocation

page read and write

14D4000

heap

page read and write

4D91000

heap

page read and write

450E000

stack

page read and write

370F000

stack

page read and write

14D4000

heap

page read and write

4D91000

heap

page read and write

3D4F000

stack

page read and write

12FD000

stack

page read and write

C34000

unkown

page execute and read and write

5370000

direct allocation

page execute and read and write

4D91000

heap

page read and write

14D4000

heap

page read and write

3110000

direct allocation

page read and write

3110000

direct allocation

page read and write

14D4000

heap

page read and write

4D91000

heap

page read and write

860000

unkown

page read and write

D12000

unkown

page execute and read and write

34CE000

stack

page read and write

1D2FE000

stack

page read and write

89C000

unkown

page execute and read and write

39CE000

stack

page read and write

14D4000

heap

page read and write

3110000

direct allocation

page read and write

3B0E000

stack

page read and write

4D91000

heap

page read and write

5390000

direct allocation

page execute and read and write

460F000

stack

page read and write

3C0F000

stack

page read and write

14C0000

heap

page read and write

14D4000

heap

page read and write

14D4000

heap

page read and write

14D4000

heap

page read and write

4D91000

heap

page read and write

4D91000

heap

page read and write

3FCF000

stack

page read and write

438F000

stack

page read and write

4D91000

heap

page read and write

4D94000

heap

page read and write

14D4000

heap

page read and write

4D91000

heap

page read and write

3110000

direct allocation

page read and write

3110000

direct allocation

page read and write

There are 229 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
file.exe