Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.948885981882291
Filename:	file.exe
Filesize:	1846784
MD5:	501847eb502fb6641620bce360885248
SHA1:	377340f26b240648cf165fe4187896850281f576
SHA256:	00ffb53eeccbf175fee55d66119d997ed732aaa3d7aec64919a8c5726dd9301b
SHA512:	1c58489722ee798783262e72ebfab3d9a6668f1611b04c06d237ba69e70b7f5b3bd395937e94e3d4a40a112badd78bd66c42c7c3e2c2662831215a126fa7f46b
SSDEEP:	49152:xlniBG7iIlC0RbrZRdmAVF0EnG1xrTILgg8Z7:xQBGeMdmiA1xAggC7
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f............................. J...........@..........................PJ...........@.................................W...k..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Hides threads from debuggers	Anti Debugging	Virtualization/Sandbox Evasion Security Software Discovery
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)	Boot Survival
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion
Tries to detect sandboxes and other dynamic analysis tools (window names)	Anti Debugging
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion
Tries to evade debugger and weak emulator (self modifying code)	Malware Analysis System Evasion
Checks for debuggers (devices)	Anti Debugging
Checks if the current process is being debugged	Anti Debugging
Contains capabilities to detect virtual machines	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
One or more processes crash	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
PE file has a high occurrence of arithmetic instructions at the PE entrypoint (possbibily packed)	System Summary	Obfuscated Files or Information
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Queries a list of all running drivers	Malware Analysis System Evasion	System Information Discovery
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_2f26e4b65edfc9809a16d7533fcfcfa7c28d99cc_852b229c_f365d048-d750-4d31-8c84-dc291f86ae1d\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_2f26e4b65edfc9809a16d7533fcfcfa7c28d99cc_852b229c_f365d048-d750-4d31-8c84-dc291f86ae1d\Report.wer
Category:	dropped
Dump:	Report.wer.5.dr
ID:	dr_0
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	1.045903134794096
Encrypted:	false
Ssdeep:	192:LrGTh/vZOPlktS0BU/7E3juFvgszuiFNZ24IO8ThB:yAN6ZBU/AjPszuiFNY4IO8r
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
PE file has a high occurrence of arithmetic instructions at the PE entrypoint (possbibily packed)	System Summary	Obfuscated Files or Information
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9980.tmp.dmp

Mini DuMP crash report, 15 streams, Sun Oct 13 00:44:05 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9980.tmp.dmp
Category:	dropped
Dump:	WER9980.tmp.dmp.5.dr
ID:	dr_2
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 15 streams, Sun Oct 13 00:44:05 2024, 0x1205a4 type
Entropy:	1.5409149899303913
Encrypted:	false
Ssdeep:	768:mmyA8AB8NkCWfoJiDsHwRlnBAMJg6EeJ+LqU+KePWQb:V/+NyuiDm6n+WbKeP1b
Size:	275240
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9AAA.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9AAA.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER9AAA.tmp.WERInternalMetadata.xml.5.dr
ID:	dr_3
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.691537093034076
Encrypted:	false
Ssdeep:	192:R6l7wVeJ2C66mH2w6YEI9SUvlgmfBGejpr989bLZ9sfA5m:R6lXJI6mH2w6YEySUvlgmfZELZ2fj
Size:	8298
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9ADA.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9ADA.tmp.xml
Category:	dropped
Dump:	WER9ADA.tmp.xml.5.dr
ID:	dr_4
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.430877372993383
Encrypted:	false
Ssdeep:	48:cvIwWl8zsOJg77aI9hWWpW8VYLYm8M4JjlFNY9+q8CTfPzbd:uIjfEI7T37VzJhqj3zbd
Size:	4542
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.5.dr
ID:	dr_1
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.421322582905518
Encrypted:	false
Ssdeep:	6144:sSvfpi6ceLP/9skLmb0OTJWSPHaJG8nAgeMZMMhA2fX4WABlEnN20uhiTw:XvloTJW+EZMM6DFy403w
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6172
Target ID:	0
Parent PID:	1028
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	1846784
MD5:	501847EB502FB6641620BCE360885248
Time:	20:44:00
Date:	12/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x9b0000
Modulesize:	4870144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
PE file has a high occurrence of arithmetic instructions at the PE entrypoint (possbibily packed)	System Summary	Obfuscated Files or Information
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6172 -s 1084

Details

Is windows:	true
Is dropped:	false
PID:	6152
Target ID:	5
Parent PID:	6172
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6172 -s 1084
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	20:44:05
Date:	12/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x710000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6172 -s 1888

Details

Is windows:	true
Is dropped:	false
PID:	5588
Target ID:	6
Parent PID:	6172
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6172 -s 1888
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	20:44:05
Date:	12/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x710000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://sergei-esenin.com/

unknown

bathdoomgaz.store

studennotediw.store

https://sergei-esenin.com/apiE

unknown

clearancek.site

dissapoiznw.store

https://steamcommunity.com/profiles/76561199724331900

104.102.49.254

spirittunek.store

licendfilteo.site

https://steamcommunity.com:443/profiles/76561199724331900

unknown

eaglepawnoy.store

https://sergei-esenin.com/apiWq

unknown

https://steamcommunity.com/profiles/76561199724331900/inventory/

unknown

https://sergei-esenin.com:443/api

unknown

mobbipenju.store

https://sergei-esenin.com/api

104.21.53.8

https://steamcommunity.com/profiles/76561199724331900/badges

unknown

https://steamcommunity.com/my/wishlist/

unknown

https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp

unknown

https://steamcommunity.com/?subsection=broadcasts

unknown

https://help.steampowered.com/en/

unknown

https://steamcommunity.com/market/

unknown

https://store.steampowered.com/news/

unknown

https://store.steampowered.com/subscriber_agreement/

unknown

http://store.steampowered.com/subscriber_agreement/

unknown

https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1

unknown

https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en

unknown

http://www.valvesoftware.com/legal.htm

unknown

https://steamcommunity.com/discussions/

unknown

https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png

unknown

https://store.steampowered.com/stats/

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1

unknown

https://store.steampowered.com/steam_refunds/

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&

unknown

https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

unknown

https://avatars.akamai.steamstatica

unknown

https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900

unknown

https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e

unknown

https://clearancek.site:443/api

unknown

https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi

unknown

https://steamcommunity.com/workshop/

unknown

https://store.steampowered.com/legal/

unknown

https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv

unknown

https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl

unknown

http://store.steampowered.com/privacy_agreement/

unknown

https://store.steampowered.com/points/shop/

unknown

https://bathdoomgaz.store:443/apiL

unknown

http://upx.sf.net

unknown

https://store.steampowered.com/

unknown

https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw

unknown

https://studennotediw.store:443/api

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif

unknown

https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg

unknown

https://store.steampowered.com/privacy_agreement/

unknown

https://www.cloudflare.com/5xx-error-landing

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en

unknown

https://www.cloudflare.com/learning/access-management/phishing-attack

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0

unknown

https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a

unknown

https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am

unknown

https://spirittunek.store:443/api

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA

unknown

https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english

unknown

https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english

unknown

https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english

unknown

http://store.steampowered.com/account/cookiepreferences/

unknown

https://store.steampowered.com/mobile

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png

unknown

https://steamcommunity.com/

unknown

https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis

unknown

https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC

unknown

https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl

unknown

https://store.steampowered.com/about/

unknown

There are 73 hidden URLs, click here to show them.

Domains

Name

Malicious

steamcommunity.com

104.102.49.254

sergei-esenin.com

104.21.53.8

eaglepawnoy.store

unknown

bathdoomgaz.store

unknown

spirittunek.store

unknown

licendfilteo.site

unknown

studennotediw.store

unknown

mobbipenju.store

unknown

clearancek.site

unknown

dissapoiznw.store

unknown

IPs

Domain

Country

Malicious

104.21.53.8

sergei-esenin.com

United States

Details

IP:	104.21.53.8
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	sergei-esenin.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.102.49.254

steamcommunity.com

United States

Details

IP:	104.102.49.254
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	16625
ASN name:	AKAMAI-ASUS
Private:	false
Domain:	steamcommunity.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

\REGISTRY\A\{2033b02b-8313-f905-4807-203899401c3c}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

ProgramId

\REGISTRY\A\{2033b02b-8313-f905-4807-203899401c3c}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

FileId

\REGISTRY\A\{2033b02b-8313-f905-4807-203899401c3c}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

LowerCaseLongPath

\REGISTRY\A\{2033b02b-8313-f905-4807-203899401c3c}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

LongPathHash

\REGISTRY\A\{2033b02b-8313-f905-4807-203899401c3c}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

Name

\REGISTRY\A\{2033b02b-8313-f905-4807-203899401c3c}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

OriginalFileName

\REGISTRY\A\{2033b02b-8313-f905-4807-203899401c3c}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

Publisher

\REGISTRY\A\{2033b02b-8313-f905-4807-203899401c3c}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

Version

\REGISTRY\A\{2033b02b-8313-f905-4807-203899401c3c}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

BinFileVersion

\REGISTRY\A\{2033b02b-8313-f905-4807-203899401c3c}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

BinaryType

\REGISTRY\A\{2033b02b-8313-f905-4807-203899401c3c}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

ProductName

\REGISTRY\A\{2033b02b-8313-f905-4807-203899401c3c}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

ProductVersion

\REGISTRY\A\{2033b02b-8313-f905-4807-203899401c3c}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

LinkDate

\REGISTRY\A\{2033b02b-8313-f905-4807-203899401c3c}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

BinProductVersion

\REGISTRY\A\{2033b02b-8313-f905-4807-203899401c3c}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

AppxPackageFullName

\REGISTRY\A\{2033b02b-8313-f905-4807-203899401c3c}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

AppxPackageRelativeId

\REGISTRY\A\{2033b02b-8313-f905-4807-203899401c3c}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

Size

\REGISTRY\A\{2033b02b-8313-f905-4807-203899401c3c}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

Language

\REGISTRY\A\{2033b02b-8313-f905-4807-203899401c3c}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

Usn

There are 9 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

9B1000

unkown

page execute and read and write

145F000

heap

page read and write

5C9F000

stack

page read and write

584F000

stack

page read and write

4D41000

heap

page read and write

A10000

unkown

page execute and read and write

44AE000

stack

page read and write

13E3000

heap

page read and write

14D4000

heap

page read and write

13E0000

heap

page read and write

5350000

direct allocation

page execute and read and write

3AAE000

stack

page read and write

145F000

heap

page read and write

4D30000

direct allocation

page read and write

14D4000

heap

page read and write

2F4F000

stack

page read and write

54CD000

stack

page read and write

3CEF000

stack

page read and write

41EF000

stack

page read and write

141A000

heap

page read and write

4D2F000

stack

page read and write

4D30000

direct allocation

page read and write

14D4000

heap

page read and write

342F000

stack

page read and write

560E000

stack

page read and write

14D4000

heap

page read and write

14D4000

heap

page read and write

E52000

unkown

page execute and write copy

396E000

stack

page read and write

4D40000

heap

page read and write

51D0000

direct allocation

page read and write

392F000

stack

page read and write

588E000

stack

page read and write

45EE000

stack

page read and write

4D30000

direct allocation

page read and write

530F000

stack

page read and write

14D4000

heap

page read and write

137E000

stack

page read and write

4D30000

direct allocation

page read and write

B95000

unkown

page execute and read and write

1380000

heap

page read and write

1415000

heap

page read and write

36AF000

stack

page read and write

14D4000

heap

page read and write

4D30000

direct allocation

page read and write

1410000

heap

page read and write

14CE000

stack

page read and write

4D41000

heap

page read and write

436E000

stack

page read and write

3FAE000

stack

page read and write

2FA7000

heap

page read and write

2F90000

heap

page read and write

45AF000

stack

page read and write

1401000

heap

page read and write

356F000

stack

page read and write

5370000

direct allocation

page execute and read and write

14D4000

heap

page read and write

5350000

direct allocation

page execute and read and write

4D30000

direct allocation

page read and write

548E000

stack

page read and write

133D000

stack

page read and write

346E000

stack

page read and write

138E000

heap

page read and write

13CE000

heap

page read and write

3E2F000

stack

page read and write

14D4000

heap

page read and write

4D30000

direct allocation

page read and write

59FD000

stack

page read and write

4D41000

heap

page read and write

422E000

stack

page read and write

1410000

heap

page read and write

598D000

stack

page read and write

486E000

stack

page read and write

4BEF000

stack

page read and write

1471000

heap

page read and write

4D30000

direct allocation

page read and write

14D4000

heap

page read and write

1426000

heap

page read and write

5380000

direct allocation

page execute and read and write

13C8000

heap

page read and write

482F000

stack

page read and write

5180000

trusted library allocation

page read and write

14D4000

heap

page read and write

51C0000

remote allocation

page read and write

5180000

heap

page read and write

16AE000

stack

page read and write

5B9E000

stack

page read and write

4D41000

heap

page read and write

2FAD000

heap

page read and write

CB7000

unkown

page execute and read and write

14D4000

heap

page read and write

3BEE000

stack

page read and write

36EE000

stack

page read and write

1415000

heap

page read and write

31AF000

stack

page read and write

E51000

unkown

page execute and read and write

51C0000

remote allocation

page read and write

5330000

direct allocation

page execute and read and write

5CA0000

trusted library allocation

page read and write

CB7000

unkown

page execute and write copy

5350000

direct allocation

page execute and read and write

535D000

stack

page read and write

C72000

unkown

page execute and read and write

496F000

stack

page read and write

138A000

heap

page read and write

4D41000

heap

page read and write

446F000

stack

page read and write

432F000

stack

page read and write

30AF000

stack

page read and write

14D0000

heap

page read and write

141A000

heap

page read and write

3D2E000

stack

page read and write

46EF000

stack

page read and write

31EE000

stack

page read and write

FC0000

heap

page read and write

14D4000

heap

page read and write

14D4000

heap

page read and write

49AE000

stack

page read and write

14D4000

heap

page read and write

32EF000

stack

page read and write

5350000

direct allocation

page execute and read and write

4AAF000

stack

page read and write

1410000

heap

page read and write

9B1000

unkown

page execute and write copy

3F6F000

stack

page read and write

1401000

heap

page read and write

3BAF000

stack

page read and write

4D30000

direct allocation

page read and write

13FF000

heap

page read and write

14D4000

heap

page read and write

35AE000

stack

page read and write

574E000

stack

page read and write

13C5000

heap

page read and write

2F8C000

stack

page read and write

51D0000

direct allocation

page read and write

1476000

heap

page read and write

CA1000

unkown

page execute and read and write

1418000

heap

page read and write

4D50000

heap

page read and write

5360000

direct allocation

page execute and read and write

14D4000

heap

page read and write

9B0000

unkown

page readonly

2FA0000

heap

page read and write

141A000

heap

page read and write

4D30000

direct allocation

page read and write

4D41000

heap

page read and write

3A6F000

stack

page read and write

40AF000

stack

page read and write

51C0000

remote allocation

page read and write

5B50000

heap

page read and write

1401000

heap

page read and write

5320000

direct allocation

page execute and read and write

13CE000

heap

page read and write

55CD000

stack

page read and write

13C0000

heap

page read and write

14D4000

heap

page read and write

14D4000

heap

page read and write

4D41000

heap

page read and write

4C2E000

stack

page read and write

145A000

heap

page read and write

9B0000

unkown

page read and write

14D4000

heap

page read and write

12FB000

stack

page read and write

4D30000

direct allocation

page read and write

13E0000

heap

page read and write

1426000

heap

page read and write

37EF000

stack

page read and write

332E000

stack

page read and write

14D4000

heap

page read and write

1469000

heap

page read and write

570F000

stack

page read and write

4D41000

heap

page read and write

4AEE000

stack

page read and write

4D30000

direct allocation

page read and write

14D4000

heap

page read and write

146C000

heap

page read and write

4D30000

direct allocation

page read and write

5350000

direct allocation

page execute and read and write

13E3000

heap

page read and write

5340000

direct allocation

page execute and read and write

51D0000

direct allocation

page read and write

CA8000

unkown

page execute and read and write

472E000

stack

page read and write

14D4000

heap

page read and write

1418000

heap

page read and write

4D30000

direct allocation

page read and write

13BD000

heap

page read and write

4D41000

heap

page read and write

146C000

heap

page read and write

13B8000

heap

page read and write

40EE000

stack

page read and write

3E6E000

stack

page read and write

5350000

direct allocation

page execute and read and write

5AFE000

stack

page read and write

F5B000

stack

page read and write

14D4000

heap

page read and write

14D4000

heap

page read and write

FB0000

heap

page read and write

1418000

heap

page read and write

5399000

trusted library allocation

page read and write

CB8000

unkown

page execute and write copy

382E000

stack

page read and write

1415000

heap

page read and write

520B000

stack

page read and write

There are 194 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
file.exe