Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.947641425285762
Filename:	file.exe
Filesize:	1870336
MD5:	65f0d675552d4962ef62730c4dc2b7f2
SHA1:	97274db72b6b654b23c9985075b4c2c1bd6044c8
SHA256:	da04996a87142ebbfd548a3ec20bbf83fbda45af8a7e41ffea51dfac653e60cf
SHA512:	52c34148038e44a05e1ac213bc4b2505da8ad87f8c1f02b09925a4ab7ef522a2942b42c85f08593f5e4d840b01381f9d4c1ae5342ebb5f46c9214eb5d1b160e4
SSDEEP:	24576:Yga+Ar4d5K5k7hCeubE5wiUFDuJ8Z3snG7NSOegrdzeOi/yj303m/iT79cpcvTm8:TcM1CseBVsG7NSOeGdmaEmJpcvZ1Dj
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................J...........@...........................J...........@.................................W...k..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Hides threads from debuggers	Anti Debugging	Virtualization/Sandbox Evasion Security Software Discovery
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)	Boot Survival
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion
Tries to detect sandboxes and other dynamic analysis tools (window names)	Anti Debugging
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion
Tries to evade debugger and weak emulator (self modifying code)	Malware Analysis System Evasion
Checks for debuggers (devices)	Anti Debugging
Checks if the current process is being debugged	Anti Debugging
Contains capabilities to detect virtual machines	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
One or more processes crash	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Found strings which match to known social media urls	Networking
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Queries a list of all running drivers	Malware Analysis System Evasion	System Information Discovery
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_2f26e4b65edfc9809a16d7533fcfcfa7c28d99cc_852b229c_91cf98b8-f850-4f01-b2eb-8616ce693643\Report.wer

data

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_2f26e4b65edfc9809a16d7533fcfcfa7c28d99cc_852b229c_91cf98b8-f850-4f01-b2eb-8616ce693643\Report.wer
Category:	dropped
Dump:	Report.wer.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	data
Entropy:	1.0517770372427475
Encrypted:	false
Ssdeep:	192:+NklAItAvbPlktS0BU/Huiu3juFt31TnkzuiFVZ24IO8TFuB:+NzbN6ZBU/Aj3zuiFVY4IO8g
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EB8.tmp.dmp

Mini DuMP crash report, 15 streams, Sat Oct 12 22:48:13 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EB8.tmp.dmp
Category:	dropped
Dump:	WER9EB8.tmp.dmp.4.dr
ID:	dr_0
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 15 streams, Sat Oct 12 22:48:13 2024, 0x1205a4 type
Entropy:	1.4389387372027371
Encrypted:	false
Ssdeep:	768:XK8pABAg+PPfynpzX4OiTa+ZfrMXAflXgu9ny0uUY+9:Xr7nqpzoD1ZfrMwfljny0uUT9
Size:	284998
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9FF1.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9FF1.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER9FF1.tmp.WERInternalMetadata.xml.4.dr
ID:	dr_1
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.6902837710334127
Encrypted:	false
Ssdeep:	192:R6l7wVeJACq6fqEz6YcDUSUBggmfBGejFprv89bqXsfuvOm:R6lXJ66fqEz6YDSU2gmfZ0qcf2
Size:	8294
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA021.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERA021.tmp.xml
Category:	dropped
Dump:	WERA021.tmp.xml.4.dr
ID:	dr_2
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.427567642716202
Encrypted:	false
Ssdeep:	48:cvIwWl8zsKNJg77aI9upWpW8VYZYm8M4JjlFd+q8C2umJd:uIjfKnI7AY7VpJhmumJd
Size:	4542
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.4.dr
ID:	dr_4
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.393773478384471
Encrypted:	false
Ssdeep:	6144:9l4fiJoH0ncNXiUjt10q+G/gaocYGBoaUMMhA2NX4WABlBuNAmOBSqa:z4vF+MYQUMM6VFYSmU
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1364
Target ID:	0
Parent PID:	3504
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	1870336
MD5:	65F0D675552D4962EF62730C4DC2B7F2
Time:	18:48:06
Date:	12/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc70000
Modulesize:	4907008
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 1900

Details

Is windows:	true
Is dropped:	false
PID:	2840
Target ID:	4
Parent PID:	1364
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 1900
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	18:48:13
Date:	12/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x3b0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://sergei-esenin.com/

unknown

studennotediw.store

dissapoiznw.store

https://steamcommunity.com/profiles/76561199724331900

104.102.49.254

eaglepawnoy.store

https://steamcommunity.com/profiles/76561199724331900/inventory/

unknown

https://sergei-esenin.com/S

unknown

https://sergei-esenin.com/apigYa

unknown

https://sergei-esenin.com/3

unknown

bathdoomgaz.store

clearancek.site

https://steamcommunity.com/profiles/76561199724331900h

unknown

spirittunek.store

licendfilteo.site

mobbipenju.store

https://www.cloudflare.com/learning/access-management/phishing-attack/

unknown

https://player.vimeo.com

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp

unknown

https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f

unknown

https://steamcommunity.com/?subsection=broadcasts

unknown

https://store.steampowered.com/subscriber_agreement/

unknown

https://www.gstatic.cn/recaptcha/

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6

unknown

http://www.valvesoftware.com/legal.htm

unknown

https://www.youtube.com

unknown

https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png

unknown

https://www.google.com

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png

unknown

https://spirittunek.store/

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&

unknown

https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

unknown

https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi

unknown

https://s.ytimg.com;

unknown

https://steam.tv/

unknown

https://steamcommunity.com/z1

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english

unknown

http://store.steampowered.com/privacy_agreement/

unknown

https://store.steampowered.com/points/shop/

unknown

https://sketchfab.com

unknown

https://lv.queniujq.cn

unknown

https://www.youtube.com/

unknown

https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg

unknown

https://store.steampowered.com/privacy_agreement/

unknown

https://www.cloudflare.com/learning/access-manag

unknown

https://www.cloudflare.com/5xx-error-landing

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0

unknown

https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am

unknown

https://www.google.com/recaptcha/

unknown

https://avatars.akamai.steamstaticQn

unknown

https://checkout.steampowered.com/

unknown

https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english

unknown

https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis

unknown

https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC

unknown

https://store.steampowered.com/;

unknown

https://store.steampowered.com/about/

unknown

https://steamcommunity.com/my/wishlist/

unknown

https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english

unknown

https://help.steampowered.com/en/

unknown

https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/

unknown

https://steamcommunity.com/market/

unknown

https://store.steampowered.com/news/

unknown

https://community.akamai.steamstatic.com/

unknown

http://store.steampowered.com/subscriber_agreement/

unknown

https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1

unknown

https://recaptcha.net/recaptcha/;

unknown

https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en

unknown

https://steamcommunity.com/discussions/

unknown

https://store.steampowered.com/stats/

unknown

https://medal.tv

unknown

https://broadcast.st.dl.eccdnx.com

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1

unknown

https://store.steampowered.com/steam_refunds/

unknown

https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900

unknown

https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e

unknown

https://steamcommunity.com/workshop/

unknown

https://login.steampowered.com/

unknown

https://store.steam

unknown

https://store.steampowered.com/legal/

unknown

https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv

unknown

https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl

unknown

https://store.steampowered.com;

unknown

https://recaptcha.net

unknown

http://upx.sf.net

unknown

https://store.steampowered.com/

unknown

https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif

unknown

http://127.0.0.1:27060

unknown

https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA

unknown

https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english

unknown

https://help.steampowered.com/

unknown

https://api.steampowered.com/

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

steamcommunity.com

104.102.49.254

sergei-esenin.com

172.67.206.204

eaglepawnoy.store

unknown

bathdoomgaz.store

unknown

spirittunek.store

unknown

licendfilteo.site

unknown

studennotediw.store

unknown

mobbipenju.store

unknown

clearancek.site

unknown

dissapoiznw.store

unknown

s-part-0032.t-0009.t-msedge.net

13.107.246.60

There are 1 hidden domains, click here to show them.

IPs

Domain

Country

Malicious

104.102.49.254

steamcommunity.com

United States

Details

IP:	104.102.49.254
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	16625
ASN name:	AKAMAI-ASUS
Private:	false
Domain:	steamcommunity.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

172.67.206.204

sergei-esenin.com

United States

Details

IP:	172.67.206.204
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	sergei-esenin.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

\REGISTRY\A\{bb2d5c57-ab1b-4fda-0b13-1241cd2f3061}\Root\InventoryApplicationFile\file.exe|6945bd954f79b1ce

ProgramId

\REGISTRY\A\{bb2d5c57-ab1b-4fda-0b13-1241cd2f3061}\Root\InventoryApplicationFile\file.exe|6945bd954f79b1ce

FileId

\REGISTRY\A\{bb2d5c57-ab1b-4fda-0b13-1241cd2f3061}\Root\InventoryApplicationFile\file.exe|6945bd954f79b1ce

LowerCaseLongPath

\REGISTRY\A\{bb2d5c57-ab1b-4fda-0b13-1241cd2f3061}\Root\InventoryApplicationFile\file.exe|6945bd954f79b1ce

LongPathHash

\REGISTRY\A\{bb2d5c57-ab1b-4fda-0b13-1241cd2f3061}\Root\InventoryApplicationFile\file.exe|6945bd954f79b1ce

Name

\REGISTRY\A\{bb2d5c57-ab1b-4fda-0b13-1241cd2f3061}\Root\InventoryApplicationFile\file.exe|6945bd954f79b1ce

OriginalFileName

\REGISTRY\A\{bb2d5c57-ab1b-4fda-0b13-1241cd2f3061}\Root\InventoryApplicationFile\file.exe|6945bd954f79b1ce

Publisher

\REGISTRY\A\{bb2d5c57-ab1b-4fda-0b13-1241cd2f3061}\Root\InventoryApplicationFile\file.exe|6945bd954f79b1ce

Version

\REGISTRY\A\{bb2d5c57-ab1b-4fda-0b13-1241cd2f3061}\Root\InventoryApplicationFile\file.exe|6945bd954f79b1ce

BinFileVersion

\REGISTRY\A\{bb2d5c57-ab1b-4fda-0b13-1241cd2f3061}\Root\InventoryApplicationFile\file.exe|6945bd954f79b1ce

BinaryType

\REGISTRY\A\{bb2d5c57-ab1b-4fda-0b13-1241cd2f3061}\Root\InventoryApplicationFile\file.exe|6945bd954f79b1ce

ProductName

\REGISTRY\A\{bb2d5c57-ab1b-4fda-0b13-1241cd2f3061}\Root\InventoryApplicationFile\file.exe|6945bd954f79b1ce

ProductVersion

\REGISTRY\A\{bb2d5c57-ab1b-4fda-0b13-1241cd2f3061}\Root\InventoryApplicationFile\file.exe|6945bd954f79b1ce

LinkDate

\REGISTRY\A\{bb2d5c57-ab1b-4fda-0b13-1241cd2f3061}\Root\InventoryApplicationFile\file.exe|6945bd954f79b1ce

BinProductVersion

\REGISTRY\A\{bb2d5c57-ab1b-4fda-0b13-1241cd2f3061}\Root\InventoryApplicationFile\file.exe|6945bd954f79b1ce

AppxPackageFullName

\REGISTRY\A\{bb2d5c57-ab1b-4fda-0b13-1241cd2f3061}\Root\InventoryApplicationFile\file.exe|6945bd954f79b1ce

AppxPackageRelativeId

\REGISTRY\A\{bb2d5c57-ab1b-4fda-0b13-1241cd2f3061}\Root\InventoryApplicationFile\file.exe|6945bd954f79b1ce

Size

\REGISTRY\A\{bb2d5c57-ab1b-4fda-0b13-1241cd2f3061}\Root\InventoryApplicationFile\file.exe|6945bd954f79b1ce

Language

\REGISTRY\A\{bb2d5c57-ab1b-4fda-0b13-1241cd2f3061}\Root\InventoryApplicationFile\file.exe|6945bd954f79b1ce

Usn

There are 9 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

C71000

unkown

page execute and read and write

5BA000

heap

page read and write

2CFE000

stack

page read and write

44B1000

heap

page read and write

32FF000

stack

page read and write

6EE000

stack

page read and write

36BF000

stack

page read and write

610000

heap

page read and write

F6C000

unkown

page execute and read and write

4AB0000

direct allocation

page execute and read and write

5F8000

heap

page read and write

6A6000

heap

page read and write

4FDD000

stack

page read and write

528E000

stack

page read and write

44B1000

heap

page read and write

538F000

stack

page read and write

4AC0000

direct allocation

page execute and read and write

44A0000

direct allocation

page read and write

C6E000

stack

page read and write

6F0000

heap

page read and write

4AC0000

direct allocation

page execute and read and write

44A0000

direct allocation

page read and write

649000

heap

page read and write

5F9000

heap

page read and write

F7C000

unkown

page execute and write copy

437E000

stack

page read and write

550F000

stack

page read and write

C70000

unkown

page readonly

347E000

stack

page read and write

44B1000

heap

page read and write

4AC0000

direct allocation

page execute and read and write

4AC0000

direct allocation

page execute and read and write

C2C000

heap

page read and write

2F7E000

stack

page read and write

5530000

trusted library allocation

page read and write

F7B000

unkown

page execute and read and write

649000

heap

page read and write

638000

heap

page read and write

4FB000

stack

page read and write

2BBE000

stack

page read and write

44B1000

heap

page read and write

649000

heap

page read and write

2CBF000

stack

page read and write

383E000

stack

page read and write

111B000

unkown

page execute and write copy

5F0000

heap

page read and write

4E7E000

stack

page read and write

4ACD000

stack

page read and write

638000

heap

page read and write

53C0000

heap

page read and write

E52000

unkown

page execute and read and write

F63000

unkown

page execute and read and write

522E000

stack

page read and write

3E7E000

stack

page read and write

2E3E000

stack

page read and write

44A0000

direct allocation

page read and write

3FBE000

stack

page read and write

44B1000

heap

page read and write

67C000

heap

page read and write

62A000

heap

page read and write

111A000

unkown

page execute and read and write

4F7F000

stack

page read and write

423E000

stack

page read and write

27BF000

stack

page read and write

68C000

heap

page read and write

44B1000

heap

page read and write

31BF000

stack

page read and write

560000

heap

page read and write

3CFF000

stack

page read and write

5FE000

heap

page read and write

4F90000

remote allocation

page read and write

44B0000

heap

page read and write

5F4000

heap

page read and write

3ABE000

stack

page read and write

447F000

stack

page read and write

649000

heap

page read and write

1FB000

stack

page read and write

4E3E000

stack

page read and write

62A000

heap

page read and write

44A0000

direct allocation

page read and write

35BE000

stack

page read and write

44A0000

direct allocation

page read and write

F37000

unkown

page execute and read and write

682000

heap

page read and write

A0F000

stack

page read and write

644000

heap

page read and write

CD0000

unkown

page execute and read and write

638000

heap

page read and write

31FE000

stack

page read and write

3F7F000

stack

page read and write

44B1000

heap

page read and write

4CFD000

stack

page read and write

4AC0000

direct allocation

page execute and read and write

F7B000

unkown

page execute and write copy

30BE000

stack

page read and write

2F3F000

stack

page read and write

4A90000

direct allocation

page execute and read and write

40FE000

stack

page read and write

45B0000

trusted library allocation

page read and write

4A7F000

stack

page read and write

44B1000

heap

page read and write

6AA000

heap

page read and write

697000

heap

page read and write

44A0000

direct allocation

page read and write

6AA000

heap

page read and write

3A7F000

stack

page read and write

5E7000

heap

page read and write

44B1000

heap

page read and write

638000

heap

page read and write

44A0000

direct allocation

page read and write

4AF0000

direct allocation

page execute and read and write

3BBF000

stack

page read and write

44B1000

heap

page read and write

C27000

heap

page read and write

C70000

unkown

page read and write

50DD000

stack

page read and write

2B7F000

stack

page read and write

44A0000

direct allocation

page read and write

44B1000

heap

page read and write

397E000

stack

page read and write

2A7E000

stack

page read and write

8CE000

stack

page read and write

4940000

direct allocation

page read and write

6F5000

heap

page read and write

540E000

stack

page read and write

90E000

stack

page read and write

44A0000

direct allocation

page read and write

512E000

stack

page read and write

4F90000

remote allocation

page read and write

5FE000

heap

page read and write

4F90000

remote allocation

page read and write

4AC0000

direct allocation

page execute and read and write

3E3F000

stack

page read and write

492D000

stack

page read and write

497B000

stack

page read and write

433F000

stack

page read and write

62B000

heap

page read and write

5BE000

heap

page read and write

649000

heap

page read and write

44A0000

direct allocation

page read and write

C71000

unkown

page execute and write copy

44B1000

heap

page read and write

C10000

heap

page read and write

4940000

direct allocation

page read and write

27FC000

stack

page read and write

44A0000

direct allocation

page read and write

44B1000

heap

page read and write

37FF000

stack

page read and write

44C0000

heap

page read and write

4AE0000

direct allocation

page execute and read and write

4480000

heap

page read and write

550000

heap

page read and write

44B1000

heap

page read and write

357F000

stack

page read and write

44A0000

direct allocation

page read and write

44A0000

direct allocation

page read and write

3BFE000

stack

page read and write

4D3E000

stack

page read and write

610000

heap

page read and write

4AA0000

direct allocation

page execute and read and write

644000

heap

page read and write

2A3F000

stack

page read and write

4BFE000

stack

page read and write

44B1000

heap

page read and write

3D3E000

stack

page read and write

28FE000

stack

page read and write

2DFF000

stack

page read and write

333E000

stack

page read and write

343F000

stack

page read and write

69F000

heap

page read and write

307F000

stack

page read and write

44B1000

heap

page read and write

68B000

heap

page read and write

44B1000

heap

page read and write

40BF000

stack

page read and write

293E000

stack

page read and write

C20000

heap

page read and write

62B000

heap

page read and write

68B000

heap

page read and write

44B1000

heap

page read and write

5B0000

heap

page read and write

41FF000

stack

page read and write

4B06000

trusted library allocation

page read and write

62A000

heap

page read and write

393F000

stack

page read and write

610000

heap

page read and write

637000

heap

page read and write

44A0000

direct allocation

page read and write

4940000

direct allocation

page read and write

36FE000

stack

page read and write

4AD0000

direct allocation

page execute and read and write

44B1000

heap

page read and write

5FE000

heap

page read and write

There are 183 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
file.exe