Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.949231201981119
Filename:	file.exe
Filesize:	1912832
MD5:	7cf6ca7aa32a2c99dd2e98402c9378a1
SHA1:	bbed49554b5dbda459820b76c59ea21592a81f66
SHA256:	880807d4fec91e5e49dfe8dae955a3f54a260ba185534cd3460718f03d96d2ad
SHA512:	c6199ca37869b7a112b120247f8e87d3d3c7cdff3eccea9134db2fd18c46d0fdf6035e8cdcd047a20c6ad6f1339b9b751986213c4fdb8eadbbb387521e4df8c2
SSDEEP:	49152:0EZvdcnYiFX8TFaxosPT/a9Vne2B3Q8DW+90K7:J1crFXwFaxPb/a9dDJ4+GS
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................L...........@...........................L.....;.....@.................................W...k..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Hides threads from debuggers	Anti Debugging
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)	Boot Survival
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion
Tries to detect sandboxes and other dynamic analysis tools (window names)	Anti Debugging
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion
Tries to evade debugger and weak emulator (self modifying code)	Malware Analysis System Evasion	System Information Discovery
Checks for debuggers (devices)	Anti Debugging
Checks if the current process is being debugged	Anti Debugging
Contains capabilities to detect virtual machines	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
One or more processes crash	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Found strings which match to known social media urls	Networking
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Queries a list of all running drivers	Malware Analysis System Evasion
Queries a list of all running processes	Malware Analysis System Evasion
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_2f26e4b65edfc9809a16d7533fcfcfa7c28d99cc_852b229c_d55876a5-eb33-46da-b017-03e896b833b4\Report.wer

data

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_2f26e4b65edfc9809a16d7533fcfcfa7c28d99cc_852b229c_d55876a5-eb33-46da-b017-03e896b833b4\Report.wer
Category:	dropped
Dump:	Report.wer.4.dr
ID:	dr_0
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	data
Entropy:	1.0215520590632747
Encrypted:	false
Ssdeep:	192:G872pivpPlktS0BU/7E3juFHEzuiFE5NZ24IO8ThB:G4pN6ZBU/AjjzuiF2Y4IO8r
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3205.tmp.dmp

Mini DuMP crash report, 15 streams, Sun Oct 13 11:59:10 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER3205.tmp.dmp
Category:	dropped
Dump:	WER3205.tmp.dmp.4.dr
ID:	dr_2
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 15 streams, Sun Oct 13 11:59:10 2024, 0x1205a4 type
Entropy:	1.48142914080104
Encrypted:	false
Ssdeep:	768:BMQ7lD75ABJloflvmX3pgWxOTILdcKt0Jzf2ENYUnRT:379PluHpgWUTIcKtQz2ENHR
Size:	283976
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER332F.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER332F.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER332F.tmp.WERInternalMetadata.xml.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.6926068691172267
Encrypted:	false
Ssdeep:	192:R6l7wVeJ1CE6IQV4d6YEIdSUBAyMyGgmfBGepprq89bQGsfTQm:R6lXJr6IQV4d6YECSUBApTgmfZHQlfh
Size:	8296
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER335F.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER335F.tmp.xml
Category:	dropped
Dump:	WER335F.tmp.xml.4.dr
ID:	dr_4
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.426539014929421
Encrypted:	false
Ssdeep:	48:cvIwWl8zshJg77aI9gLWpW8VYLYm8M4JjlF7s+q8Ck5XR+Td:uIjfzI7y67V7J/sU5XR+Td
Size:	4542
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.4.dr
ID:	dr_1
Target ID:	4
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.421311097382272
Encrypted:	false
Ssdeep:	6144:uSvfpi6ceLP/9skLmb0OTZWSPHaJG8nAgeMZMMhA2fX4WABlEnN20uhiTw:NvloTZW+EZMM6DFy403w
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6616
Target ID:	0
Parent PID:	1028
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	1912832
MD5:	7CF6CA7AA32A2C99DD2E98402C9378A1
Time:	07:59:05
Date:	13/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xf70000
Modulesize:	5042176
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6616 -s 1924

Details

Is windows:	true
Is dropped:	false
PID:	5604
Target ID:	4
Parent PID:	6616
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6616 -s 1924
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	07:59:10
Date:	13/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x6f0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://sergei-esenin.com/

unknown

studennotediw.store

dissapoiznw.store

https://steamcommunity.com/profiles/76561199724331900

104.102.49.254

eaglepawnoy.store

https://steamcommunity.com/profiles/76561199724331900/inventory/

unknown

bathdoomgaz.store

https://sergei-esenin.com/apiK

unknown

clearancek.site

spirittunek.store

licendfilteo.site

mobbipenju.store

https://sergei-esenin.com/api

172.67.206.204

https://www.cloudflare.com/learning/access-management/phishing-attack/

unknown

https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_com

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp

unknown

https://steamcommunity.com/?subsection=broadcasts

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/moda

unknown

https://store.steampowered.com/subscriber_agreement/

unknown

https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzz

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6

unknown

http://www.valvesoftware.com/legal.htm

unknown

https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=L

unknown

https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

unknown

https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi

unknown

https://s.ytimg.com;

unknown

https://steambroadcast-test.akamaized

unknown

https://steam.tv/

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english

unknown

https://www.cloudflare.com/learning/access-managrs

unknown

http://store.steampowered.com/privacy_agreement/

unknown

https://store.steampowered.com/points/shop/

unknown

https://lv.queniujq.cn

unknown

https://www.youtube.com/

unknown

https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg

unknown

https://store.steampowered.com/privacy_agreement/

unknown

https://www.cloudflare.com/learning/access-manag

unknown

https://www.cloudflare.com/5xx-error-landing

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.jL

unknown

https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am

unknown

https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english

unknown

https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english

unknown

https://cdn.akamai.

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png

unknown

https://help.st

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis

unknown

https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC

unknown

https://store.steampowered.com/;

unknown

https://store.steampowered.com/about/

unknown

https://steamcommunity.com/my/wishlist/

unknown

https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english

unknown

https://checkout.steampow

unknown

https://help.steampowered.com/en/

unknown

https://steamcommunity.com/market/

unknown

https://store.steampowered.com/news/

unknown

https://community.akamai.steamstatic.com/

unknown

http://store.steampowered.com/subscriber_agreement/

unknown

https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1

unknown

https://recaptcha.net/recaptcha/;

unknown

https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en

unknown

https://community.akamai.stea

unknown

https://login.steamp

unknown

https://steamcommunity.com/discussions/

unknown

https://store.steampowered.com/stats/

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1

unknown

https://store.steampowered.com/steam_refunds/

unknown

https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900

unknown

https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e

unknown

https://steamcommunity.com/workshop/

unknown

https://login.steampowered.com/

unknown

https://store.steampowered.com/legal/

unknown

https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e

unknown

https://community.a

unknown

https://community.akamai.steamstatic.com/public/css

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv

unknown

https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl

unknown

http://upx.sf.net

unknown

https://store.steampowered.com/

unknown

https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif

unknown

http://127.0.0.1:27060

unknown

https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016

unknown

https://steamcommunity.com/profiles/765611997

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA

unknown

https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english

unknown

https://help.steampowered.com/

unknown

https://api.steampowered.com/

unknown

http://store.steampowered.com/account/cookiepreferences/

unknown

https://store.steampowered.com/mobile

unknown

https://steamcommunity.com/

unknown

https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

steamcommunity.com

104.102.49.254

sergei-esenin.com

172.67.206.204

eaglepawnoy.store

unknown

bathdoomgaz.store

unknown

spirittunek.store

unknown

licendfilteo.site

unknown

studennotediw.store

unknown

mobbipenju.store

unknown

clearancek.site

unknown

dissapoiznw.store

unknown

IPs

Domain

Country

Malicious

104.102.49.254

steamcommunity.com

United States

Details

IP:	104.102.49.254
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	16625
ASN name:	AKAMAI-ASUS
Private:	false
Domain:	steamcommunity.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

172.67.206.204

sergei-esenin.com

United States

Details

IP:	172.67.206.204
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	sergei-esenin.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

\REGISTRY\A\{db5d98ac-a3bb-6d45-73dc-5e673fdf29fe}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

ProgramId

\REGISTRY\A\{db5d98ac-a3bb-6d45-73dc-5e673fdf29fe}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

FileId

\REGISTRY\A\{db5d98ac-a3bb-6d45-73dc-5e673fdf29fe}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

LowerCaseLongPath

\REGISTRY\A\{db5d98ac-a3bb-6d45-73dc-5e673fdf29fe}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

LongPathHash

\REGISTRY\A\{db5d98ac-a3bb-6d45-73dc-5e673fdf29fe}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

Name

\REGISTRY\A\{db5d98ac-a3bb-6d45-73dc-5e673fdf29fe}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

OriginalFileName

\REGISTRY\A\{db5d98ac-a3bb-6d45-73dc-5e673fdf29fe}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

Publisher

\REGISTRY\A\{db5d98ac-a3bb-6d45-73dc-5e673fdf29fe}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

Version

\REGISTRY\A\{db5d98ac-a3bb-6d45-73dc-5e673fdf29fe}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

BinFileVersion

\REGISTRY\A\{db5d98ac-a3bb-6d45-73dc-5e673fdf29fe}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

BinaryType

\REGISTRY\A\{db5d98ac-a3bb-6d45-73dc-5e673fdf29fe}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

ProductName

\REGISTRY\A\{db5d98ac-a3bb-6d45-73dc-5e673fdf29fe}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

ProductVersion

\REGISTRY\A\{db5d98ac-a3bb-6d45-73dc-5e673fdf29fe}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

LinkDate

\REGISTRY\A\{db5d98ac-a3bb-6d45-73dc-5e673fdf29fe}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

BinProductVersion

\REGISTRY\A\{db5d98ac-a3bb-6d45-73dc-5e673fdf29fe}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

AppxPackageFullName

\REGISTRY\A\{db5d98ac-a3bb-6d45-73dc-5e673fdf29fe}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

AppxPackageRelativeId

\REGISTRY\A\{db5d98ac-a3bb-6d45-73dc-5e673fdf29fe}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

Size

\REGISTRY\A\{db5d98ac-a3bb-6d45-73dc-5e673fdf29fe}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

Language

\REGISTRY\A\{db5d98ac-a3bb-6d45-73dc-5e673fdf29fe}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

Usn

There are 9 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

F71000

unkown

page execute and read and write

15BC000

heap

page read and write

4C91000

heap

page read and write

48BF000

stack

page read and write

551D000

stack

page read and write

5110000

remote allocation

page read and write

EEE000

stack

page read and write

403E000

stack

page read and write

453E000

stack

page read and write

15AE000

heap

page read and write

3EFE000

stack

page read and write

DD0000

heap

page read and write

DD4000

heap

page read and write

3DBE000

stack

page read and write

4C80000

direct allocation

page read and write

1569000

heap

page read and write

DD4000

heap

page read and write

1520000

heap

page read and write

31BE000

stack

page read and write

143B000

unkown

page execute and read and write

43BF000

stack

page read and write

DD4000

heap

page read and write

4C91000

heap

page read and write

4C7F000

stack

page read and write

565F000

stack

page read and write

427F000

stack

page read and write

1167000

unkown

page execute and read and write

5110000

remote allocation

page read and write

DD4000

heap

page read and write

4C91000

heap

page read and write

5C30000

heap

page read and write

525F000

stack

page read and write

3D7F000

stack

page read and write

15BC000

heap

page read and write

F70000

unkown

page read and write

52A0000

direct allocation

page execute and read and write

1291000

unkown

page execute and write copy

4C80000

direct allocation

page read and write

4B7E000

stack

page read and write

151D000

heap

page read and write

156E000

heap

page read and write

DD4000

heap

page read and write

52A0000

direct allocation

page execute and read and write

181E000

stack

page read and write

4C80000

direct allocation

page read and write

DD4000

heap

page read and write

DD4000

heap

page read and write

5AAE000

stack

page read and write

15BC000

heap

page read and write

15AE000

heap

page read and write

52EC000

trusted library allocation

page read and write

463F000

stack

page read and write

CFB000

stack

page read and write

38BE000

stack

page read and write

15AE000

heap

page read and write

9DB000

stack

page read and write

57DE000

stack

page read and write

DD4000

heap

page read and write

477F000

stack

page read and write

14BE000

stack

page read and write

1565000

heap

page read and write

579F000

stack

page read and write

52B0000

direct allocation

page execute and read and write

32BF000

stack

page read and write

F6B000

stack

page read and write

594D000

stack

page read and write

47BE000

stack

page read and write

DD4000

heap

page read and write

156E000

heap

page read and write

1580000

heap

page read and write

39FE000

stack

page read and write

1517000

heap

page read and write

52D0000

direct allocation

page execute and read and write

5A4E000

stack

page read and write

1500000

heap

page read and write

48FE000

stack

page read and write

3B3E000

stack

page read and write

152E000

heap

page read and write

4C80000

direct allocation

page read and write

4C80000

direct allocation

page read and write

1292000

unkown

page execute and write copy

3C7E000

stack

page read and write

5BAF000

stack

page read and write

42BE000

stack

page read and write

DD4000

heap

page read and write

52A0000

direct allocation

page execute and read and write

15B2000

heap

page read and write

52AD000

stack

page read and write

F70000

unkown

page readonly

152A000

heap

page read and write

DD4000

heap

page read and write

4C91000

heap

page read and write

F71000

unkown

page execute and write copy

3FFF000

stack

page read and write

5120000

direct allocation

page read and write

FD0000

unkown

page execute and read and write

DAE000

stack

page read and write

43FE000

stack

page read and write

417E000

stack

page read and write

53DD000

stack

page read and write

1568000

heap

page read and write

15FB000

heap

page read and write

4C80000

direct allocation

page read and write

34FE000

stack

page read and write

50D0000

heap

page read and write

4C91000

heap

page read and write

39BF000

stack

page read and write

147E000

stack

page read and write

569E000

stack

page read and write

387F000

stack

page read and write

15A9000

heap

page read and write

58DD000

stack

page read and write

467E000

stack

page read and write

363E000

stack

page read and write

33BF000

stack

page read and write

3EBF000

stack

page read and write

1283000

unkown

page execute and read and write

DD4000

heap

page read and write

34BF000

stack

page read and write

4C80000

direct allocation

page read and write

5270000

direct allocation

page execute and read and write

4C91000

heap

page read and write

35FF000

stack

page read and write

1291000

unkown

page execute and read and write

127A000

unkown

page execute and read and write

52A0000

direct allocation

page execute and read and write

1582000

heap

page read and write

4C91000

heap

page read and write

4B3F000

stack

page read and write

30BF000

stack

page read and write

373F000

stack

page read and write

DD4000

heap

page read and write

515C000

stack

page read and write

5280000

direct allocation

page execute and read and write

DD4000

heap

page read and write

143C000

unkown

page execute and write copy

413F000

stack

page read and write

DD4000

heap

page read and write

124B000

unkown

page execute and read and write

1599000

heap

page read and write

4C80000

direct allocation

page read and write

4C80000

direct allocation

page read and write

171F000

stack

page read and write

377E000

stack

page read and write

1599000

heap

page read and write

1561000

heap

page read and write

DD4000

heap

page read and write

4C80000

direct allocation

page read and write

5120000

direct allocation

page read and write

541D000

stack

page read and write

DD4000

heap

page read and write

52C0000

direct allocation

page execute and read and write

49FF000

stack

page read and write

1580000

heap

page read and write

1510000

heap

page read and write

4C91000

heap

page read and write

DD4000

heap

page read and write

1558000

heap

page read and write

555E000

stack

page read and write

DD4000

heap

page read and write

D40000

heap

page read and write

F2E000

stack

page read and write

4C80000

direct allocation

page read and write

4D90000

trusted library allocation

page read and write

1599000

heap

page read and write

15BC000

heap

page read and write

44FF000

stack

page read and write

DD4000

heap

page read and write

DD4000

heap

page read and write

DD4000

heap

page read and write

DD4000

heap

page read and write

4A3E000

stack

page read and write

3AFF000

stack

page read and write

DD4000

heap

page read and write

4C80000

direct allocation

page read and write

3C3F000

stack

page read and write

14FE000

stack

page read and write

4C91000

heap

page read and write

4C90000

heap

page read and write

52A0000

direct allocation

page execute and read and write

5120000

direct allocation

page read and write

15F2000

heap

page read and write

5110000

remote allocation

page read and write

D30000

heap

page read and write

DD4000

heap

page read and write

4C80000

direct allocation

page read and write

52A0000

direct allocation

page execute and read and write

4C80000

direct allocation

page read and write

5290000

direct allocation

page execute and read and write

There are 179 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
file.exe