Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

bfWVPQsRO1.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.579229790128929
Filename:	bfWVPQsRO1.exe
Filesize:	27648
MD5:	65abbb1b8cb5f121249ad00bf99995aa
SHA1:	e2716aa2af91bfa1e44e029fc86776690d3d2c74
SHA256:	455193e153b09c0c36a9f14f7c1db75e21231615f992c413281b1135dd5b8334
SHA512:	bef09a4254b4c0087487d2d28172ecfd133e05508f665545cc2c94b7349cd254edd22e3b37eeeb01f9aeac6dfb4caf024bfa9b52abfe67d42ae3923ac3ae295c
SSDEEP:	384:CLpHqxzDGoEXHWtyXc0gCQP8thFMRAQk93vmhm7UMKmIEecKdbXTzm9bVhcar6D1:cpKFy4pFRA/vMHTi9bD
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................d..........n.... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Access Token Manipulation Software Packing
Machine Learning detection for sample	AV Detection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Creates a start menu entry (Start Menu\Programs\Startup)	Boot Survival	Registry Run Keys / Startup Folder Access Token Manipulation
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Stores files to the Windows start menu directory	Boot Survival
Uses 32bit PE files	Compliance, System Summary	Masquerading
Yara signature match	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates an autostart registry key	Boot Survival	Access Token Manipulation
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Enumerates the file system	Spreading, Malware Analysis System Evasion	File and Directory Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Reads ini files	System Summary
Reads software policies	System Summary	Access Token Manipulation System Information Discovery
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses new MSVCR Dlls	Compliance, System Summary	Access Token Manipulation

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\bfWVPQsRO1.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\bfWVPQsRO1.exe.log
Category:	dropped
Dump:	bfWVPQsRO1.exe.log.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\bfWVPQsRO1.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.259753436570609
Encrypted:	false
Ssdeep:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
Size:	525
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Temp\Payload.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Payload.exe
Category:	dropped
Dump:	Payload.exe.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\bfWVPQsRO1.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.579229790128929
Encrypted:	false
Ssdeep:	384:CLpHqxzDGoEXHWtyXc0gCQP8thFMRAQk93vmhm7UMKmIEecKdbXTzm9bVhcar6D1:cpKFy4pFRA/vMHTi9bD
Size:	27648
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Creates multiple autostart registry keys	Boot Survival	Registry Run Keys / Startup Folder
Disables zone checking for all users	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Machine Learning detection for dropped file	AV Detection
Sigma detected: New RUN Key Pointing to Suspicious Folder	System Summary
Abnormal high CPU Usage	System Summary
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Payload.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Payload.exe.log
Category:	dropped
Dump:	Payload.exe.log.6.dr
ID:	dr_4
Target ID:	6
Process:	C:\Users\user\AppData\Local\Temp\Payload.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.259753436570609
Encrypted:	false
Ssdeep:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
Size:	525
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Category:	dropped
Dump:	Windows.lnk.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\bfWVPQsRO1.exe
Type:	MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Entropy:	2.9005324467960167
Encrypted:	false
Ssdeep:	24:8gvWLgD4/BOmRC87q8MHBJrXE+16d0+qy:8pgDsvRC87tMhJrRhy
Size:	1238
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates a start menu entry (Start Menu\Programs\Startup)	Boot Survival	Registry Run Keys / Startup Folder
Sigma detected: Startup Folder File Write	System Summary
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Category:	dropped
Dump:	Windows.lnk0.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\bfWVPQsRO1.exe
Type:	MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Entropy:	2.9364199742996298
Encrypted:	false
Ssdeep:	12:8gl0csXU1e/tz0/CSLwrHj4/3BVwzyDilVBJrXE+1gCNfBf4t2YZ/elFlSJm:87vWLgD4/BUBJrXE+1pjqy
Size:	1058
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\bfWVPQsRO1.exe

"C:\Users\user\Desktop\bfWVPQsRO1.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6276
Target ID:	0
Parent PID:	1028
Name:	bfWVPQsRO1.exe
Path:	C:\Users\user\Desktop\bfWVPQsRO1.exe
Commandline:	"C:\Users\user\Desktop\bfWVPQsRO1.exe"
Size:	27648
MD5:	65ABBB1B8CB5F121249AD00BF99995AA
Time:	06:43:00
Date:	10/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xa50000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sigma detected: New RUN Key Pointing to Suspicious Folder	System Summary
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Startup Folder File Write	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Temp\Payload.exe

"C:\Users\user\AppData\Local\Temp\Payload.exe"

Details

Is windows:	false
Is dropped:	true
PID:	1440
Target ID:	2
Parent PID:	6276
Name:	Payload.exe
Path:	C:\Users\user\AppData\Local\Temp\Payload.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\Payload.exe"
Size:	27648
MD5:	65ABBB1B8CB5F121249AD00BF99995AA
Time:	06:43:09
Date:	10/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x4d0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Sigma detected: New RUN Key Pointing to Suspicious Folder	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\Payload.exe

"C:\Users\user\AppData\Local\Temp\Payload.exe"

Details

Is windows:	false
Is dropped:	true
PID:	6180
Target ID:	6
Parent PID:	1028
Name:	Payload.exe
Path:	C:\Users\user\AppData\Local\Temp\Payload.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\Payload.exe"
Size:	27648
MD5:	65ABBB1B8CB5F121249AD00BF99995AA
Time:	06:43:27
Date:	10/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x7d0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Sigma detected: New RUN Key Pointing to Suspicious Folder	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\user\AppData\Local\Temp\Payload.exe"

Details

Is windows:	true
Is dropped:	false
PID:	1476
Target ID:	3
Parent PID:	6276
Name:	attrib.exe
Path:	C:\Windows\SysWOW64\attrib.exe
Commandline:	attrib +h +r +s "C:\Users\user\AppData\Local\Temp\Payload.exe"
Size:	19456
MD5:	0E938DD280E83B1596EC6AA48729C2B0
Time:	06:43:09
Date:	10/10/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xe70000
Modulesize:	36864
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7096
Target ID:	4
Parent PID:	1476
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	06:43:09
Date:	10/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://go.microsoft.

unknown

http://go.microsoft.LinkId=42127

unknown

https://99.391.161.391

unknown

IPs

Domain

Country

Malicious

193.161.193.99

unknown

Russian Federation

Details

IP:	193.161.193.99
TargetID:	2
Current Path:	C:\Users\user\AppData\Local\Temp\Payload.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	198134
ASN name:	BITREE-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER

Details

TargetID:	0
Path:	HKEY_CURRENT_USER
Value name:	di
Value data:	!

Signature Hits	Behavior Group	Mitre Attack
Creates multiple autostart registry keys	Boot Survival	Registry Run Keys / Startup Folder
Disables zone checking for all users	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Sigma detected: New RUN Key Pointing to Suspicious Folder	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Reads software policies	System Summary	System Information Discovery

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Windows2

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	Windows2
Value data:	C:\Users\user\AppData\Local\Temp\Payload.exe

Signature Hits	Behavior Group	Mitre Attack
Creates multiple autostart registry keys	Boot Survival	Registry Run Keys / Startup Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

HKEY_CURRENT_USER\Environment

SEE_MASK_NOZONECHECKS

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Windows

Details

TargetID:	2
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	Windows
Value data:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL

Signature Hits	Behavior Group	Mitre Attack
Creates multiple autostart registry keys	Boot Survival	Registry Run Keys / Startup Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Windows2

Details

TargetID:	2
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	Windows2
Value data:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL

Signature Hits	Behavior Group	Mitre Attack
Creates multiple autostart registry keys	Boot Survival	Registry Run Keys / Startup Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run

Windows2

Details

TargetID:	2
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Value name:	Windows2
Value data:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run

Windows

Details

TargetID:	2
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Value name:	Windows
Value data:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

Memdumps

Base Address

Regiontype

Protect

Malicious

2B81000

trusted library allocation

page read and write

3011000

trusted library allocation

page read and write

56B0000

trusted library allocation

page execute and read and write

1162000

trusted library allocation

page execute and read and write

5200000

trusted library allocation

page read and write

AC7000

trusted library allocation

page execute and read and write

AEB000

stack

page read and write

578E000

stack

page read and write

5210000

trusted library allocation

page execute and read and write

1190000

heap

page read and write

5A4F000

stack

page read and write

1020000

heap

page read and write

F30000

heap

page read and write

FF0000

trusted library allocation

page execute and read and write

117B000

trusted library allocation

page execute and read and write

580E000

stack

page read and write

BEF000

heap

page read and write

14F0000

heap

page read and write

1177000

trusted library allocation

page execute and read and write

5F50000

heap

page read and write

8F6000

stack

page read and write

52A0000

heap

page read and write

101E000

heap

page read and write

1210000

heap

page read and write

C0E000

heap

page read and write

324F000

stack

page read and write

4014000

trusted library allocation

page read and write

2E01000

trusted library allocation

page read and write

4FCF000

stack

page read and write

598E000

stack

page read and write

1080000

trusted library allocation

page read and write

594E000

stack

page read and write

2EFD000

stack

page read and write

A90000

trusted library allocation

page read and write

D72000

trusted library allocation

page execute and read and write

D30000

heap

page execute and read and write

1090000

trusted library allocation

page execute and read and write

2C29000

trusted library allocation

page read and write

58B0000

heap

page read and write

4F9C000

stack

page read and write

2EBD000

stack

page read and write

FAF000

stack

page read and write

114C000

trusted library allocation

page execute and read and write

CEE000

stack

page read and write

1010000

trusted library allocation

page read and write

BD0000

heap

page read and write

4F9F000

stack

page read and write

568D000

stack

page read and write

1170000

trusted library allocation

page read and write

F9D000

stack

page read and write

50B0000

heap

page read and write

4011000

trusted library allocation

page read and write

113A000

trusted library allocation

page execute and read and write

B7E000

heap

page read and write

56A9000

stack

page read and write

14DE000

stack

page read and write

C40000

heap

page read and write

2FF0000

heap

page read and write

D80000

heap

page read and write

5280000

trusted library allocation

page read and write

C50000

heap

page read and write

ECB000

trusted library allocation

page execute and read and write

554E000

stack

page read and write

EB2000

trusted library allocation

page execute and read and write

56A000

stack

page read and write

B66000

stack

page read and write

B4E000

heap

page read and write

AD2000

trusted library allocation

page execute and read and write

594E000

stack

page read and write

4ECE000

stack

page read and write

102E000

stack

page read and write

5CDC000

stack

page read and write

3E01000

trusted library allocation

page read and write

2C15000

trusted library allocation

page read and write

985000

heap

page read and write

105D000

heap

page read and write

1083000

heap

page read and write

AB2000

trusted library allocation

page execute and read and write

1096000

heap

page read and write

BBC000

heap

page read and write

115A000

trusted library allocation

page execute and read and write

590F000

stack

page read and write

BFF000

heap

page read and write

E9C000

trusted library allocation

page execute and read and write

11AF000

stack

page read and write

FEE000

heap

page read and write

FE0000

heap

page read and write

311A000

heap

page read and write

10A0000

heap

page read and write

5750000

trusted library allocation

page execute and read and write

AAA000

trusted library allocation

page execute and read and write

2ABF000

stack

page read and write

11EC000

stack

page read and write

105B000

heap

page read and write

2F40000

heap

page read and write

EAA000

trusted library allocation

page execute and read and write

D60000

trusted library allocation

page read and write

5A90000

heap

page read and write

E90000

trusted library allocation

page read and write

1520000

heap

page execute and read and write

5E4E000

stack

page read and write

56C0000

unclassified section

page read and write

3400000

heap

page read and write

AA2000

trusted library allocation

page execute and read and write

AE2000

trusted library allocation

page read and write

8F9000

stack

page read and write

1006000

heap

page read and write

129E000

stack

page read and write

980000

heap

page read and write

BC3000

heap

page read and write

F58000

heap

page read and write

584E000

stack

page read and write

544E000

stack

page read and write

13DE000

stack

page read and write

51EF000

stack

page read and write

2F8E000

unkown

page read and write

106E000

stack

page read and write

A6B000

stack

page read and write

1020000

heap

page read and write

5F9D000

stack

page read and write

D90000

trusted library allocation

page read and write

54B0000

trusted library allocation

page read and write

E50000

heap

page read and write

5A8E000

stack

page read and write

ABA000

trusted library allocation

page execute and read and write

114A000

trusted library allocation

page execute and read and write

553F000

stack

page read and write

1094000

heap

page read and write

568F000

stack

page read and write

A5A000

unkown

page readonly

56CE000

stack

page read and write

2C2B000

trusted library allocation

page read and write

F50000

heap

page read and write

AE7000

trusted library allocation

page execute and read and write

57CE000

stack

page read and write

2FCF000

unkown

page read and write

1080000

heap

page read and write

5F4F000

stack

page read and write

1200000

trusted library allocation

page read and write

5DDC000

stack

page read and write

3E04000

trusted library allocation

page read and write

B20000

heap

page execute and read and write

A52000

unkown

page readonly

4B88000

trusted library allocation

page read and write

1500000

heap

page read and write

B69000

stack

page read and write

EF8000

heap

page read and write

EF0000

heap

page read and write

AB0000

trusted library allocation

page read and write

93E000

stack

page read and write

F55000

heap

page read and write

B40000

heap

page read and write

ADA000

trusted library allocation

page execute and read and write

4D1E000

stack

page read and write

F26000

heap

page read and write

FDD000

stack

page read and write

139E000

stack

page read and write

B48000

heap

page read and write

50EC000

stack

page read and write

509E000

stack

page read and write

1083000

heap

page read and write

609E000

stack

page read and write

F60000

heap

page read and write

FEC000

stack

page read and write

558E000

stack

page read and write

AF0000

heap

page read and write

EC7000

trusted library allocation

page execute and read and write

3117000

heap

page read and write

E8F000

stack

page read and write

53FE000

stack

page read and write

1120000

trusted library allocation

page read and write

CF0000

heap

page read and write

505E000

stack

page read and write

1090000

heap

page read and write

566C000

stack

page read and write

2FD0000

heap

page read and write

BE6000

stack

page read and write

A50000

unkown

page readonly

F0D000

heap

page read and write

58C0000

heap

page read and write

7FCD0000

trusted library allocation

page execute and read and write

FEA000

heap

page read and write

3110000

heap

page read and write

ACA000

trusted library allocation

page execute and read and write

D7A000

trusted library allocation

page execute and read and write

58A0000

heap

page read and write

310E000

stack

page read and write

D7E000

stack

page read and write

5E0000

heap

page read and write

DA0000

heap

page read and write

D00000

heap

page read and write

AEB000

trusted library allocation

page execute and read and write

3B81000

trusted library allocation

page read and write

EAE000

stack

page read and write

543E000

stack

page read and write

51ED000

stack

page read and write

1140000

trusted library allocation

page read and write

E92000

trusted library allocation

page execute and read and write

52FE000

stack

page read and write

5D0000

heap

page read and write

F69000

heap

page read and write

1142000

trusted library allocation

page execute and read and write

1132000

trusted library allocation

page execute and read and write

F40000

heap

page read and write

There are 194 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
bfWVPQsRO1.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportbfWVPQsRO1.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
bfWVPQsRO1.exe