Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.947628013475882
Filename:	file.exe
Filesize:	1845248
MD5:	395a5c7fa6131d1a2ce4689ce9202399
SHA1:	ea3dab42eced8cf068bd69ecc568a5bd2b1dfcf8
SHA256:	14025c4c8400e3712ad13e69eeab48d32405795852013ae29c1cf8a25ce0169f
SHA512:	d0c84672ee70272becc1a0a3520fb633846556b59847097de2713557d5f285eca073d6e9923da92541521593dd13c6c5dd03e2faf179bf54b0e738a52e5601fd
SSDEEP:	49152:ZXEw/1uHVUqm+lxJu/tvklX+L43xEQEtBb:Z0w9KQ0ct8lXQ43E
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................I...........@...........................I.....r.....@.................................W...k..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Found malware configuration	AV Detection
Hides threads from debuggers	Anti Debugging	Virtualization/Sandbox Evasion Security Software Discovery
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)	Boot Survival
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion
Tries to detect sandboxes and other dynamic analysis tools (window names)	Anti Debugging
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion	System Information Discovery
Tries to evade debugger and weak emulator (self modifying code)	Malware Analysis System Evasion
Checks for debuggers (devices)	Anti Debugging
Checks if the current process is being debugged	Anti Debugging
Contains capabilities to detect virtual machines	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
One or more processes crash	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Found strings which match to known social media urls	Networking
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Queries a list of all running drivers	Malware Analysis System Evasion
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_2f26e4b65edfc9809a16d7533fcfcfa7c28d99cc_852b229c_79272d57-bfa4-4aae-abaf-fac7dfee1222\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF, NEL line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_2f26e4b65edfc9809a16d7533fcfcfa7c28d99cc_852b229c_79272d57-bfa4-4aae-abaf-fac7dfee1222\Report.wer
Category:	dropped
Dump:	Report.wer.12.dr
ID:	dr_0
Target ID:	12
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF, NEL line terminators
Entropy:	1.0584184473248526
Encrypted:	false
Ssdeep:	192:P8C7IQwGqvFPlktS0BU/YP3juFjO8zuiF0Z24IO8TOB:KFN6ZBU/gjyzuiF0Y4IO8C
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WER498B.tmp.dmp

Mini DuMP crash report, 15 streams, Sun Oct 13 19:04:15 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER498B.tmp.dmp
Category:	dropped
Dump:	WER498B.tmp.dmp.12.dr
ID:	dr_2
Target ID:	12
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 15 streams, Sun Oct 13 19:04:15 2024, 0x1205a4 type
Entropy:	1.4661299366534766
Encrypted:	false
Ssdeep:	1536:RqexjGZm2zBUc8R1NlIwLuYJtQS0MaAg34sy:RqehGZm2zBq1NlIwLuYrQS0MaAgos
Size:	284824
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4D35.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER4D35.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER4D35.tmp.WERInternalMetadata.xml.12.dr
ID:	dr_3
Target ID:	12
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.6945393315558235
Encrypted:	false
Ssdeep:	192:R6l7wVeJbCA6Bt5kte6YNhSUcsgmfBGeDprI89b1bsfCXHm:R6lXJx6BbkU6Y7SUcsgmfZb1gfN
Size:	8296
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4D84.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER4D84.tmp.xml
Category:	dropped
Dump:	WER4D84.tmp.xml.12.dr
ID:	dr_4
Target ID:	12
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.427679053750554
Encrypted:	false
Ssdeep:	48:cvIwWl8zsFtJg77aI9lyWpW8VYPYm8M4JjlFI7+q8CoNvWed:uIjfFHI7DT7VTJk7YNvWed
Size:	4542
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.12.dr
ID:	dr_1
Target ID:	12
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.416535713314713
Encrypted:	false
Ssdeep:	6144:hcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuN85+:+i58oSWIZBk2MM6AFBqo
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4836
Target ID:	1
Parent PID:	4056
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	1845248
MD5:	395A5C7FA6131D1A2CE4689CE9202399
Time:	15:04:08
Date:	13/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x880000
Modulesize:	4841472
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1112

Details

Is windows:	true
Is dropped:	false
PID:	2172
Target ID:	12
Parent PID:	4836
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1112
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	15:04:13
Date:	13/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x9b0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

studennotediw.store

dissapoiznw.store

https://steamcommunity.com/profiles/76561199724331900

104.102.49.254

eaglepawnoy.store

https://steamcommunity.com/profiles/76561199724331900/inventory/

unknown

bathdoomgaz.store

clearancek.site

spirittunek.store

licendfilteo.site

mobbipenju.store

https://sergei-esenin.com/api

104.21.53.8

https://www.cloudflare.com/learning/access-management/phishing-attack/

unknown

https://player.vimeo.com

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp

unknown

https://steamcommunity.com/?subsection=broadcasts

unknown

https://sergei-esenin.com/

unknown

https://store.steampowered.com/subscriber_agreement/

unknown

https://www.gstatic.cn/recaptcha/

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6

unknown

https://store.steampowered.com

unknown

http://www.valvesoftware.com/legal.htm

unknown

https://www.youtube.com

unknown

https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png

unknown

https://www.google.com

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&

unknown

https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

unknown

https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi

unknown

https://s.ytimg.com;

unknown

https://steam.tv/

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english

unknown

https://store.steampower

unknown

http://store.steampowered.com/privacy_agreement/

unknown

https://store.steampowered.com/points/shop/

unknown

https://sketchfab.com

unknown

https://lv.queniujq.cn

unknown

https://www.youtube.com/

unknown

https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg

unknown

https://store.steampowered.com/privacy_agreement/

unknown

https://www.cloudflare.com/5xx-error-landing

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0

unknown

https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am

unknown

https://www.google.com/recaptcha/

unknown

https://checkout.steampowered.com/

unknown

https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english

unknown

https://avatars.akamai.steamstaticS3

unknown

https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis

unknown

https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC

unknown

https://store.steampowered.com/;

unknown

https://store.steampowered.com/about/

unknown

https://steamcommunity.com/my/wishlist/

unknown

https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english

unknown

https://sergei-esenin.com/apik

unknown

https://help.steampowered.com/en/

unknown

https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/

unknown

https://steamcommunity.com/market/

unknown

https://store.steampowered.com/news/

unknown

https://community.akamai.steamstatic.com/

unknown

http://store.steampowered.com/subscriber_agreement/

unknown

https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1

unknown

https://recaptcha.net/recaptcha/;

unknown

https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en

unknown

https://steamcommunity.com/discussions/

unknown

https://store.steampowered.com/stats/

unknown

https://medal.tv

unknown

https://broadcast.st.dl.eccdnx.com

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1

unknown

https://store.steampowered.com/steam_refunds/

unknown

https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900

unknown

https://sergei-esenin.com/api2

unknown

https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e

unknown

https://steamcommunity.com/workshop/

unknown

https://login.steampowered.com/

unknown

https://store.steampowered.com/legal/

unknown

https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv

unknown

https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl

unknown

https://recaptcha.net

unknown

http://upx.sf.net

unknown

https://store.steampowered.com/

unknown

https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif

unknown

http://127.0.0.1:27060

unknown

https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA

unknown

https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english

unknown

https://help.steampowered.com/

unknown

https://api.steampowered.com/

unknown

http://store.steampowered.com/account/cookiepreferences/

unknown

https://store.steampowered.com/mobile

unknown

https://steamcommunity.com/

unknown

https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english

unknown

https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

steamcommunity.com

104.102.49.254

sergei-esenin.com

104.21.53.8

eaglepawnoy.store

unknown

bathdoomgaz.store

unknown

spirittunek.store

unknown

licendfilteo.site

unknown

studennotediw.store

unknown

mobbipenju.store

unknown

clearancek.site

unknown

dissapoiznw.store

unknown

IPs

Domain

Country

Malicious

104.21.53.8

sergei-esenin.com

United States

Details

IP:	104.21.53.8
TargetID:	1
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	sergei-esenin.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.102.49.254

steamcommunity.com

United States

Details

IP:	104.102.49.254
TargetID:	1
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	16625
ASN name:	AKAMAI-ASUS
Private:	false
Domain:	steamcommunity.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

\REGISTRY\A\{7db89a2f-17a6-3779-277e-8c675d832fb8}\Root\InventoryApplicationFile\file.exe|634507f567776d77

ProgramId

\REGISTRY\A\{7db89a2f-17a6-3779-277e-8c675d832fb8}\Root\InventoryApplicationFile\file.exe|634507f567776d77

FileId

\REGISTRY\A\{7db89a2f-17a6-3779-277e-8c675d832fb8}\Root\InventoryApplicationFile\file.exe|634507f567776d77

LowerCaseLongPath

\REGISTRY\A\{7db89a2f-17a6-3779-277e-8c675d832fb8}\Root\InventoryApplicationFile\file.exe|634507f567776d77

LongPathHash

\REGISTRY\A\{7db89a2f-17a6-3779-277e-8c675d832fb8}\Root\InventoryApplicationFile\file.exe|634507f567776d77

Name

\REGISTRY\A\{7db89a2f-17a6-3779-277e-8c675d832fb8}\Root\InventoryApplicationFile\file.exe|634507f567776d77

OriginalFileName

\REGISTRY\A\{7db89a2f-17a6-3779-277e-8c675d832fb8}\Root\InventoryApplicationFile\file.exe|634507f567776d77

Publisher

\REGISTRY\A\{7db89a2f-17a6-3779-277e-8c675d832fb8}\Root\InventoryApplicationFile\file.exe|634507f567776d77

Version

\REGISTRY\A\{7db89a2f-17a6-3779-277e-8c675d832fb8}\Root\InventoryApplicationFile\file.exe|634507f567776d77

BinFileVersion

\REGISTRY\A\{7db89a2f-17a6-3779-277e-8c675d832fb8}\Root\InventoryApplicationFile\file.exe|634507f567776d77

BinaryType

\REGISTRY\A\{7db89a2f-17a6-3779-277e-8c675d832fb8}\Root\InventoryApplicationFile\file.exe|634507f567776d77

ProductName

\REGISTRY\A\{7db89a2f-17a6-3779-277e-8c675d832fb8}\Root\InventoryApplicationFile\file.exe|634507f567776d77

ProductVersion

\REGISTRY\A\{7db89a2f-17a6-3779-277e-8c675d832fb8}\Root\InventoryApplicationFile\file.exe|634507f567776d77

LinkDate

\REGISTRY\A\{7db89a2f-17a6-3779-277e-8c675d832fb8}\Root\InventoryApplicationFile\file.exe|634507f567776d77

BinProductVersion

\REGISTRY\A\{7db89a2f-17a6-3779-277e-8c675d832fb8}\Root\InventoryApplicationFile\file.exe|634507f567776d77

AppxPackageFullName

\REGISTRY\A\{7db89a2f-17a6-3779-277e-8c675d832fb8}\Root\InventoryApplicationFile\file.exe|634507f567776d77

AppxPackageRelativeId

\REGISTRY\A\{7db89a2f-17a6-3779-277e-8c675d832fb8}\Root\InventoryApplicationFile\file.exe|634507f567776d77

Size

\REGISTRY\A\{7db89a2f-17a6-3779-277e-8c675d832fb8}\Root\InventoryApplicationFile\file.exe|634507f567776d77

Language

\REGISTRY\A\{7db89a2f-17a6-3779-277e-8c675d832fb8}\Root\InventoryApplicationFile\file.exe|634507f567776d77

Usn

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

ClockTimeSeconds

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

TickCount

There are 11 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

881000

unkown

page execute and read and write

FB9000

heap

page read and write

294E000

stack

page read and write

A63000

unkown

page execute and read and write

EFE000

heap

page read and write

2F7F000

stack

page read and write

654000

heap

page read and write

8E0000

unkown

page execute and read and write

654000

heap

page read and write

654000

heap

page read and write

4B7F000

stack

page read and write

2B7F000

stack

page read and write

860000

direct allocation

page read and write

45C1000

heap

page read and write

4B90000

remote allocation

page read and write

4BB0000

direct allocation

page execute and read and write

654000

heap

page read and write

860000

direct allocation

page read and write

2960000

direct allocation

page execute and read and write

4B90000

direct allocation

page execute and read and write

45C1000

heap

page read and write

860000

direct allocation

page read and write

740000

heap

page read and write

423E000

stack

page read and write

2A7F000

stack

page read and write

36BF000

stack

page read and write

521D000

stack

page read and write

508E000

stack

page read and write

4B90000

remote allocation

page read and write

4A3E000

stack

page read and write

FDC000

heap

page read and write

F3D000

heap

page read and write

4B90000

direct allocation

page execute and read and write

393F000

stack

page read and write

F3D000

heap

page read and write

EFA000

heap

page read and write

EDE000

stack

page read and write

860000

direct allocation

page read and write

45C1000

heap

page read and write

32FF000

stack

page read and write

4BC0000

direct allocation

page execute and read and write

EE0000

direct allocation

page read and write

45C1000

heap

page read and write

3F7F000

stack

page read and write

860000

direct allocation

page read and write

F28000

heap

page read and write

4F8E000

stack

page read and write

297D000

heap

page read and write

4E0D000

stack

page read and write

654000

heap

page read and write

40FE000

stack

page read and write

54DE000

stack

page read and write

F5E000

heap

page read and write

654000

heap

page read and write

654000

heap

page read and write

5620000

heap

page read and write

51CE000

stack

page read and write

2977000

heap

page read and write

2950000

direct allocation

page execute and read and write

447F000

stack

page read and write

B81000

unkown

page execute and write copy

703B1000

unkown

page execute read

660000

heap

page read and write

2D7F000

stack

page read and write

860000

direct allocation

page read and write

FE2000

heap

page read and write

FB5000

heap

page read and write

433F000

stack

page read and write

860000

direct allocation

page read and write

703CF000

unkown

page readonly

3E3F000

stack

page read and write

FB7000

heap

page read and write

B71000

unkown

page execute and read and write

3BFE000

stack

page read and write

41FF000

stack

page read and write

860000

direct allocation

page read and write

2970000

heap

page read and write

654000

heap

page read and write

880000

unkown

page read and write

2E7F000

stack

page read and write

3FBE000

stack

page read and write

45C1000

heap

page read and write

860000

direct allocation

page read and write

45C1000

heap

page read and write

654000

heap

page read and write

860000

direct allocation

page read and write

537D000

stack

page read and write

55DF000

stack

page read and write

531D000

stack

page read and write

B41000

unkown

page execute and read and write

EF0000

heap

page read and write

650000

heap

page read and write

654000

heap

page read and write

B6A000

unkown

page execute and read and write

3BBF000

stack

page read and write

B81000

unkown

page execute and read and write

35BE000

stack

page read and write

654000

heap

page read and write

654000

heap

page read and write

3FB000

stack

page read and write

4CCE000

stack

page read and write

4BDD000

trusted library allocation

page read and write

654000

heap

page read and write

F5E000

heap

page read and write

10EF000

stack

page read and write

4B90000

direct allocation

page execute and read and write

547E000

stack

page read and write

31BF000

stack

page read and write

3ABE000

stack

page read and write

D1A000

unkown

page execute and read and write

28CE000

stack

page read and write

3A7F000

stack

page read and write

654000

heap

page read and write

45BF000

stack

page read and write

860000

direct allocation

page read and write

F50000

heap

page read and write

654000

heap

page read and write

45C1000

heap

page read and write

850000

heap

page read and write

37FF000

stack

page read and write

4D0E000

stack

page read and write

4B80000

direct allocation

page execute and read and write

290E000

stack

page read and write

654000

heap

page read and write

FE0000

heap

page read and write

343F000

stack

page read and write

437E000

stack

page read and write

44BE000

stack

page read and write

2C7F000

stack

page read and write

E9E000

stack

page read and write

45C1000

heap

page read and write

654000

heap

page read and write

7AE000

stack

page read and write

31FE000

stack

page read and write

F47000

heap

page read and write

3CFF000

stack

page read and write

FB1000

heap

page read and write

383E000

stack

page read and write

E5B000

stack

page read and write

F32000

heap

page read and write

FC0000

heap

page read and write

E1E000

stack

page read and write

4A40000

direct allocation

page read and write

4BA0000

direct allocation

page execute and read and write

860000

direct allocation

page read and write

30BE000

stack

page read and write

40BF000

stack

page read and write

EE0000

direct allocation

page read and write

654000

heap

page read and write

36FE000

stack

page read and write

880000

unkown

page readonly

654000

heap

page read and write

357F000

stack

page read and write

45C1000

heap

page read and write

50CD000

stack

page read and write

4E4E000

stack

page read and write

703C6000

unkown

page readonly

703B0000

unkown

page readonly

654000

heap

page read and write

654000

heap

page read and write

D1B000

unkown

page execute and write copy

703CD000

unkown

page read and write

4F4F000

stack

page read and write

4A7B000

stack

page read and write

F37000

heap

page read and write

2950000

heap

page read and write

860000

direct allocation

page read and write

FC8000

heap

page read and write

F50000

heap

page read and write

7EE000

stack

page read and write

3E7E000

stack

page read and write

4B90000

direct allocation

page execute and read and write

45C1000

heap

page read and write

347E000

stack

page read and write

4B90000

direct allocation

page execute and read and write

B82000

unkown

page execute and write copy

307F000

stack

page read and write

397E000

stack

page read and write

881000

unkown

page execute and write copy

333E000

stack

page read and write

860000

direct allocation

page read and write

4B90000

direct allocation

page execute and read and write

45D1000

heap

page read and write

45C0000

heap

page read and write

2FB000

stack

page read and write

654000

heap

page read and write

4B90000

remote allocation

page read and write

3D3E000

stack

page read and write

84E000

stack

page read and write

5630000

trusted library allocation

page read and write

46C0000

trusted library allocation

page read and write

There are 181 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
file.exe