Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

calc.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.508684875713569
Filename:	calc.exe
Filesize:	432169
MD5:	4bf28f0b6a5b20681a1378a0d8afe694
SHA1:	f606479738c2e8dbb67cd9998dc35c830425c559
SHA256:	cf6b9d70a6b10490407df35b3fb8968de048328614171ab5c9de51d7638eed3a
SHA512:	73dd9e42e0e8489435b96776df67adb8729c47d06fecb4555447975a8f40c68980c9792446dfad2967888b45e69bbab58c29950d2089097c37ac3cb8477171ae
SSDEEP:	6144:94v4sIND/AB4jYWoyGN2Ik5AfPjFWFNAy/7+dOYG+/Wi+3I:WABhABEXotkI0A8AyzKOce4
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........H+..)E..)E..)E..!,..)E.\>%..)E.\>J..)E.\>..\|)E.Q!...)E...Y..)E..!...)E...(..)E.(.\..)E.Q!...)E..)D..(E.\>!..)E.>"...)E.\>...)E

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Masquerading Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation Access Token Manipulation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Access Token Manipulation
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	Access Token Manipulation System Shutdown/Reboot
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion	Masquerading
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Found evasive API chain (date check)	Malware Analysis System Evasion	Access Token Manipulation
Found evasive API chain (may stop execution after checking a module file name)	Malware Analysis System Evasion	Access Token Manipulation
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Contains functionality for error logging	System Summary	Access Token Manipulation
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	Access Token Manipulation
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Creates files inside the user directory	System Summary	Masquerading
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads ini files	System Summary
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation

C:\Users\user\Desktop\JzM4PpnOtP.jse

data

dropped

Details

File:	C:\Users\user\Desktop\JzM4PpnOtP.jse
Category:	dropped
Dump:	JzM4PpnOtP.jse.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\calc.exe
Type:	data
Entropy:	6.202615493257142
Encrypted:	false
Ssdeep:	24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb
Size:	905
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\calc.exe

"C:\Users\user\Desktop\calc.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6940
Target ID:	0
Parent PID:	2580
Name:	calc.exe
Path:	C:\Users\user\Desktop\calc.exe
Commandline:	"C:\Users\user\Desktop\calc.exe"
Size:	432169
MD5:	4BF28F0B6A5B20681A1378A0D8AFE694
Time:	00:21:26
Date:	02/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	548864
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sigma detected: Suspicious Calculator Usage	System Summary
Sigma detected: Suspicious Process Parents	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" JzM4PpnOtP.jse

Details

Is windows:	true
Is dropped:	false
PID:	7140
Target ID:	1
Parent PID:	6940
Name:	wscript.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\wscript.exe
Commandline:	"C:\Windows\System32\wscript.exe" JzM4PpnOtP.jse
Size:	147456
MD5:	FF00E0480075B095948000BDC66E81F0
Time:	00:21:27
Date:	02/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x890000
Modulesize:	159744
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Process Parents	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Add User to Local Administrators Group	System Summary
Sigma detected: New User Created Via Net.EXE	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sigma detected: Net.exe Execution	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" user LocalAdministrator /add

Details

Is windows:	true
Is dropped:	false
PID:	6276
Target ID:	2
Parent PID:	7140
Name:	net.exe
Path:	C:\Windows\SysWOW64\net.exe
Commandline:	"C:\Windows\System32\net.exe" user LocalAdministrator /add
Size:	47104
MD5:	31890A7DE89936F922D44D677F681A7F
Time:	00:21:27
Date:	02/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xc90000
Modulesize:	106496
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Adds a new user with administrator rights	Persistence and Installation Behavior	Create Account
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Add User to Local Administrators Group	System Summary
Sigma detected: New User Created Via Net.EXE	System Summary
Sigma detected: Net.exe Execution	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add

Details

Is windows:	true
Is dropped:	false
PID:	6320
Target ID:	4
Parent PID:	7140
Name:	net.exe
Path:	C:\Windows\SysWOW64\net.exe
Commandline:	"C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Size:	47104
MD5:	31890A7DE89936F922D44D677F681A7F
Time:	00:21:27
Date:	02/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xc90000
Modulesize:	106496
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Adds a new user with administrator rights	Persistence and Installation Behavior	Create Account
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Add User to Local Administrators Group	System Summary
Sigma detected: New User Created Via Net.EXE	System Summary
Sigma detected: Net.exe Execution	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\Desktop\calc.exe

"C:\Users\user\Desktop\calc.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3488
Target ID:	6
Parent PID:	7140
Name:	calc.exe
Path:	C:\Users\user\Desktop\calc.exe
Commandline:	"C:\Users\user\Desktop\calc.exe"
Size:	432169
MD5:	4BF28F0B6A5B20681A1378A0D8AFE694
Time:	00:21:27
Date:	02/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	548864
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sigma detected: Suspicious Calculator Usage	System Summary
Sigma detected: Suspicious Process Parents	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6296
Target ID:	3
Parent PID:	6276
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	00:21:27
Date:	02/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4548
Target ID:	5
Parent PID:	6320
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	00:21:27
Date:	02/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user LocalAdministrator /add

Details

Is windows:	true
Is dropped:	false
PID:	1700
Target ID:	7
Parent PID:	6276
Name:	net1.exe
Path:	C:\Windows\SysWOW64\net1.exe
Commandline:	C:\Windows\system32\net1 user LocalAdministrator /add
Size:	139776
MD5:	2EFE6ED4C294AB8A39EB59C80813FEC1
Time:	00:21:27
Date:	02/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xfb0000
Modulesize:	200704
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add

Details

Is windows:	true
Is dropped:	false
PID:	5856
Target ID:	8
Parent PID:	6320
Name:	net1.exe
Path:	C:\Windows\SysWOW64\net1.exe
Commandline:	C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Size:	139776
MD5:	2EFE6ED4C294AB8A39EB59C80813FEC1
Time:	00:21:27
Date:	02/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xfb0000
Modulesize:	200704
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\calc.exe

JScriptSetScriptStateStarted

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\calc.exe
Value name:	JScriptSetScriptStateStarted
Value data:	D8 99 43 00 00 00 00 00

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings

JITDebug

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe

JScriptSetScriptStateStarted

Memdumps

Base Address

Regiontype

Protect

Malicious

29DD000

heap

page read and write

935000

heap

page read and write

591000

heap

page read and write

29A0000

heap

page read and write

593000

heap

page read and write

585000

heap

page read and write

29BE000

heap

page read and write

2510000

heap

page read and write

12D000

stack

page read and write

2256000

heap

page read and write

B3E000

stack

page read and write

2C1F000

stack

page read and write

7D0000

heap

page read and write

26A7000

heap

page read and write

4F5000

heap

page read and write

29C2000

heap

page read and write

47E000

unkown

page read and write

4CE000

heap

page read and write

2530000

heap

page read and write

29A2000

heap

page read and write

225A000

heap

page read and write

4F5000

heap

page read and write

680000

heap

page read and write

580000

heap

page read and write

459000

unkown

page readonly

B40000

heap

page read and write

A60000

heap

page read and write

2984000

heap

page read and write

2999000

heap

page read and write

1F0000

heap

page read and write

86E000

stack

page read and write

58E000

heap

page read and write

585000

heap

page read and write

620000

heap

page read and write

7F9000

heap

page read and write

AE0000

heap

page read and write

58A000

heap

page read and write

547000

heap

page read and write

5A0000

heap

page read and write

297F000

stack

page read and write

21AE000

stack

page read and write

213E000

stack

page read and write

401000

unkown

page execute read

2950000

heap

page read and write

B4C000

heap

page read and write

50C0000

heap

page read and write

4FE000

stack

page read and write

2989000

heap

page read and write

2E35000

heap

page read and write

51E000

heap

page read and write

297C000

heap

page read and write

4BD000

stack

page read and write

CF8000

heap

page read and write

586000

heap

page read and write

685000

heap

page read and write

4D2E000

stack

page read and write

26A6000

heap

page read and write

29AD000

heap

page read and write

93F000

stack

page read and write

547000

heap

page read and write

BB0000

heap

page read and write

29A4000

heap

page read and write

9A0000

heap

page read and write

465000

unkown

page write copy

59A000

heap

page read and write

29A2000

heap

page read and write

18C000

stack

page read and write

76B000

stack

page read and write

670000

heap

page read and write

299E000

heap

page read and write

18C000

stack

page read and write

B46000

heap

page read and write

5A3000

heap

page read and write

5AE000

stack

page read and write

26B9000

heap

page read and write

30AE000

stack

page read and write

2980000

heap

page read and write

5BF000

heap

page read and write

5BF000

heap

page read and write

B1E000

stack

page read and write

29B6000

heap

page read and write

4D8000

heap

page read and write

CD0000

heap

page read and write

2230000

heap

page read and write

99E000

stack

page read and write

29B7000

heap

page read and write

26A7000

heap

page read and write

4750000

heap

page read and write

1E0000

heap

page read and write

53D000

stack

page read and write

7CF000

stack

page read and write

4CA000

heap

page read and write

26BA000

heap

page read and write

29AA000

heap

page read and write

518000

heap

page read and write

5BF000

heap

page read and write

482000

unkown

page readonly

29DD000

heap

page read and write

5EE000

stack

page read and write

2958000

heap

page read and write

29C9000

heap

page read and write

299F000

heap

page read and write

540000

heap

page read and write

AD0000

heap

page read and write

7F5000

heap

page read and write

56F000

stack

page read and write

2F6E000

stack

page read and write

FD000

stack

page read and write

56A000

heap

page read and write

5A7000

heap

page read and write

7DD000

stack

page read and write

7AF000

stack

page read and write

BE0000

heap

page read and write

47E000

unkown

page read and write

543000

heap

page read and write

29C1000

heap

page read and write

26A9000

heap

page read and write

1F0000

heap

page read and write

2DEF000

stack

page read and write

299A000

heap

page read and write

2998000

heap

page read and write

4FAE000

stack

page read and write

68F000

stack

page read and write

297D000

heap

page read and write

299D000

heap

page read and write

558000

heap

page read and write

50AE000

stack

page read and write

81E000

stack

page read and write

94F000

stack

page read and write

71D000

stack

page read and write

477000

unkown

page read and write

5B9000

heap

page read and write

56A000

heap

page read and write

29A5000

heap

page read and write

54AC000

stack

page read and write

1F0000

heap

page read and write

5F0000

heap

page read and write

459000

unkown

page readonly

83E000

stack

page read and write

17F000

stack

page read and write

2250000

heap

page read and write

400000

unkown

page readonly

299A000

heap

page read and write

81E000

stack

page read and write

4D8000

heap

page read and write

4A0000

heap

page read and write

400000

unkown

page readonly

29A6000

heap

page read and write

473E000

stack

page read and write

2D1F000

stack

page read and write

2150000

heap

page read and write

482000

unkown

page readonly

2224000

heap

page read and write

29A6000

heap

page read and write

2978000

heap

page read and write

2E60000

heap

page read and write

29AF000

heap

page read and write

29CA000

heap

page read and write

950000

heap

page read and write

26A4000

heap

page read and write

306F000

stack

page read and write

29B9000

heap

page read and write

6A0000

heap

page read and write

4BAF000

stack

page read and write

5A8000

heap

page read and write

2999000

heap

page read and write

5A0000

heap

page read and write

5A5000

heap

page read and write

57F000

heap

page read and write

4DF000

heap

page read and write

CF0000

heap

page read and write

29A8000

heap

page read and write

2987000

heap

page read and write

4A0000

heap

page read and write

2534000

heap

page read and write

29C3000

heap

page read and write

2E6C000

heap

page read and write

459000

unkown

page readonly

4D8000

heap

page read and write

CD5000

heap

page read and write

625000

heap

page read and write

630000

heap

page read and write

2CEE000

stack

page read and write

BEC000

heap

page read and write

5A3000

heap

page read and write

559000

heap

page read and write

401000

unkown

page execute read

4E0000

heap

page read and write

2987000

heap

page read and write

190000

heap

page read and write

5B7000

heap

page read and write

6A8000

heap

page read and write

5A4000

heap

page read and write

7E0000

heap

page read and write

2998000

heap

page read and write

29B2000

heap

page read and write

2989000

heap

page read and write

354C000

stack

page read and write

490000

heap

page read and write

4E2F000

stack

page read and write

1F5000

heap

page read and write

29BB000

heap

page read and write

26A9000

heap

page read and write

870000

heap

page read and write

540000

heap

page read and write

477000

unkown

page read and write

D05000

heap

page read and write

4F6E000

stack

page read and write

465000

unkown

page read and write

B4A000

heap

page read and write

401000

unkown

page execute read

825000

heap

page read and write

29DD000

heap

page read and write

79E000

stack

page read and write

400000

unkown

page readonly

299D000

heap

page read and write

1E0000

heap

page read and write

BAF000

stack

page read and write

29B5000

heap

page read and write

17D000

stack

page read and write

29AC000

heap

page read and write

4CEF000

stack

page read and write

2F2F000

stack

page read and write

A00000

heap

page read and write

26B8000

heap

page read and write

6CE000

stack

page read and write

585000

heap

page read and write

248E000

stack

page read and write

26B8000

heap

page read and write

482000

unkown

page readonly

4B0000

heap

page read and write

17F000

stack

page read and write

482000

unkown

page readonly

1DE000

stack

page read and write

289F000

stack

page read and write

A5F000

stack

page read and write

269E000

stack

page read and write

4D2000

heap

page read and write

29AA000

heap

page read and write

401000

unkown

page execute read

588000

heap

page read and write

BFE000

stack

page read and write

930000

heap

page read and write

4C7000

heap

page read and write

66B000

stack

page read and write

26A0000

heap

page read and write

225C000

heap

page read and write

4D9000

heap

page read and write

5A0000

heap

page read and write

4CE000

heap

page read and write

2E30000

heap

page read and write

59D000

heap

page read and write

5CE000

stack

page read and write

26A9000

heap

page read and write

2220000

heap

page read and write

7F0000

heap

page read and write

4E2000

heap

page read and write

4A8000

heap

page read and write

5A1000

heap

page read and write

4760000

heap

page read and write

58B000

heap

page read and write

4D2000

heap

page read and write

400000

unkown

page readonly

2989000

heap

page read and write

60E000

stack

page read and write

299D000

heap

page read and write

344C000

stack

page read and write

4BEE000

stack

page read and write

9A000

stack

page read and write

50E000

stack

page read and write

50C2000

heap

page read and write

2E2E000

stack

page read and write

55AC000

stack

page read and write

95E000

stack

page read and write

A2F000

stack

page read and write

9A000

stack

page read and write

510000

heap

page read and write

5550000

trusted library allocation

page read and write

29DD000

heap

page read and write

29B7000

heap

page read and write

ACE000

stack

page read and write

AD000

stack

page read and write

31AF000

stack

page read and write

638000

heap

page read and write

91F000

stack

page read and write

586000

heap

page read and write

5A7000

heap

page read and write

29C9000

heap

page read and write

AD8000

heap

page read and write

29A5000

heap

page read and write

29BC000

heap

page read and write

2986000

heap

page read and write

56A000

heap

page read and write

29A9000

heap

page read and write

585000

heap

page read and write

2E30000

heap

page read and write

B90000

heap

page read and write

C80000

heap

page read and write

B20000

heap

page read and write

820000

heap

page read and write

510000

heap

page read and write

29B4000

heap

page read and write

21F0000

heap

page read and write

4D2000

heap

page read and write

459000

unkown

page readonly

594000

heap

page read and write

C7F000

stack

page read and write

596000

heap

page read and write

58A000

heap

page read and write

5A5000

heap

page read and write

4E6E000

stack

page read and write

465000

unkown

page read and write

5BF000

heap

page read and write

465000

unkown

page write copy

There are 304 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
calc.exe

Files

Processes

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportcalc.exe

Files

Processes

Registry

Memdumps

IOC Report
calc.exe