Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

XCS1lNZ26O.exe

PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	1.3150665040622804
Filename:	XCS1lNZ26O.exe
Filesize:	4384832
MD5:	81b91fcc443627c1f93f38451cd55079
SHA1:	45678692d8ae0e7398d99ff14089ca286b4d0d4c
SHA256:	af93dec8d543cfcb877a0d511e995e6988519f21174c63f2bfd623495f34cbc9
SHA512:	a3b5d646de324a5d1e9d06aa9f02daef8c076660155f252f96a14c26886379c28a5d4c8a46cac843e21d53bddc535e3f256c7423e885fc8929649768f5b88d74
SSDEEP:	1536:56OKjiCxtfTRVp/G/3W9hKBJjAqQCe1nwdsmZ45TT4MZ1zztxZ:EjjnRVJogh4ydDeuw49T4KzpxZ
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....u............"...0...A..,........... .....@..... ........................C.......C...`...@......@............... .....

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
PE / OLE file has an invalid certificate	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XCS1lNZ26O.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XCS1lNZ26O.exe.log
Category:	dropped
Dump:	XCS1lNZ26O.exe.log.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\XCS1lNZ26O.exe
Type:	CSV text
Entropy:	5.389928136181357
Encrypted:	false
Ssdeep:	24:ML9E4KQwKDE4KGKZI6Kh6+84xp3/Vcll1qE4GIs0E4KD:MxHKQwYHKGSI6o6+vxp3/ell1qHGIs0K
Size:	1088
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE / OLE file has an invalid certificate	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file does not import any functions	System Summary
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Microsoft\MyApp.exe

PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\MyApp.exe
Category:	dropped
Dump:	MyApp.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\XCS1lNZ26O.exe
Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	1.3150665040622804
Encrypted:	false
Ssdeep:	1536:56OKjiCxtfTRVp/G/3W9hKBJjAqQCe1nwdsmZ45TT4MZ1zztxZ:EjjnRVJogh4ydDeuw49T4KzpxZ
Size:	4384832
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for dropped file	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a start menu entry (Start Menu\Programs\Startup)	Boot Survival	Registry Run Keys / Startup Folder
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Startup Folder File Write	System Summary
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Microsoft\MyApp.exe:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\MyApp.exe:Zone.Identifier
Category:	dropped
Dump:	MyApp.exe_Zone.Identifier.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\XCS1lNZ26O.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for dropped file	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a start menu entry (Start Menu\Programs\Startup)	Boot Survival	Registry Run Keys / Startup Folder
Enables debug privileges	Anti Debugging
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MyApp.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MyApp.exe.log
Category:	dropped
Dump:	MyApp.exe.log.5.dr
ID:	dr_4
Target ID:	5
Process:	C:\Users\user\AppData\Local\Microsoft\MyApp.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.390238876397219
Encrypted:	false
Ssdeep:	24:ML9E4KQwKDE4KGKZI6Kh6+84xp3/Vcll1qE4GIs0E4KRLE4qE4j:MxHKQwYHKGSI6o6+vxp3/ell1qHGIs0D
Size:	1268
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AnyDesk.lnk

MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AnyDesk.lnk
Category:	dropped
Dump:	AnyDesk.lnk.5.dr
ID:	dr_3
Target ID:	5
Process:	C:\Users\user\AppData\Local\Microsoft\MyApp.exe
Type:	MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized
Entropy:	3.3153320316747497
Encrypted:	false
Ssdeep:	12:8AlXFm/3BVSXvk44X3ojsqzKtnWNjW+UcCsvXfrUMMlWlhf2iTEEtAkMAAiNL4tK:8A4/BHYVKVWA+/CWvrUMkWDnECx5qy
Size:	1118
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates a start menu entry (Start Menu\Programs\Startup)	Boot Survival	Registry Run Keys / Startup Folder
Sigma detected: Startup Folder File Write	System Summary
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\XCS1lNZ26O.exe

"C:\Users\user\Desktop\XCS1lNZ26O.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4268
Target ID:	0
Parent PID:	2580
Name:	XCS1lNZ26O.exe
Path:	C:\Users\user\Desktop\XCS1lNZ26O.exe
Commandline:	"C:\Users\user\Desktop\XCS1lNZ26O.exe"
Size:	4384832
MD5:	81B91FCC443627C1F93F38451CD55079
Time:	01:12:02
Date:	30/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x28714700000
Modulesize:	4390912
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE / OLE file has an invalid certificate	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Microsoft\MyApp.exe

"C:\Users\user\AppData\Local\Microsoft\MyApp.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7100
Target ID:	5
Parent PID:	4268
Name:	MyApp.exe
Path:	C:\Users\user\AppData\Local\Microsoft\MyApp.exe
Commandline:	"C:\Users\user\AppData\Local\Microsoft\MyApp.exe"
Size:	4384832
MD5:	81B91FCC443627C1F93F38451CD55079
Time:	01:13:04
Date:	30/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x2a3eb300000
Modulesize:	4390912
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected AsyncRAT	Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings	Scheduled Task/Job Obfuscated Files or Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Startup Folder File Write	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6740
Target ID:	7
Parent PID:	7100
Name:	cvtres.exe
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
Size:	46832
MD5:	70D838A7DC5B359C3F938A71FAD77DB0
Time:	01:14:05
Date:	30/09/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xe00000
Modulesize:	45056
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AsyncRAT	Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings	Scheduled Task/Job Obfuscated Files or Information
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

dox2025.serveirc.com

Details

Name:	dox2025.serveirc.com
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\XCS1lNZ26O.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

Domains

Name

Malicious

198.187.3.20.in-addr.arpa

unknown

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\AnyDesk

AnyDesk

Memdumps

Base Address

Regiontype

Protect

Malicious

402000

remote allocation

page execute and read and write

2A3801BB000

trusted library allocation

page read and write

2A380001000

trusted library allocation

page read and write

7FFD9B890000

trusted library allocation

page execute and read and write

7FFD9B773000

trusted library allocation

page execute and read and write

2A391033000

trusted library allocation

page read and write

2A391B75000

trusted library allocation

page read and write

7FFD9B910000

trusted library allocation

page read and write

7FFD9B806000

trusted library allocation

page read and write

F28B3FF000

stack

page read and write

28714D4E000

heap

page read and write

E0045FD000

stack

page read and write

496E000

stack

page read and write

28728110000

trusted library allocation

page read and write

28714B06000

unkown

page readonly

7FFD9B870000

trusted library allocation

page execute and read and write

2A39175F000

trusted library allocation

page read and write

C20000

trusted library allocation

page read and write

E0065FF000

stack

page read and write

28716C2B000

trusted library allocation

page read and write

2A391342000

trusted library allocation

page read and write

7FFD9B79B000

trusted library allocation

page execute and read and write

7FFD9B8F0000

trusted library allocation

page read and write

28727AE7000

trusted library allocation

page read and write

E0049FE000

stack

page read and write

28726DCB000

trusted library allocation

page read and write

E0061FE000

stack

page read and write

2A39051E000

trusted library allocation

page read and write

2872F170000

heap

page read and write

2A3EB9E0000

heap

page read and write

10B0000

heap

page read and write

2A380549000

trusted library allocation

page read and write

28727EFE000

trusted library allocation

page read and write

28714C90000

heap

page read and write

2A391E7F000

trusted library allocation

page read and write

7FFD9B940000

trusted library allocation

page read and write

2A3EB890000

heap

page read and write

2872EFF0000

heap

page execute and read and write

2872EE70000

trusted library section

page read and write

F28B7FE000

stack

page read and write

4CEE000

stack

page read and write

28727DFF000

trusted library allocation

page read and write

2A391A70000

trusted library allocation

page read and write

2A390420000

trusted library allocation

page read and write

F28C3FF000

stack

page read and write

C40000

heap

page read and write

2A380567000

trusted library allocation

page read and write

2A390D27000

trusted library allocation

page read and write

F28CFFF000

stack

page read and write

7FFD9B92D000

trusted library allocation

page read and write

2872E6D0000

trusted library allocation

page read and write

287271BC000

trusted library allocation

page read and write

4E2E000

stack

page read and write

9E0000

heap

page read and write

28714AFE000

unkown

page readonly

287166A1000

trusted library allocation

page read and write

2A390464000

trusted library allocation

page read and write

F28BBFD000

stack

page read and write

28714CBD000

heap

page read and write

BF0000

trusted library allocation

page execute and read and write

7FFD9B810000

trusted library allocation

page execute and read and write

28714E55000

heap

page read and write

2A3EDDC0000

heap

page read and write

BC0000

heap

page read and write

2A390001000

trusted library allocation

page read and write

B0E000

stack

page read and write

28726DC9000

trusted library allocation

page read and write

AC5000

heap

page read and write

28728210000

trusted library allocation

page read and write

C10000

trusted library allocation

page read and write

7FFD9B910000

trusted library allocation

page read and write

7FFD9B750000

trusted library allocation

page read and write

2A3EBA95000

heap

page read and write

C19000

trusted library allocation

page read and write

B90000

trusted library allocation

page read and write

28726FAA000

trusted library allocation

page read and write

2A3923A2000

trusted library allocation

page read and write

2A391D81000

trusted library allocation

page read and write

7FFD9B780000

trusted library allocation

page read and write

27D1000

trusted library allocation

page read and write

28716BF4000

trusted library allocation

page read and write

D7E000

stack

page read and write

2A391031000

trusted library allocation

page read and write

C20000

trusted library allocation

page read and write

2A3924A1000

trusted library allocation

page read and write

28726AA3000

trusted library allocation

page read and write

DBD000

stack

page read and write

7FFD9B790000

trusted library allocation

page read and write

28728256000

trusted library allocation

page read and write

28714CD0000

heap

page read and write

2A3801CF000

trusted library allocation

page read and write

2A390520000

trusted library allocation

page read and write

B84000

trusted library allocation

page read and write

2872EA24000

heap

page read and write

7FFD9B77D000

trusted library allocation

page execute and read and write

2871483A000

unkown

page readonly

2A3EB7B0000

heap

page read and write

2A3EBA20000

trusted library allocation

page read and write

2A390B1C000

trusted library allocation

page read and write

F28C7FF000

stack

page read and write

28714DD0000

heap

page read and write

7FFD9B943000

trusted library allocation

page read and write

28716BE4000

trusted library allocation

page read and write

28714DB0000

heap

page read and write

7FFD9B836000

trusted library allocation

page execute and read and write

2A3EB909000

heap

page read and write

28714702000

unkown

page readonly

2A3EB8B0000

heap

page read and write

2A392192000

trusted library allocation

page read and write

C91000

heap

page read and write

2A38050B000

trusted library allocation

page read and write

2A392190000

trusted library allocation

page read and write

28714CBB000

heap

page read and write

2A3EB922000

heap

page read and write

2A380509000

trusted library allocation

page read and write

2A3EB94F000

heap

page read and write

28727BEF000

trusted library allocation

page read and write

2A3EBB70000

heap

page execute and read and write

28716C1D000

trusted library allocation

page read and write

28714EF0000

heap

page read and write

2872EEEF000

heap

page read and write

7FFD9B856000

trusted library allocation

page execute and read and write

2A390423000

trusted library allocation

page read and write

2A3ED360000

trusted library allocation

page read and write

28714EE0000

heap

page read and write

28726AAB000

trusted library allocation

page read and write

2A390F32000

trusted library allocation

page read and write

7FFD9B820000

trusted library allocation

page read and write

28726EA9000

trusted library allocation

page read and write

4F4E000

stack

page read and write

7FFD9B7AC000

trusted library allocation

page execute and read and write

2A3EDE01000

heap

page read and write

F0F000

stack

page read and write

28714CC1000

heap

page read and write

B30000

heap

page read and write

B83000

trusted library allocation

page execute and read and write

28714700000

unkown

page readonly

C77000

heap

page read and write

2A3805A6000

trusted library allocation

page read and write

28714CFC000

heap

page read and write

7FFD9B800000

trusted library allocation

page read and write

28714BB0000

heap

page read and write

4E40000

heap

page execute and read and write

2A3EB8E0000

heap

page read and write

2A390008000

trusted library allocation

page read and write

7FFD9B830000

trusted library allocation

page execute and read and write

28726CCB000

trusted library allocation

page read and write

7FFD9B754000

trusted library allocation

page read and write

7FFD9B762000

trusted library allocation

page read and write

2A39080B000

trusted library allocation

page read and write

287279E9000

trusted library allocation

page read and write

7FFD9B76D000

trusted library allocation

page execute and read and write

2A380513000

trusted library allocation

page read and write

F28BFF7000

stack

page read and write

37D1000

trusted library allocation

page read and write

7FF444D00000

trusted library allocation

page execute and read and write

C20000

trusted library allocation

page read and write

E0039F2000

stack

page read and write

E0059FF000

stack

page read and write

2A3EBA90000

heap

page read and write

2A3EDCD0000

heap

page execute and read and write

287267DF000

trusted library allocation

page read and write

2A3EB91F000

heap

page read and write

28727AE9000

trusted library allocation

page read and write

2872820E000

trusted library allocation

page read and write

2A380530000

trusted library allocation

page read and write

28714CD3000

heap

page read and write

B94000

trusted library allocation

page read and write

2A3EDDFF000

heap

page read and write

28714B1C000

unkown

page readonly

2A3EB949000

heap

page read and write

7FFD9B82C000

trusted library allocation

page execute and read and write

7FFD9B770000

trusted library allocation

page read and write

2A380520000

trusted library allocation

page read and write

2A380507000

trusted library allocation

page read and write

7FFD9B77B000

trusted library allocation

page execute and read and write

F28D3FD000

stack

page read and write

C5E000

heap

page read and write

287266A8000

trusted library allocation

page read and write

7FFD9B78D000

trusted library allocation

page execute and read and write

7FFD9B753000

trusted library allocation

page execute and read and write

2A380511000

trusted library allocation

page read and write

28714E20000

trusted library allocation

page read and write

28714E50000

heap

page read and write

28726E26000

trusted library allocation

page read and write

87C000

stack

page read and write

F28AFFD000

stack

page read and write

2A390C22000

trusted library allocation

page read and write

2A391E81000

trusted library allocation

page read and write

E005DFE000

stack

page read and write

7FFD9B900000

trusted library allocation

page read and write

7FFD9B7CC000

trusted library allocation

page execute and read and write

28714D90000

heap

page read and write

27CE000

stack

page read and write

28726FAC000

trusted library allocation

page read and write

2A391243000

trusted library allocation

page read and write

2A3EB94B000

heap

page read and write

DD0000

heap

page read and write

2A3EB8E6000

heap

page read and write

28726AC8000

trusted library allocation

page read and write

2A380515000

trusted library allocation

page read and write

287272BC000

trusted library allocation

page read and write

7FFD9B950000

trusted library allocation

page read and write

2A3EB902000

heap

page read and write

E003DFE000

stack

page read and write

7FFD9B752000

trusted library allocation

page read and write

7FFD9B920000

trusted library allocation

page read and write

C6A000

heap

page read and write

7FFD9B75D000

trusted library allocation

page execute and read and write

2A3924A3000

trusted library allocation

page read and write

F28D7FE000

stack

page read and write

7FFD9B774000

trusted library allocation

page read and write

E004DFD000

stack

page read and write

28714C9C000

heap

page read and write

7FFD9B782000

trusted library allocation

page read and write

BBB000

trusted library allocation

page execute and read and write

2A380559000

trusted library allocation

page read and write

C63000

heap

page read and write

400000

remote allocation

page execute and read and write

28727BED000

trusted library allocation

page read and write

287272BA000

trusted library allocation

page read and write

97C000

stack

page read and write

28714CFA000

heap

page read and write

7FFD9B774000

trusted library allocation

page read and write

2A38050D000

trusted library allocation

page read and write

2872EF04000

heap

page read and write

2872EEC9000

heap

page read and write

2A3EBB80000

heap

page read and write

2A391344000

trusted library allocation

page read and write

F28ABF3000

stack

page read and write

28714CC3000

heap

page read and write

28714EA0000

heap

page execute and read and write

2A38050F000

trusted library allocation

page read and write

AC0000

heap

page read and write

2A3EDDB0000

heap

page read and write

2A3EBA80000

heap

page read and write

28727F00000

trusted library allocation

page read and write

2A3ED6B8000

heap

page read and write

B70000

trusted library allocation

page read and write

7FFD9B80C000

trusted library allocation

page execute and read and write

28714D06000

heap

page read and write

2A392092000

trusted library allocation

page read and write

2A3801B2000

trusted library allocation

page read and write

2A390788000

trusted library allocation

page read and write

7FFD9B79D000

trusted library allocation

page execute and read and write

287273C0000

trusted library allocation

page read and write

E0055FE000

stack

page read and write

2872EF12000

heap

page read and write

E0069FB000

stack

page read and write

7FFD9B930000

trusted library allocation

page read and write

7FFD9B949000

trusted library allocation

page read and write

B10000

heap

page read and write

2872EEB0000

trusted library section

page read and write

4DEF000

stack

page read and write

28714E40000

trusted library allocation

page read and write

28714CC5000

heap

page read and write

C00000

heap

page execute and read and write

2A390428000

trusted library allocation

page read and write

2872EEC5000

heap

page read and write

7FFD9B76A000

trusted library allocation

page read and write

287266A1000

trusted library allocation

page read and write

F28CBFE000

stack

page read and write

2A3EBA40000

trusted library allocation

page read and write

2A3EBB85000

heap

page read and write

28714EF5000

heap

page read and write

28714C96000

heap

page read and write

7FFD9B960000

trusted library allocation

page execute and read and write

E0051FD000

stack

page read and write

287273C2000

trusted library allocation

page read and write

C48000

heap

page read and write

2872EEC0000

heap

page read and write

7FFD9B77D000

trusted library allocation

page execute and read and write

7FFD9B760000

trusted library allocation

page read and write

There are 263 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
XCS1lNZ26O.exe

Files

Processes

URLs

Domains

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportXCS1lNZ26O.exe

Files

Processes

URLs

Domains

Registry

Memdumps

IOC Report
XCS1lNZ26O.exe