Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

c95eb189cffef0c6b222d31de3c7ed0f9cabad48a38aa.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

C:\ProgramData\AFBAFBKEGCFBGCBFIDAKEHDAFC

SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2

dropped

C:\ProgramData\AFCAAEGDBKJJKECBKFHCBAECAF

SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3

dropped

C:\ProgramData\AFIIEBGC

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7

dropped

C:\ProgramData\DAKJDAAFBKFHIEBFCFBKKKECGI

SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7

dropped

C:\ProgramData\EGIDBFBFHJDGCAKEGHJECGHCGC

SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4

dropped

C:\ProgramData\GHJEHJJDAAAKEBGCFCAA

ASCII text, with very long lines (1769), with CRLF line terminators

dropped

C:\ProgramData\IECBGIDA

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3

dropped

C:\ProgramData\IJECBGIJDGCAEBFIIECA

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\IPKGELNTQY.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\JDDHMPCDUJ.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\KJJJJDHIDBGHIDHIDAFB

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\LIJDSFKJZG.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\LSBIHQFDVT.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_c95eb189cffef0c6_fbb86e935b9b3f59cd02c7b2f117877c3d1351_e49f94e1_297bcdc7-5f24-4ab5-a323-7eb8a7804093\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8033.tmp.dmp

Mini DuMP crash report, 14 streams, Mon Oct 7 22:41:53 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER814D.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER817D.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\NEBFQQYWPS.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\NEBFQQYWPS.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\PALRGUCVEH.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\PALRGUCVEH.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\QNCYCDFIJJ.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\SUAVTZKNFL.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\UBVUNTSCZJ.xlsx

HIT archive data

dropped

C:\ProgramData\ZQIXMVQGAH.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\freebl3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\mozglue.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\msvcp140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\ProgramData\nss3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\softokn3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\vcruntime140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\1M8V7EFU\freebl3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\1M8V7EFU\mozglue[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\1M8V7EFU\msvcp140[1].dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\1M8V7EFU\nss3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\1M8V7EFU\softokn3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\1M8V7EFU\vcruntime140[1].dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\cookies.sqlite-shm

data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\places.sqlite-shm

data

dropped

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

There are 31 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\c95eb189cffef0c6b222d31de3c7ed0f9cabad48a38aa.exe

"C:\Users\user\Desktop\c95eb189cffef0c6b222d31de3c7ed0f9cabad48a38aa.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6552
Target ID:	0
Parent PID:	4088
Name:	c95eb189cffef0c6b222d31de3c7ed0f9cabad48a38aa.exe
Path:	C:\Users\user\Desktop\c95eb189cffef0c6b222d31de3c7ed0f9cabad48a38aa.exe
Commandline:	"C:\Users\user\Desktop\c95eb189cffef0c6b222d31de3c7ed0f9cabad48a38aa.exe"
Size:	453632
MD5:	F9302AD7A926E6A5D54FF17513072C79
Time:	18:41:31
Date:	07/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	2494464
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected Stealc	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 2328

Details

Is windows:	true
Is dropped:	false
PID:	7032
Target ID:	7
Parent PID:	6552
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 2328
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	18:41:52
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x550000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://62.122.184.144/f88d87a7e087e100.php

62.122.184.144

http://62.122.184.144/00122117a2c73c51/mozglue.dll

62.122.184.144

http://62.122.184.144/

62.122.184.144

http://62.122.184.144/00122117a2c73c51/freebl3.dll

62.122.184.144

http://62.122.184.144/00122117a2c73c51/vcruntime140.dll

62.122.184.144

http://62.122.184.144/00122117a2c73c51/softokn3.dll

62.122.184.144

http://62.122.184.144

unknown

http://62.122.184.144/00122117a2c73c51/sqlite3.dll

62.122.184.144

http://62.122.184.144/00122117a2c73c51/nss3.dll

62.122.184.144

http://62.122.184.144/00122117a2c73c51/msvcp140.dll

62.122.184.144

http://62.122.184.144/Lt

unknown

http://62.122.184.144/f88d87a7e087e100.php03a5c65b5b831b0ec45f59e542f72

unknown

https://duckduckgo.com/chrome_newtab

unknown

http://62.122.184.144/f88d87a7e087e100.phpndows

unknown

https://duckduckgo.com/ac/?q=

unknown

https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696506299400400001.1&ci=1696506299033.12791&cta

unknown

http://62.122.184.144/00122117a2c73c51/nss3.dll_

unknown

https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_cd61a4703a8613be887576f2bd084bcc6f4756dccdbe5062

unknown

http://62.122.184.144/00122117a2c73c51/vcruntime140.dll17a2c73c51/nss3.dll

unknown

http://62.122.184.144/f88d87a7e087e100.phpa

unknown

http://62.122.184.144/f88d87a7e087e100.phpFirefox

unknown

https://support.mozilla.org/products/firefoxgro.allizom.troppus.P9ZDdyXKOWl2

unknown

http://62.122.184.144/f88d87a7e087e100.phpX

unknown

http://62.122.184.144ocx87a7e087e100.php4fDV8MXwxfDB8RE9DfCVET0NVTUVOVFMlXHwqLnR4dCwqLmRvY3gsKi54bHN

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

http://62.122.184.144/00122117a2c73c51/mozglue.dllK-

unknown

http://62.122.184.144/00122117a2c73c51/nss3.dlli

unknown

http://62.122.184.144/f88d87a7e087e100.phpnomi

unknown

http://62.122.184.144/f88d87a7e087e100.phpEHJJDAAAKEBGCFCAA

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

http://62.122.184.144/f88d87a7e087e100.php2

unknown

http://62.122.184.144/7t

unknown

http://www.sqlite.org/copyright.html.

unknown

http://62.122.184.144FCAA

unknown

http://62.122.184.144ff8b95cdd00ac889825c803a5c65b5b831b0ec45f59e542f72

unknown

http://www.mozilla.com/en-US/blocklist/

unknown

https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696506299400400001.2&ci=1696506299033.

unknown

http://62.122.184.144/f88d87a7e087e100.php03a5c65b5b831b0ec45f59e542f72release

unknown

https://mozilla.org0/

unknown

http://62.122.184.144IIDH

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

http://62.122.184.144/f88d87a7e087e100.phpES

unknown

http://62.122.184.144/f88d87a7e087e100.phption:

unknown

http://62.122.184.144/00122117a2c73c51/freebl3.dllO

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://upx.sf.net

unknown

http://62.122.184.144/f88d87a7e087e100.php0//EN

unknown

https://www.ecosia.org/newtab/

unknown

http://62.122.184.144/f88d87a7e087e100.phpCoinomi

unknown

https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br

unknown

http://62.122.184.144F

unknown

http://62.122.184.144/f88d87a7e087e100.phpsimple-storage.jsonXBo3

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

http://62.122.184.144/00122117a2c73c51/softokn3.dlla

unknown

https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg

unknown

https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u

unknown

https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4CbmfQq%2B4pbW4pbWfpbX7ReNxR3UIG8zInwYIFIVs9e

unknown

http://62.122.184.144/f88d87a7e087e100.phpser

unknown

https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg

unknown

https://support.mozilla.org

unknown

http://62.122.184.144f88d87a7e087e100.php03a5c65b5b831b0ec45f59e542f72

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

http://62.122.184.144f

unknown

http://62.122.184.144/f88d87a7e087e100.phpt

unknown

There are 54 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

62.122.184.144

unknown

Details

IP:	62.122.184.144
TargetID:	0
Current Path:	C:\Users\user\Desktop\c95eb189cffef0c6b222d31de3c7ed0f9cabad48a38aa.exe
ASN number:	49120
ASN name:	GORSET-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

\REGISTRY\A\{40567418-fd87-3e4f-5aff-3736e97a52af}\Root\InventoryApplicationFile\c95eb189cffef0c6|3e36522463d63165

ProgramId

\REGISTRY\A\{40567418-fd87-3e4f-5aff-3736e97a52af}\Root\InventoryApplicationFile\c95eb189cffef0c6|3e36522463d63165

FileId

\REGISTRY\A\{40567418-fd87-3e4f-5aff-3736e97a52af}\Root\InventoryApplicationFile\c95eb189cffef0c6|3e36522463d63165

LowerCaseLongPath

\REGISTRY\A\{40567418-fd87-3e4f-5aff-3736e97a52af}\Root\InventoryApplicationFile\c95eb189cffef0c6|3e36522463d63165

LongPathHash

\REGISTRY\A\{40567418-fd87-3e4f-5aff-3736e97a52af}\Root\InventoryApplicationFile\c95eb189cffef0c6|3e36522463d63165

Name

\REGISTRY\A\{40567418-fd87-3e4f-5aff-3736e97a52af}\Root\InventoryApplicationFile\c95eb189cffef0c6|3e36522463d63165

OriginalFileName

\REGISTRY\A\{40567418-fd87-3e4f-5aff-3736e97a52af}\Root\InventoryApplicationFile\c95eb189cffef0c6|3e36522463d63165

Publisher

\REGISTRY\A\{40567418-fd87-3e4f-5aff-3736e97a52af}\Root\InventoryApplicationFile\c95eb189cffef0c6|3e36522463d63165

Version

\REGISTRY\A\{40567418-fd87-3e4f-5aff-3736e97a52af}\Root\InventoryApplicationFile\c95eb189cffef0c6|3e36522463d63165

BinFileVersion

\REGISTRY\A\{40567418-fd87-3e4f-5aff-3736e97a52af}\Root\InventoryApplicationFile\c95eb189cffef0c6|3e36522463d63165

BinaryType

\REGISTRY\A\{40567418-fd87-3e4f-5aff-3736e97a52af}\Root\InventoryApplicationFile\c95eb189cffef0c6|3e36522463d63165

ProductName

\REGISTRY\A\{40567418-fd87-3e4f-5aff-3736e97a52af}\Root\InventoryApplicationFile\c95eb189cffef0c6|3e36522463d63165

ProductVersion

\REGISTRY\A\{40567418-fd87-3e4f-5aff-3736e97a52af}\Root\InventoryApplicationFile\c95eb189cffef0c6|3e36522463d63165

LinkDate

\REGISTRY\A\{40567418-fd87-3e4f-5aff-3736e97a52af}\Root\InventoryApplicationFile\c95eb189cffef0c6|3e36522463d63165

BinProductVersion

\REGISTRY\A\{40567418-fd87-3e4f-5aff-3736e97a52af}\Root\InventoryApplicationFile\c95eb189cffef0c6|3e36522463d63165

AppxPackageFullName

\REGISTRY\A\{40567418-fd87-3e4f-5aff-3736e97a52af}\Root\InventoryApplicationFile\c95eb189cffef0c6|3e36522463d63165

AppxPackageRelativeId

\REGISTRY\A\{40567418-fd87-3e4f-5aff-3736e97a52af}\Root\InventoryApplicationFile\c95eb189cffef0c6|3e36522463d63165

Size

\REGISTRY\A\{40567418-fd87-3e4f-5aff-3736e97a52af}\Root\InventoryApplicationFile\c95eb189cffef0c6|3e36522463d63165

Language

\REGISTRY\A\{40567418-fd87-3e4f-5aff-3736e97a52af}\Root\InventoryApplicationFile\c95eb189cffef0c6|3e36522463d63165

Usn

There are 9 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

809000

heap

page read and write

22F0000

direct allocation

page read and write

400000

unkown

page execute and read and write

22A0000

direct allocation

page execute and read and write

61EB7000

direct allocation

page readonly

1F4000

heap

page read and write

2D147000

heap

page read and write

26EC0000

heap

page read and write

1F4000

heap

page read and write

20E85000

heap

page read and write

20DC2000

heap

page read and write

61ED0000

direct allocation

page read and write

20E87000

heap

page read and write

20E87000

heap

page read and write

20E95000

heap

page read and write

20E87000

heap

page read and write

401000

unkown

page execute read

20E7A000

heap

page read and write

20EA3000

heap

page read and write

9FE000

stack

page read and write

20E7A000

heap

page read and write

1F4000

heap

page read and write

1F4000

heap

page read and write

20E85000

heap

page read and write

670000

heap

page read and write

7CA000

heap

page read and write

7CE000

heap

page read and write

1ADB6000

heap

page read and write

20E87000

heap

page read and write

20E8C000

heap

page read and write

240E000

stack

page read and write

20E85000

heap

page read and write

20E7A000

heap

page read and write

20E87000

heap

page read and write

1F4000

heap

page read and write

400000

unkown

page readonly

1F4000

heap

page read and write

20EAE000

heap

page read and write

6CB6D000

unkown

page readonly

6CB82000

unkown

page readonly

20E85000

heap

page read and write

20E87000

heap

page read and write

20EA2000

heap

page read and write

20E7D000

heap

page read and write

20E87000

heap

page read and write

6CAF1000

unkown

page execute read

20E87000

heap

page read and write

20E85000

heap

page read and write

61ED3000

direct allocation

page read and write

6CD2F000

unkown

page readonly

20E81000

heap

page read and write

1F4000

heap

page read and write

1AC3E000

stack

page read and write

20E69000

heap

page read and write

20EA2000

heap

page read and write

2CF9E000

stack

page read and write

260E000

stack

page read and write

20E8D000

heap

page read and write

61E01000

direct allocation

page execute read

20E87000

heap

page read and write

41D000

unkown

page readonly

64A000

unkown

page execute and read and write

20E95000

heap

page read and write

61ED4000

direct allocation

page readonly

79E000

stack

page read and write

20E85000

heap

page read and write

1AAFD000

stack

page read and write

20E8E000

heap

page read and write

1F0000

heap

page read and write

1F4000

heap

page read and write

20EA2000

heap

page read and write

2D144000

heap

page read and write

1F4000

heap

page read and write

20E87000

heap

page read and write

20E85000

heap

page read and write

20E95000

heap

page read and write

6CD70000

unkown

page read and write

1F4000

heap

page read and write

20E8C000

heap

page read and write

20E87000

heap

page read and write

20E95000

heap

page read and write

26EE0000

heap

page read and write

20E87000

heap

page read and write

1F4000

heap

page read and write

20E87000

heap

page read and write

2473000

heap

page read and write

20E87000

heap

page read and write

20EAE000

heap

page read and write

236E000

stack

page read and write

1F4000

heap

page read and write

20E6A000

heap

page read and write

6CB90000

unkown

page readonly

9BF000

stack

page read and write

1F4000

heap

page read and write

20E87000

heap

page read and write

1F4000

heap

page read and write

20EAA000

heap

page read and write

20E85000

heap

page read and write

1F4000

heap

page read and write

1A8FF000

stack

page read and write

20E6B000

heap

page read and write

20EA9000

heap

page read and write

20E95000

heap

page read and write

20E85000

heap

page read and write

20E85000

heap

page read and write

20E87000

heap

page read and write

20E95000

heap

page read and write

20E77000

heap

page read and write

1ACA0000

heap

page read and write

20E87000

heap

page read and write

7DD000

heap

page execute and read and write

20E84000

heap

page read and write

460000

unkown

page readonly

20E6D000

heap

page read and write

20E95000

heap

page read and write

1F4000

heap

page read and write

9C000

stack

page read and write

20E7D000

heap

page read and write

20E7D000

heap

page read and write

20E7A000

heap

page read and write

20E95000

heap

page read and write

20E7A000

heap

page read and write

2D14F000

heap

page read and write

1F4000

heap

page read and write

20E77000

heap

page read and write

20E85000

heap

page read and write

26F61000

heap

page read and write

2470000

heap

page read and write

20E62000

heap

page read and write

20E87000

heap

page read and write

1F4000

heap

page read and write

20E7C000

heap

page read and write

26F21000

heap

page read and write

20E60000

heap

page read and write

20E79000

heap

page read and write

1F4000

heap

page read and write

1F4000

heap

page read and write

6CD75000

unkown

page readonly

1ACB0000

heap

page read and write

20EA3000

heap

page read and write

1F4000

heap

page read and write

61E00000

direct allocation

page execute and read and write

20E87000

heap

page read and write

23CE000

stack

page read and write

61EB4000

direct allocation

page read and write

1F4000

heap

page read and write

20EAA000

heap

page read and write

20E87000

heap

page read and write

20EAE000

heap

page read and write

1A9FE000

stack

page read and write

20E69000

heap

page read and write

20EAE000

heap

page read and write

1F4000

heap

page read and write

1F4000

heap

page read and write

20E95000

heap

page read and write

20E87000

heap

page read and write

20E7A000

heap

page read and write

492000

unkown

page execute and read and write

20E81000

heap

page read and write

20E85000

heap

page read and write

1F4000

heap

page read and write

20EA2000

heap

page read and write

20E87000

heap

page read and write

20E95000

heap

page read and write

20E76000

heap

page read and write

83E000

heap

page read and write

1ACB1000

heap

page read and write

6CB7E000

unkown

page read and write

1F4000

heap

page read and write

20E8D000

heap

page read and write

20E6F000

heap

page read and write

1F4000

heap

page read and write

2D09F000

stack

page read and write

20EA3000

heap

page read and write

20E8C000

heap

page read and write

20E87000

heap

page read and write

4EF000

unkown

page execute and read and write

20E77000

heap

page read and write

26F41000

heap

page read and write

1A6FF000

stack

page read and write

20EA2000

heap

page read and write

1A7FF000

stack

page read and write

20E95000

heap

page read and write

20E87000

heap

page read and write

20E95000

heap

page read and write

6CAF0000

unkown

page readonly

20E7C000

heap

page read and write

5CB000

unkown

page execute and read and write

750000

heap

page read and write

20E84000

heap

page read and write

20E7F000

heap

page read and write

20E8D000

heap

page read and write

20F60000

heap

page read and write

40F000

unkown

page readonly

20E85000

heap

page read and write

1F4000

heap

page read and write

25BE000

stack

page read and write

1F4000

heap

page read and write

20E85000

heap

page read and write

20E7A000

heap

page read and write

5A5000

unkown

page execute and read and write

45A000

unkown

page execute and read and write

20E79000

heap

page read and write

20E87000

heap

page read and write

20E81000

heap

page read and write

51B000

unkown

page execute and read and write

2D13C000

heap

page read and write

20E81000

heap

page read and write

5C5000

unkown

page execute and read and write

20EA2000

heap

page read and write

20E95000

heap

page read and write

1AB3E000

stack

page read and write

20E87000

heap

page read and write

20E95000

heap

page read and write

50F000

unkown

page execute and read and write

864000

heap

page read and write

7C0000

heap

page read and write

20E85000

heap

page read and write

20E80000

heap

page read and write

1ADB0000

trusted library allocation

page read and write

6CD6F000

unkown

page write copy

20E85000

heap

page read and write

247C000

heap

page read and write

61ECD000

direct allocation

page readonly

65C000

unkown

page execute and read and write

20E85000

heap

page read and write

20E9A000

heap

page read and write

20E8D000

heap

page read and write

20E6B000

heap

page read and write

4BD000

unkown

page execute and read and write

20D26000

heap

page read and write

1F4000

heap

page read and write

194000

stack

page read and write

20EA2000

heap

page read and write

20E95000

heap

page read and write

26F81000

heap

page read and write

1F4000

heap

page read and write

85A000

heap

page read and write

1F4000

heap

page read and write

20EA3000

heap

page read and write

20EA2000

heap

page read and write

4E2000

unkown

page execute and read and write

20E81000

heap

page read and write

6CB91000

unkown

page execute read

257F000

stack

page read and write

20E81000

heap

page read and write

1F4000

heap

page read and write

1F4000

heap

page read and write

1F4000

heap

page read and write

1F4000

heap

page read and write

20EA2000

heap

page read and write

2D14A000

heap

page read and write

20E85000

heap

page read and write

20E83000

heap

page read and write

1F4000

heap

page read and write

2380000

heap

page read and write

6CD6E000

unkown

page read and write

1ACB1000

heap

page read and write

20E8D000

heap

page read and write

61ECC000

direct allocation

page read and write

20E85000

heap

page read and write

246E000

stack

page read and write

20E87000

heap

page read and write

44B000

unkown

page write copy

26F00000

heap

page read and write

2620000

heap

page read and write

20E83000

heap

page read and write

1F4000

heap

page read and write

488000

unkown

page execute and read and write

20EA2000

heap

page read and write

20E95000

heap

page read and write

1F4000

heap

page read and write

AFE000

stack

page read and write

20E7A000

heap

page read and write

20EA2000

heap

page read and write

1F4000

heap

page read and write

48F000

unkown

page execute and read and write

485000

unkown

page execute and read and write

20EA9000

heap

page read and write

1F4000

heap

page read and write

20E7F000

heap

page read and write

4B1000

unkown

page execute and read and write

There are 272 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
c95eb189cffef0c6b222d31de3c7ed0f9cabad48a38aa.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportc95eb189cffef0c6b222d31de3c7ed0f9cabad48a38aa.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
c95eb189cffef0c6b222d31de3c7ed0f9cabad48a38aa.exe