Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Set-up.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	2.7772662119663822
Filename:	Set-up.exe
Filesize:	9964544
MD5:	b13e354d435e1c6058a47f21c02d340d
SHA1:	27bf445af2cf41ecd8b63d6a4f69e0daec155070
SHA256:	69de589ce17aef3d2b265ef806d8783d882e53671542518d1379c7cbbf8f67d0
SHA512:	c4eb98283fa6464aadfe33c0c1b17243053a7d5b526a0fdc0755674190b96b753fee6c5e0104f6928d013741bd72eea4371fe0a1dbc38c3b16ad299c94eee927
SSDEEP:	49152:U1G09RgzuJvG124EDqbkXqayB7nh5uerH3HUktNdtaK6OjzYwAIp5a2GWPwibr7R:jYRZVZqwiB7
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f..f...............(..+...................,...@..........................p............@... .........................B..

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Drops large PE files	System Summary
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Contains capabilities to detect virtual machines	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file contains sections with non-standard names	Data Obfuscation
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection
Uses 32bit PE files	Compliance, System Summary	Masquerading
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Enumerates the file system	Spreading, Malware Analysis System Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\service123.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\service123.exe
Category:	dropped
Dump:	service123.exe.1.dr
ID:	dr_0
Target ID:	1
Process:	C:\Users\user\Desktop\Set-up.exe
Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	0.00234046682378051
Encrypted:	false
Ssdeep:	768:+WE9OaBxc0AJF8JAfPrYU3HcW534/lVBill7xbAOxuz/kQ:QxBxcEJAfPrYSHcW6/C5Buz7
Size:	314617856
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion	Native API
Found stalling execution ending in API Sleep call	Malware Analysis System Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to register its own exception handler	Anti Debugging
Creates mutexes	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Temp\siNpVQuBSTLTLeNwdJHL.dll

PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\siNpVQuBSTLTLeNwdJHL.dll
Category:	dropped
Dump:	siNpVQuBSTLTLeNwdJHL.dll.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Users\user\Desktop\Set-up.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	0.054304440754360264
Encrypted:	false
Size:	315803136
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Set-up.exe

"C:\Users\user\Desktop\Set-up.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7300
Target ID:	1
Parent PID:	3968
Name:	Set-up.exe
Path:	C:\Users\user\Desktop\Set-up.exe
Commandline:	"C:\Users\user\Desktop\Set-up.exe"
Size:	9964544
MD5:	B13E354D435E1C6058A47F21C02D340D
Time:	08:43:44
Date:	04/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x710000
Modulesize:	9990144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Yara detected Cryptbot	Stealing of Sensitive Information, Remote Access Functionality
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\service123.exe

"C:\Users\user\AppData\Local\Temp\service123.exe"

Details

Is windows:	false
Is dropped:	true
PID:	3452
Target ID:	5
Parent PID:	7300
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\service123.exe"
Size:	314617856
MD5:	9B62814A6554664282F49BF19A2D734C
Time:	08:44:52
Date:	04/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7b0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

Details

Is windows:	true
Is dropped:	false
PID:	4428
Target ID:	6
Parent PID:	7300
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\schtasks.exe
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Size:	187904
MD5:	48C2FE20575769DE916F48EF0676A965
Time:	08:44:53
Date:	04/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x510000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\service123.exe

C:\Users\user\AppData\Local\Temp\/service123.exe

Details

Is windows:	false
Is dropped:	true
PID:	1996
Target ID:	8
Parent PID:	1040
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Size:	314617856
MD5:	9B62814A6554664282F49BF19A2D734C
Time:	08:44:55
Date:	04/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x7b0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\service123.exe

C:\Users\user\AppData\Local\Temp\/service123.exe

Details

Is windows:	false
Is dropped:	true
PID:	2092
Target ID:	9
Parent PID:	1040
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Size:	314617856
MD5:	9B62814A6554664282F49BF19A2D734C
Time:	08:45:03
Date:	04/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x7b0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3688
Target ID:	7
Parent PID:	4428
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	08:44:53
Date:	04/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff620390000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

tventyvr20pt.top

analforeverlovyu.top

@tventyvr20pt.top

https://ac.ecosia.org/autocomplete?q=

unknown

https://duckduckgo.com/chrome_newtab

unknown

https://gcc.gnu.org/bugs/):

unknown

https://duckduckgo.com/ac/?q=

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

https://serviceupdate32.com/update

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://www.ecosia.org/newtab/

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

http://tventyvr20pt.top/v1/upload.php

unknown

http://tventyvr20pt.top/v1/upload.phpX

unknown

There are 6 hidden URLs, click here to show them.

Domains

Name

Malicious

tventyvr20pt.top

185.244.181.140

Details

Name:	tventyvr20pt.top
IP:	185.244.181.140
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

s-part-0017.t-0009.t-msedge.net

13.107.246.45

IPs

Domain

Country

Malicious

185.244.181.140

tventyvr20pt.top

Russian Federation

Details

IP:	185.244.181.140
TargetID:	1
Current Path:	C:\Users\user\Desktop\Set-up.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	44901
ASN name:	BELCLOUDBG
Private:	false
Domain:	tventyvr20pt.top

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

4263000

heap

page read and write

1874000

heap

page read and write

184B000

heap

page read and write

680000

heap

page read and write

7B0000

unkown

page readonly

48FC000

stack

page read and write

325D000

stack

page read and write

D19000

unkown

page read and write

403F000

stack

page read and write

3E3E000

stack

page read and write

1350000

heap

page read and write

710000

unkown

page readonly

7C1000

unkown

page readonly

B11000

unkown

page read and write

1870000

heap

page read and write

1844000

heap

page read and write

770000

heap

page read and write

33EB000

heap

page read and write

7BE000

unkown

page write copy

6CAFD000

unkown

page read and write

1867000

heap

page read and write

4240000

remote allocation

page read and write

112B000

stack

page read and write

DBAD000

heap

page read and write

6CB4C000

unkown

page readonly

39BF000

heap

page read and write

12D0000

heap

page read and write

189E000

heap

page read and write

39BF000

heap

page read and write

3790000

heap

page read and write

183E000

heap

page read and write

185F000

heap

page read and write

9D0000

unkown

page read and write

1896000

heap

page read and write

711000

unkown

page execute read

3A0E000

heap

page read and write

D90000

heap

page read and write

1890000

heap

page read and write

D1D000

unkown

page read and write

1870000

heap

page read and write

7B0000

unkown

page readonly

FC0000

heap

page read and write

185F000

heap

page read and write

188E000

heap

page read and write

BFC000

stack

page read and write

760000

heap

page read and write

3941000

heap

page read and write

338F000

unkown

page read and write

35F0000

heap

page read and write

1710000

heap

page read and write

15D7000

stack

page read and write

188B000

heap

page read and write

1050000

unkown

page write copy

39E4000

heap

page read and write

7BE000

unkown

page read and write

4240000

remote allocation

page read and write

15F3000

stack

page read and write

39DF000

heap

page read and write

E25C000

heap

page read and write

7BE000

unkown

page write copy

AD1000

unkown

page read and write

3941000

heap

page read and write

6CA20000

unkown

page readonly

1E0C000

stack

page read and write

D27000

unkown

page read and write

D25000

unkown

page read and write

1810000

heap

page read and write

1874000

heap

page read and write

33CE000

stack

page read and write

15F7000

stack

page read and write

711000

unkown

page execute read

184B000

heap

page read and write

9D0000

unkown

page write copy

1D5A000

heap

page read and write

6CA21000

unkown

page execute read

1357000

heap

page read and write

396B000

heap

page read and write

1730000

heap

page read and write

3C3D000

stack

page read and write

33D0000

heap

page read and write

1855000

heap

page read and write

6FC000

stack

page read and write

17FE000

stack

page read and write

183E000

heap

page read and write

39E4000

heap

page read and write

DB40000

heap

page read and write

1844000

heap

page read and write

186C000

heap

page read and write

103D000

stack

page read and write

39EA000

heap

page read and write

1867000

heap

page read and write

39E4000

heap

page read and write

1857000

heap

page read and write

1DCE000

stack

page read and write

186C000

heap

page read and write

33E0000

heap

page read and write

D6BA000

heap

page read and write

6CB48000

unkown

page readonly

1874000

heap

page read and write

39FB000

heap

page read and write

7B1000

unkown

page execute read

1D50000

heap

page read and write

1B4E000

unkown

page read and write

670000

heap

page read and write

6CB49000

unkown

page read and write

1E54000

heap

page read and write

7C1000

unkown

page readonly

186A000

heap

page read and write

186A000

heap

page read and write

46FF000

stack

page read and write

7BA000

unkown

page readonly

35EF000

stack

page read and write

7B0000

unkown

page readonly

7B0000

unkown

page readonly

7BA000

unkown

page readonly

1B0E000

stack

page read and write

7C1000

unkown

page readonly

11A0000

heap

page read and write

39EE000

heap

page read and write

445F000

stack

page read and write

1870000

heap

page read and write

D38000

unkown

page read and write

1844000

heap

page read and write

1340000

heap

page read and write

184F000

heap

page read and write

D9A000

heap

page read and write

63C000

stack

page read and write

3941000

heap

page read and write

1870000

heap

page read and write

D16000

unkown

page read and write

1857000

heap

page read and write

7B1000

unkown

page execute read

186A000

heap

page read and write

7C1000

unkown

page readonly

7B0000

unkown

page readonly

1041000

unkown

page readonly

9CC000

stack

page read and write

DB50000

heap

page read and write

DB8F000

heap

page read and write

E3C000

stack

page read and write

D96000

unkown

page read and write

3A06000

heap

page read and write

17BD000

stack

page read and write

184B000

heap

page read and write

1844000

heap

page read and write

1890000

heap

page read and write

181E000

heap

page read and write

39F7000

heap

page read and write

181A000

heap

page read and write

B20000

heap

page read and write

183E000

heap

page read and write

7B1000

unkown

page execute read

1870000

heap

page read and write

39B0000

heap

page read and write

3300000

heap

page read and write

185F000

heap

page read and write

1867000

heap

page read and write

D32000

unkown

page read and write

710000

unkown

page readonly

39F5000

heap

page read and write

1E4E000

stack

page read and write

1041000

unkown

page readonly

B27000

heap

page read and write

3940000

heap

page read and write

D20000

unkown

page read and write

1867000

heap

page read and write

39C4000

heap

page read and write

7B1000

unkown

page execute read

7C1000

unkown

page readonly

334E000

unkown

page read and write

39FA000

heap

page read and write

1874000

heap

page read and write

7BA000

unkown

page readonly

1870000

heap

page read and write

7B1000

unkown

page execute read

7BA000

unkown

page readonly

1190000

heap

page read and write

3A00000

heap

page read and write

39EA000

heap

page read and write

CD6000

unkown

page read and write

3959000

heap

page read and write

1E50000

heap

page read and write

39AB000

heap

page read and write

730000

heap

page read and write

7BA000

unkown

page readonly

7B0000

unkown

page readonly

7B1000

unkown

page execute read

7BE000

unkown

page write copy

184F000

heap

page read and write

7BA000

unkown

page readonly

1857000

heap

page read and write

D994000

heap

page read and write

39EA000

heap

page read and write

1053000

unkown

page readonly

FD7000

unkown

page read and write

1D5F000

heap

page read and write

1898000

heap

page read and write

3A03000

heap

page read and write

7BE000

unkown

page read and write

39E8000

heap

page read and write

39E9000

heap

page read and write

1E55000

heap

page read and write

39EA000

heap

page read and write

D9E000

heap

page read and write

188A000

heap

page read and write

39C1000

heap

page read and write

1874000

heap

page read and write

39C1000

heap

page read and write

39F0000

heap

page read and write

1D8E000

stack

page read and write

3A08000

heap

page read and write

690000

heap

page read and write

11DE000

stack

page read and write

177E000

stack

page read and write

39E4000

heap

page read and write

1870000

heap

page read and write

1892000

heap

page read and write

7BE000

unkown

page read and write

185F000

heap

page read and write

1180000

heap

page read and write

423F000

stack

page read and write

1874000

heap

page read and write

7C1000

unkown

page readonly

3949000

heap

page read and write

1080000

heap

page read and write

11E0000

heap

page read and write

6CAFF000

unkown

page readonly

184F000

heap

page read and write

1874000

heap

page read and write

1B50000

heap

page read and write

188A000

heap

page read and write

395E000

heap

page read and write

1053000

unkown

page readonly

1735000

heap

page read and write

329A000

stack

page read and write

D8AF000

stack

page read and write

4240000

remote allocation

page read and write

DB57000

heap

page read and write

1050000

unkown

page read and write

1D40000

heap

page read and write

39EE000

heap

page read and write

39C1000

heap

page read and write

There are 232 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Set-up.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSet-up.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
Set-up.exe