Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

CNNuVrT9Dm.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.530606492954654
Filename:	CNNuVrT9Dm.exe
Filesize:	24064
MD5:	4e5a132f843257037445628396c656b9
SHA1:	378c17d0f6ed512dbe5a43cd565549a80808bd62
SHA256:	e2c457f18c1063a235f962572ee6f6d49ddfbeba92599470b94b5fa2c3c237e1
SHA512:	8252a3a38a0fe038ba06830d3c703ea93828ebca045b4f465669798cef515910239eb16e9c36b4a7ab114ac15fbc7538a92b31ff578f4cc6f7635e7fc24d6d9c
SSDEEP:	384:Vk8aSyS9gB3Y1KIay2X8cLZI6XgxsGJVPpmRvR6JZlbw8hqIusZzZIo8:N589tXvRpcnur
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................V...........t... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Access Token Manipulation Software Packing
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Creates autostart registry keys with suspicious names	Boot Survival	Access Token Manipulation
Disables zone checking for all users	Lowering of HIPS / PFW / Operating System Security Settings	Access Token Manipulation
Drops PE files to the startup folder	Boot Survival	Registry Run Keys / Startup Folder Access Token Manipulation
Machine Learning detection for sample	AV Detection
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings
Protects its processes via BreakOnTermination flag	Operating System Destruction
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Access Token Manipulation Disable or Modify Tools
Abnormal high CPU Usage	System Summary	Access Token Manipulation
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains functionality to call native functions	System Summary
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a start menu entry (Start Menu\Programs\Startup)	Boot Survival	Access Token Manipulation
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Stores files to the Windows start menu directory	Boot Survival	Ingress Tool Transfer
Uses 32bit PE files	Compliance, System Summary	Masquerading
Yara signature match	System Summary
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates an autostart registry key	Boot Survival	Access Token Manipulation
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging
Creates mutexes	System Summary	Access Token Manipulation
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses new MSVCR Dlls	Compliance, System Summary	Access Token Manipulation
Uses Microsoft Silverlight	System Summary	Access Token Manipulation

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\CNNuVrT9Dm.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\CNNuVrT9Dm.exe.log
Category:	dropped
Dump:	CNNuVrT9Dm.exe.log.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Users\user\Desktop\CNNuVrT9Dm.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.259753436570609
Encrypted:	false
Ssdeep:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
Size:	525
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09df2bd777d1a884c3a89c8a9ba5e4a2.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09df2bd777d1a884c3a89c8a9ba5e4a2.exe
Category:	dropped
Dump:	09df2bd777d1a884c3a89c8a9ba5e4a2.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\CNNuVrT9Dm.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.530606492954654
Encrypted:	false
Ssdeep:	384:Vk8aSyS9gB3Y1KIay2X8cLZI6XgxsGJVPpmRvR6JZlbw8hqIusZzZIo8:N589tXvRpcnur
Size:	24064
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Drops PE files to the startup folder	Boot Survival	Registry Run Keys / Startup Folder
Machine Learning detection for dropped file	AV Detection
Creates a start menu entry (Start Menu\Programs\Startup)	Boot Survival	Registry Run Keys / Startup Folder
Drops PE files	Persistence and Installation Behavior
Sigma detected: Startup Folder File Write	System Summary
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09df2bd777d1a884c3a89c8a9ba5e4a2.exe:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09df2bd777d1a884c3a89c8a9ba5e4a2.exe:Zone.Identifier
Category:	dropped
Dump:	09df2bd777d1a884c3a89c8a9ba5e4a2.exe_Zone.Identifier.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\CNNuVrT9Dm.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Machine Learning detection for dropped file	AV Detection

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Windows\SysWOW64\netsh.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.971939296804078
Encrypted:	false
Ssdeep:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
Size:	313
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\CNNuVrT9Dm.exe

"C:\Users\user\Desktop\CNNuVrT9Dm.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6240
Target ID:	0
Parent PID:	2580
Name:	CNNuVrT9Dm.exe
Path:	C:\Users\user\Desktop\CNNuVrT9Dm.exe
Commandline:	"C:\Users\user\Desktop\CNNuVrT9Dm.exe"
Size:	24064
MD5:	4E5A132F843257037445628396C656B9
Time:	06:46:53
Date:	27/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xbe0000
Modulesize:	49152
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Startup Folder File Write	System Summary
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\user\Desktop\CNNuVrT9Dm.exe" "CNNuVrT9Dm.exe" ENABLE

Details

Is windows:	true
Is dropped:	false
PID:	5808
Target ID:	1
Parent PID:	6240
Name:	netsh.exe
Path:	C:\Windows\SysWOW64\netsh.exe
Commandline:	netsh firewall add allowedprogram "C:\Users\user\Desktop\CNNuVrT9Dm.exe" "CNNuVrT9Dm.exe" ENABLE
Size:	82432
MD5:	4E89A1A088BE715D6C946E55AB07C7DF
Time:	06:46:59
Date:	27/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1560000
Modulesize:	122880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Spawns processes	System Summary	Process Injection

C:\Users\user\Desktop\CNNuVrT9Dm.exe

"C:\Users\user\Desktop\CNNuVrT9Dm.exe" ..

Details

Is windows:	false
Is dropped:	false
PID:	1800
Target ID:	4
Parent PID:	2580
Name:	CNNuVrT9Dm.exe
Path:	C:\Users\user\Desktop\CNNuVrT9Dm.exe
Commandline:	"C:\Users\user\Desktop\CNNuVrT9Dm.exe" ..
Size:	24064
MD5:	4E5A132F843257037445628396C656B9
Time:	06:47:12
Date:	27/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x940000
Modulesize:	49152
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Startup Folder File Write	System Summary
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\CNNuVrT9Dm.exe

"C:\Users\user\Desktop\CNNuVrT9Dm.exe" ..

Details

Is windows:	false
Is dropped:	false
PID:	6104
Target ID:	7
Parent PID:	2580
Name:	CNNuVrT9Dm.exe
Path:	C:\Users\user\Desktop\CNNuVrT9Dm.exe
Commandline:	"C:\Users\user\Desktop\CNNuVrT9Dm.exe" ..
Size:	24064
MD5:	4E5A132F843257037445628396C656B9
Time:	06:47:20
Date:	27/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0xb10000
Modulesize:	49152
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Startup Folder File Write	System Summary
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4960
Target ID:	2
Parent PID:	5808
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	06:46:59
Date:	27/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Domains

Name

Malicious

steam.buy-nitro.ru

176.109.107.2

Details

Name:	steam.buy-nitro.ru
IP:	176.109.107.2
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

176.109.107.2

steam.buy-nitro.ru

Russian Federation

Details

IP:	176.109.107.2
TargetID:	0
Current Path:	C:\Users\user\Desktop\CNNuVrT9Dm.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	49342
ASN name:	SPEEDYLINERU
Private:	false
Domain:	steam.buy-nitro.ru

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_CURRENT_USER

Details

TargetID:	0
Path:	HKEY_CURRENT_USER
Value name:	di
Value data:	!

Signature Hits	Behavior Group	Mitre Attack
Creates autostart registry keys with suspicious names	Boot Survival	Registry Run Keys / Startup Folder
Disables zone checking for all users	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Reads software policies	System Summary	System Information Discovery

HKEY_CURRENT_USER\Environment

SEE_MASK_NOZONECHECKS

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

09df2bd777d1a884c3a89c8a9ba5e4a2

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	09df2bd777d1a884c3a89c8a9ba5e4a2
Value data:	"C:\Users\user\Desktop\CNNuVrT9Dm.exe" ..

Signature Hits	Behavior Group	Mitre Attack
Creates autostart registry keys with suspicious names	Boot Survival	Registry Run Keys / Startup Folder
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run

09df2bd777d1a884c3a89c8a9ba5e4a2

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Value name:	09df2bd777d1a884c3a89c8a9ba5e4a2
Value data:	"C:\Users\user\Desktop\CNNuVrT9Dm.exe" ..

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

HKEY_CURRENT_USER\SOFTWARE\09df2bd777d1a884c3a89c8a9ba5e4a2

[kl]

HKEY_CURRENT_USER\SOFTWARE\09df2bd777d1a884c3a89c8a9ba5e4a2

[kl]

Memdumps

Base Address

Regiontype

Protect

Malicious

3231000

trusted library allocation

page read and write

BE2000

unkown

page readonly

621000

heap

page read and write

570000

heap

page read and write

5D6000

heap

page read and write

12FF000

stack

page read and write

5C8000

heap

page read and write

151B000

trusted library allocation

page execute and read and write

1120000

heap

page read and write

6A5000

heap

page read and write

EC0000

heap

page read and write

14E0000

trusted library allocation

page read and write

595000

heap

page read and write

641000

heap

page read and write

5AD000

heap

page read and write

14E7000

trusted library allocation

page execute and read and write

555F000

stack

page read and write

594000

heap

page read and write

599000

heap

page read and write

11BE000

stack

page read and write

14C2000

trusted library allocation

page execute and read and write

59D000

heap

page read and write

11D0000

heap

page read and write

14D2000

trusted library allocation

page execute and read and write

5C2000

heap

page read and write

601000

heap

page read and write

5DB000

heap

page read and write

588000

heap

page read and write

602000

heap

page read and write

EF9000

stack

page read and write

51EE000

stack

page read and write

645000

heap

page read and write

53CE000

stack

page read and write

F60000

heap

page read and write

650000

heap

page read and write

1312000

trusted library allocation

page execute and read and write

4D19000

heap

page read and write

10D0000

trusted library allocation

page read and write

5A0000

heap

page read and write

121E000

stack

page read and write

59A0000

trusted library allocation

page execute and read and write

624000

heap

page read and write

132B000

trusted library allocation

page execute and read and write

FC5000

heap

page read and write

4D11000

heap

page read and write

1700000

trusted library allocation

page read and write

594000

heap

page read and write

5450000

heap

page read and write

F60000

heap

page read and write

DC6000

heap

page read and write

58E000

heap

page read and write

348F000

trusted library allocation

page read and write

595000

heap

page read and write

621000

heap

page read and write

5C2000

heap

page read and write

59C000

heap

page read and write

17D0000

heap

page execute and read and write

F30000

heap

page read and write

547E000

stack

page read and write

59E000

heap

page read and write

5C6000

heap

page read and write

1142000

trusted library allocation

page execute and read and write

16C0000

trusted library allocation

page read and write

5DE000

heap

page read and write

5DB000

heap

page read and write

1177000

trusted library allocation

page execute and read and write

3FC4000

trusted library allocation

page read and write

59A000

heap

page read and write

150A000

trusted library allocation

page execute and read and write

515E000

stack

page read and write

5D9000

heap

page read and write

5AD000

heap

page read and write

64E000

heap

page read and write

5590000

trusted library allocation

page read and write

100E000

heap

page read and write

5BE0000

heap

page read and write

589E000

stack

page read and write

170F000

trusted library allocation

page read and write

920000

heap

page read and write

1740000

trusted library allocation

page read and write

4C8F000

stack

page read and write

54AB000

stack

page read and write

4D0C000

heap

page read and write

5BF000

heap

page read and write

5E0000

heap

page read and write

59D0000

heap

page read and write

D40000

heap

page read and write

5AD000

heap

page read and write

649000

heap

page read and write

1616000

heap

page read and write

186F000

stack

page read and write

10F0000

trusted library allocation

page read and write

601000

heap

page read and write

53DE000

stack

page read and write

5BF000

heap

page read and write

649000

heap

page read and write

1108000

heap

page read and write

14F0000

heap

page read and write

155E000

stack

page read and write

1570000

heap

page read and write

5C3000

heap

page read and write

EC5000

heap

page read and write

15CC000

stack

page read and write

624000

heap

page read and write

645000

heap

page read and write

F5E000

stack

page read and write

FC0000

heap

page read and write

5AC000

heap

page read and write

55C0000

unclassified section

page read and write

557E000

stack

page read and write

5C3000

heap

page read and write

14D0000

trusted library allocation

page read and write

16FE000

stack

page read and write

2EEF000

stack

page read and write

1512000

trusted library allocation

page read and write

16D0000

heap

page read and write

4D1A000

heap

page read and write

17C0000

trusted library allocation

page execute and read and write

59E000

heap

page read and write

1510000

trusted library allocation

page read and write

585000

heap

page read and write

546C000

stack

page read and write

5DC000

heap

page read and write

4D0D000

heap

page read and write

A06000

heap

page read and write

5DF000

heap

page read and write

5CF000

heap

page read and write

579E000

stack

page read and write

4D15000

heap

page read and write

526E000

stack

page read and write

1136000

heap

page read and write

FF0000

heap

page read and write

5AD000

heap

page read and write

D8E000

stack

page read and write

136E000

stack

page read and write

87E000

unkown

page read and write

4D0C000

heap

page read and write

4131000

trusted library allocation

page read and write

5AD000

heap

page read and write

59E000

heap

page read and write

3131000

trusted library allocation

page read and write

5A9000

heap

page read and write

1162000

trusted library allocation

page execute and read and write

14DF000

stack

page read and write

14E0000

heap

page read and write

19B000

stack

page read and write

5CF000

heap

page read and write

4D18000

heap

page read and write

1380000

heap

page execute and read and write

F76000

stack

page read and write

575E000

stack

page read and write

2DEF000

stack

page read and write

14CA000

trusted library allocation

page execute and read and write

1123000

heap

page read and write

522E000

stack

page read and write

5A7000

heap

page read and write

FE0000

heap

page read and write

541E000

stack

page read and write

152E000

stack

page read and write

595000

heap

page read and write

4D15000

heap

page read and write

597000

heap

page read and write

602000

heap

page read and write

116E000

stack

page read and write

4D19000

heap

page read and write

4D00000

heap

page read and write

5D4000

heap

page read and write

5DC000

heap

page read and write

FAE000

stack

page read and write

5A0000

heap

page read and write

5CB000

heap

page read and write

5C0000

heap

page read and write

11A0000

heap

page read and write

99D000

stack

page read and write

10DE000

stack

page read and write

4EE000

stack

page read and write

1610000

heap

page read and write

52D0000

trusted library allocation

page execute and read and write

4D0C000

heap

page read and write

14EE000

stack

page read and write

10FC000

trusted library allocation

page execute and read and write

EF6000

stack

page read and write

13CE000

stack

page read and write

1510000

heap

page read and write

55A000

heap

page read and write

DAE000

heap

page read and write

64E000

heap

page read and write

1130000

heap

page read and write

5C2000

heap

page read and write

648000

heap

page read and write

5DB000

heap

page read and write

10F6000

trusted library allocation

page execute and read and write

5CA000

heap

page read and write

565E000

stack

page read and write

5CB000

heap

page read and write

5CE0000

heap

page read and write

1517000

trusted library allocation

page execute and read and write

5BD0000

heap

page read and write

5B20000

heap

page read and write

56BE000

stack

page read and write

55B0000

heap

page read and write

562000

heap

page read and write

4D17000

heap

page read and write

BAB000

stack

page read and write

649000

heap

page read and write

4257000

trusted library allocation

page read and write

4CE1000

heap

page read and write

D98000

heap

page read and write

1502000

trusted library allocation

page execute and read and write

5DB000

heap

page read and write

CF6000

stack

page read and write

5A0000

heap

page read and write

5AE000

heap

page read and write

5529000

stack

page read and write

10F2000

trusted library allocation

page execute and read and write

5D4000

heap

page read and write

59A000

heap

page read and write

594000

heap

page read and write

64A000

heap

page read and write

5350000

trusted library allocation

page read and write

5A4000

heap

page read and write

A00000

heap

page read and write

5DE000

heap

page read and write

565000

heap

page read and write

1000000

heap

page read and write

59A000

heap

page read and write

643000

heap

page read and write

595000

heap

page read and write

4A8E000

stack

page read and write

E7A000

stack

page read and write

1320000

trusted library allocation

page read and write

570000

heap

page read and write

642000

heap

page read and write

5CF000

heap

page read and write

624000

heap

page read and write

5BF000

heap

page read and write

4CE0000

heap

page read and write

5D8000

heap

page read and write

550000

heap

page read and write

D90000

heap

page read and write

2FC1000

trusted library allocation

page read and write

7F9C0000

trusted library allocation

page execute and read and write

5A9000

heap

page read and write

10AA000

heap

page read and write

4D0C000

heap

page read and write

1078000

heap

page read and write

4FB000

stack

page read and write

117B000

trusted library allocation

page execute and read and write

5CA000

heap

page read and write

59A000

heap

page read and write

4A90000

heap

page read and write

5AB000

heap

page read and write

5238000

trusted library allocation

page read and write

1260000

heap

page execute and read and write

1710000

trusted library allocation

page execute and read and write

601000

heap

page read and write

4D0D000

heap

page read and write

537E000

stack

page read and write

1170000

trusted library allocation

page read and write

570000

heap

page read and write

111D000

heap

page read and write

4D13000

heap

page read and write

4F4000

stack

page read and write

52CF000

stack

page read and write

5DB000

heap

page read and write

59D000

heap

page read and write

5D2000

heap

page read and write

660000

heap

page read and write

E9F000

stack

page read and write

116F000

heap

page read and write

1190000

trusted library allocation

page read and write

64C000

heap

page read and write

4D0C000

heap

page read and write

F10000

heap

page read and write

5420000

trusted library allocation

page read and write

103F000

heap

page read and write

4D01000

heap

page read and write

5AC000

heap

page read and write

1120000

heap

page read and write

5C8000

heap

page read and write

649000

heap

page read and write

643000

heap

page read and write

1100000

trusted library allocation

page read and write

5CB000

heap

page read and write

4D11000

heap

page read and write

54E000

unkown

page read and write

1600000

trusted library allocation

page execute and read and write

1008000

heap

page read and write

4D0E000

heap

page read and write

13D0000

heap

page read and write

11A5000

heap

page read and write

4D07000

heap

page read and write

1146000

trusted library allocation

page execute and read and write

4D0C000

heap

page read and write

54EC000

stack

page read and write

4D0C000

heap

page read and write

58F000

heap

page read and write

3FC1000

trusted library allocation

page read and write

14DA000

trusted library allocation

page execute and read and write

6A0000

heap

page read and write

1327000

trusted library allocation

page execute and read and write

5270000

heap

page read and write

55B3000

heap

page read and write

14EA000

trusted library allocation

page execute and read and write

137E000

stack

page read and write

15F0000

trusted library allocation

page read and write

E90000

heap

page read and write

109F000

stack

page read and write

10E2000

trusted library allocation

page execute and read and write

114C000

trusted library allocation

page execute and read and write

5E0000

heap

page read and write

1220000

heap

page read and write

59C000

heap

page read and write

BE0000

unkown

page readonly

1100000

heap

page read and write

641000

heap

page read and write

10EA000

trusted library allocation

page execute and read and write

4FE000

stack

page read and write

5A9000

heap

page read and write

4231000

trusted library allocation

page read and write

4D02000

heap

page read and write

16CF000

trusted library allocation

page read and write

5A7000

heap

page read and write

5D8000

heap

page read and write

4134000

trusted library allocation

page read and write

55BE000

stack

page read and write

59A000

heap

page read and write

9DB000

stack

page read and write

643000

heap

page read and write

111A000

trusted library allocation

page execute and read and write

1112000

trusted library allocation

page execute and read and write

539E000

stack

page read and write

5E0000

heap

page read and write

500000

heap

page read and write

1140000

trusted library allocation

page read and write

There are 325 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
CNNuVrT9Dm.exe

Files

Processes

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportCNNuVrT9Dm.exe

Files

Processes

Domains

IPs

Registry

Memdumps

IOC Report
CNNuVrT9Dm.exe