Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Set-up.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	2.7843977183147035
Filename:	Set-up.exe
Filesize:	9991168
MD5:	fb481c39ea41b8bd7743bf3a9d730e76
SHA1:	57fb93e92efa53e80fb196d5fbb3717783c54809
SHA256:	ec23c516e7dcc1783530369419e6ce7333a228f4e5209216d70e8489048e3ab4
SHA512:	e96cb92d7025078b552b0078250c696a21ccee97d4391ef9b821a1bbe3f30da25590c2f836bc77bf6017fc97213155a6dd0d27d2bea50e3881f57e451fd7b853
SSDEEP:	49152:k76FrZK4K+1biTX+KZJqe2eO+3nXn0E1Qt5JhGWH/v27LIYoMRBW:fFroh+1biTXNZge
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1N.f...............(.J,..p...............`,...@.......................................@... ......................`..B..

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Drops large PE files	System Summary
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings
Contains capabilities to detect virtual machines	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file contains sections with non-standard names	Data Obfuscation
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection	Native API
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Enumerates the file system	Spreading, Malware Analysis System Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\service123.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\service123.exe
Category:	dropped
Dump:	service123.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Set-up.exe
Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	0.002340573114054652
Encrypted:	false
Size:	314617856
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion	Native API
Found stalling execution ending in API Sleep call	Malware Analysis System Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to register its own exception handler	Anti Debugging
Creates mutexes	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Temp\UwGCIJbIlmBudMOlckMv.dll

PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\UwGCIJbIlmBudMOlckMv.dll
Category:	dropped
Dump:	UwGCIJbIlmBudMOlckMv.dll.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Set-up.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	0.05438264962050686
Encrypted:	false
Ssdeep:	24576:EcPTcBW/JcVKWdJ8ajn0+jUcChQ5d0Wcn/5IfGSVVDpGlBVE:MHC24WcnmfdVd8lBVE
Size:	315803136
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Set-up.exe

"C:\Users\user\Desktop\Set-up.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4816
Target ID:	0
Parent PID:	1028
Name:	Set-up.exe
Path:	C:\Users\user\Desktop\Set-up.exe
Commandline:	"C:\Users\user\Desktop\Set-up.exe"
Size:	9991168
MD5:	FB481C39EA41B8BD7743BF3A9D730E76
Time:	09:17:03
Date:	30/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xea0000
Modulesize:	10018816
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Yara detected Cryptbot	Stealing of Sensitive Information, Remote Access Functionality
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\service123.exe

"C:\Users\user\AppData\Local\Temp\service123.exe"

Details

Is windows:	false
Is dropped:	true
PID:	5440
Target ID:	5
Parent PID:	4816
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\service123.exe"
Size:	314617856
MD5:	6959DF077AFAD94D152558F4AAE964E4
Time:	09:18:05
Date:	30/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x10000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

Details

Is windows:	true
Is dropped:	false
PID:	3780
Target ID:	6
Parent PID:	4816
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\schtasks.exe
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Size:	187904
MD5:	48C2FE20575769DE916F48EF0676A965
Time:	09:18:05
Date:	30/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xa40000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\service123.exe

C:\Users\user\AppData\Local\Temp\/service123.exe

Details

Is windows:	false
Is dropped:	true
PID:	5844
Target ID:	8
Parent PID:	1068
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Size:	314617856
MD5:	6959DF077AFAD94D152558F4AAE964E4
Time:	09:18:08
Date:	30/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x10000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\service123.exe

C:\Users\user\AppData\Local\Temp\/service123.exe

Details

Is windows:	false
Is dropped:	true
PID:	2452
Target ID:	9
Parent PID:	1068
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Size:	314617856
MD5:	6959DF077AFAD94D152558F4AAE964E4
Time:	09:19:02
Date:	30/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x10000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	1888
Target ID:	7
Parent PID:	3780
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	09:18:05
Date:	30/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

twelvevx12vs.top

+twelvevx12vs.top

analforeverlovyu.top

s.top

LRPCtwelvevx12vs.top

@twelvevx12vs.top

upload.phps.top

https://ac.ecosia.org/autocomplete?q=

unknown

https://duckduckgo.com/chrome_newtab

unknown

https://gcc.gnu.org/bugs/):

unknown

https://duckduckgo.com/ac/?q=

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

https://serviceupdate32.com/update

unknown

http://twelvevx12vs.top/O

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://twelvevx12vs.top/G

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

http://twelvevx12vs.top/

unknown

https://www.ecosia.org/newtab/

unknown

http://twelvevx12vs.top/d

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

http://twelvevx12vs.top/?

unknown

http://twelvevx12vs.top/v1/upload.php

unknown

There are 14 hidden URLs, click here to show them.

Domains

Name

Malicious

twelvevx12vs.top

84.38.182.221

Details

Name:	twelvevx12vs.top
IP:	84.38.182.221
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

84.38.182.221

twelvevx12vs.top

Russian Federation

Details

IP:	84.38.182.221
TargetID:	0
Current Path:	C:\Users\user\Desktop\Set-up.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	49505
ASN name:	SELECTELRU
Private:	false
Domain:	twelvevx12vs.top

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

451B000

heap

page read and write

7FD000

stack

page read and write

5FC000

stack

page read and write

928000

heap

page read and write

323E000

unkown

page read and write

3A2E000

heap

page read and write

3ABE000

heap

page read and write

1920000

heap

page read and write

340F000

stack

page read and write

EA1000

unkown

page execute read

1968000

heap

page read and write

DB70000

heap

page read and write

1166000

unkown

page read and write

1983000

heap

page read and write

1983000

heap

page read and write

3ABE000

heap

page read and write

17EA000

unkown

page readonly

176D000

unkown

page read and write

1999000

heap

page read and write

3D0D000

stack

page read and write

11000

unkown

page execute read

1A000

unkown

page readonly

1A000

unkown

page readonly

11000

unkown

page execute read

4B0C000

stack

page read and write

394C000

stack

page read and write

3A91000

heap

page read and write

1050000

heap

page read and write

E5F000

stack

page read and write

17E7000

unkown

page read and write

3AD8000

heap

page read and write

6C468000

unkown

page readonly

1915000

heap

page read and write

E7E000

stack

page read and write

14AC000

unkown

page read and write

152C000

unkown

page read and write

3AC0000

heap

page read and write

1963000

heap

page read and write

1870000

remote allocation

page read and write

14C8000

unkown

page read and write

640000

heap

page read and write

1E000

unkown

page read and write

193A000

heap

page read and write

3A3B000

heap

page read and write

3D0000

heap

page read and write

1983000

heap

page read and write

1963000

heap

page read and write

1910000

heap

page read and write

1E000

unkown

page read and write

327F000

unkown

page read and write

305D000

stack

page read and write

3A7B000

heap

page read and write

1BC000

stack

page read and write

1A000

unkown

page readonly

410F000

stack

page read and write

1968000

heap

page read and write

FA0000

heap

page read and write

10000

unkown

page readonly

3AC5000

heap

page read and write

90E000

stack

page read and write

309A000

stack

page read and write

10000

unkown

page readonly

3A11000

heap

page read and write

1A000

unkown

page readonly

1978000

heap

page read and write

186E000

stack

page read and write

E5C000

stack

page read and write

17EA000

unkown

page readonly

620000

heap

page read and write

199C000

heap

page read and write

1267000

unkown

page read and write

EA0000

unkown

page readonly

430F000

stack

page read and write

C6E000

stack

page read and write

CA0000

heap

page read and write

1A000

unkown

page readonly

DE52000

heap

page read and write

1980000

heap

page read and write

1870000

remote allocation

page read and write

DC4D000

heap

page read and write

1E000

unkown

page write copy

3ABA000

heap

page read and write

3AB3000

heap

page read and write

3F0D000

stack

page read and write

3420000

heap

page read and write

32DA000

heap

page read and write

19A6000

heap

page read and write

C90000

heap

page read and write

18CD000

stack

page read and write

10000

unkown

page readonly

11000

unkown

page execute read

7BB000

stack

page read and write

3AB3000

heap

page read and write

3AB3000

heap

page read and write

193E000

heap

page read and write

14BD000

unkown

page read and write

1900000

heap

page read and write

C10000

heap

page read and write

3E0000

heap

page read and write

6C469000

unkown

page read and write

1C2F000

stack

page read and write

3A91000

heap

page read and write

DE30000

heap

page read and write

21000

unkown

page readonly

F80000

heap

page read and write

19A1000

heap

page read and write

1A000

unkown

page readonly

3A8F000

heap

page read and write

36C000

stack

page read and write

17D7000

unkown

page readonly

1930000

heap

page read and write

3AB3000

heap

page read and write

CA5000

heap

page read and write

BF1000

stack

page read and write

195C000

heap

page read and write

21000

unkown

page readonly

1999000

heap

page read and write

11000

unkown

page execute read

450E000

stack

page read and write

10000

unkown

page readonly

21000

unkown

page readonly

3AAF000

heap

page read and write

DE3A000

heap

page read and write

3AB9000

heap

page read and write

610000

heap

page read and write

3ACF000

heap

page read and write

3A10000

heap

page read and write

3A91000

heap

page read and write

11AE000

heap

page read and write

10000

unkown

page readonly

3A19000

heap

page read and write

C80000

heap

page read and write

21000

unkown

page readonly

21000

unkown

page readonly

470F000

stack

page read and write

11000

unkown

page execute read

3A11000

heap

page read and write

195E000

heap

page read and write

11A0000

heap

page read and write

EA0000

heap

page read and write

3AC6000

heap

page read and write

3AD3000

heap

page read and write

490F000

stack

page read and write

3A80000

heap

page read and write

19A0000

heap

page read and write

3A80000

heap

page read and write

3AAE000

heap

page read and write

17E7000

unkown

page write copy

3AB8000

heap

page read and write

6C341000

unkown

page execute read

3120000

heap

page read and write

6C41F000

unkown

page readonly

1999000

heap

page read and write

1914000

heap

page read and write

146C000

unkown

page read and write

DFD000

stack

page read and write

3A8F000

heap

page read and write

1968000

heap

page read and write

1978000

heap

page read and write

3AB9000

heap

page read and write

1978000

heap

page read and write

BED000

stack

page read and write

3110000

heap

page read and write

E54D000

heap

page read and write

1870000

remote allocation

page read and write

BF5000

stack

page read and write

1C6E000

unkown

page read and write

199D000

heap

page read and write

6C340000

unkown

page readonly

3AB8000

heap

page read and write

10000

unkown

page readonly

C5C000

stack

page read and write

E3D000

stack

page read and write

1983000

heap

page read and write

1963000

heap

page read and write

C20000

heap

page read and write

7D7000

heap

page read and write

3AD5000

heap

page read and write

6C41D000

unkown

page read and write

1E000

unkown

page write copy

D96D000

heap

page read and write

3A11000

heap

page read and write

1DFE000

stack

page read and write

3A91000

heap

page read and write

C5E000

stack

page read and write

7D0000

heap

page read and write

EA1000

unkown

page execute read

EA0000

unkown

page readonly

11000

unkown

page execute read

1980000

heap

page read and write

14B3000

unkown

page read and write

1166000

unkown

page write copy

C1F000

stack

page read and write

14CE000

unkown

page read and write

1996000

heap

page read and write

195E000

heap

page read and write

14AF000

unkown

page read and write

12A7000

unkown

page read and write

17D7000

unkown

page readonly

21000

unkown

page readonly

11AA000

heap

page read and write

3A29000

heap

page read and write

BCF000

stack

page read and write

3100000

heap

page read and write

6C46C000

unkown

page readonly

DBAF000

heap

page read and write

1980000

heap

page read and write

3ACA000

heap

page read and write

1E000

unkown

page write copy

3C0000

heap

page read and write

3ACB000

heap

page read and write

3ABA000

heap

page read and write

3ADE000

heap

page read and write

1190000

heap

page read and write

1963000

heap

page read and write

1E000

unkown

page read and write

920000

heap

page read and write

1968000

heap

page read and write

32D0000

heap

page read and write

1978000

heap

page read and write

DB77000

heap

page read and write

14BB000

unkown

page read and write

32BE000

stack

page read and write

14B6000

unkown

page read and write

DB70000

heap

page read and write

There are 215 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Set-up.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSet-up.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
Set-up.exe