Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

FACTURA.cmd

ISO-8859 text, with very long lines (956), with CRLF line terminators

initial sample

Details

Filetype:	ISO-8859 text, with very long lines (956), with CRLF line terminators
Entropy:	5.1046823921890425
Filename:	FACTURA.cmd
Filesize:	7518388
MD5:	41aff4b752555a0e4304ba0e04bb24c8
SHA1:	a0cf311711779834c880e99799a8501165036a6c
SHA256:	3b9f52447520a884c7ced8dbfb5d3cef7896a90910ef0b34b13cfecb9bd422cc
SHA512:	8d59d88d17956929282ad6b08318e3c233c3e08badb4f6e9e77eb9e422f8ed8ae092c6dc43a523af0893be736991dcad82e22114030a588963987ff71b6f1f97
SSDEEP:	49152:bi5/QaYmqMijFjB6yaHAd0QNEhTp0Ki1OspQcmItJXiCmqkU5Pq:C
Preview:	COMCOM..&@cls&@set "_...=DJcBebTEQGtSYd3yMnqU6HKs x1C5NmRI@9lwgZfrpVPahWz4F0X8oL2OkjiAuv7"..%_...:~33,1%%_...:~23,1%%_...:~4,1%%_...:~10,1%%_...:~24,1%"_...=%_...:~33,1%%_...:~53,1%%_...:~55,1%%_...:~16,1%%_...:~19,1%%_...:~35,1%%_...:~15,1%%_...:~3,1%%_.

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sample is known by Antivirus	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\Public\Libraries\Host.COM

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\Public\Libraries\Host.COM
Category:	dropped
Dump:	Host.COM.8.dr
ID:	dr_8
Target ID:	8
Process:	C:\Users\Public\kn.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.671316642409848
Encrypted:	false
Ssdeep:	24576:Gj2o2Y8F82BK8Uk1zVvm+8OioUMxW24Q7Q9Z:2pihK+8OiSWaOZ
Size:	1483264
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Allocates many large memory junks	Malware Analysis System Evasion	Security Software Discovery
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)	Anti Debugging	Security Software Discovery
Drops PE files with a suspicious file extension	Persistence and Installation Behavior	Masquerading
Machine Learning detection for dropped file	AV Detection
Sigma detected: Suspicious Program Location with Network Connections	System Summary
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Contains functionality to check if a connection to the internet is available	Networking	System Information Discovery System Network Connections Discovery
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Program exit points	Malware Analysis System Evasion
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary

C:\Users\Public\Host.GIF

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\Public\Host.GIF
Category:	dropped
Dump:	Host.GIF.6.dr
ID:	dr_6
Target ID:	6
Process:	C:\Users\Public\kn.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.69988814389252
Encrypted:	false
Ssdeep:	24576:vJ9zAzppcp+GT+lTGX5HLyGHRzBhwxoMpaxHTuQdkFT2KjErG0rQOV7FpJJ:n
Size:	5214496
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Users\Public\alpha.exe

PE32+ executable (console) x86-64, for MS Windows

modified

Details

File:	C:\Users\Public\alpha.exe
Category:	modified
Dump:	alpha.exe.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Windows\System32\extrac32.exe
Type:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	6.135598950357573
Encrypted:	false
Ssdeep:	6144:k4WA1B9BxDfQWKORSqY4zOcmpdlc3gJdmtolSm:H1BhkWvSqY4zvmjOwJIT
Size:	289792
Whitelisted:	true
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files to the user root directory	Boot Survival	Masquerading
Drops or copies cmd.exe with a different name (likely to bypass HIPS)	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Sigma detected: Execution from Suspicious Folder	System Summary
Sigma detected: Parent in Public Folder Suspicious Process	System Summary
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Access Token Manipulation
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Contains functionality for error logging	System Summary
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Information Discovery System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection

C:\Users\Public\kn.exe

PE32+ executable (console) x86-64, for MS Windows

modified

Details

File:	C:\Users\Public\kn.exe
Category:	modified
Dump:	kn.exe.4.dr
ID:	dr_4
Target ID:	4
Process:	C:\Windows\System32\extrac32.exe
Type:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	6.144018815244304
Encrypted:	false
Ssdeep:	24576:MeiElH5YZ5cv6r3HiaZQ8p4XGwiJDgN7MaikGLIsWWi4pT/Y/7hsyDAP760MKR:Me3lZYUvmSu4XTckYD0sWWiwT/MhTzK
Size:	1651712
Whitelisted:	true
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops PE files to the user root directory	Boot Survival	Masquerading
Drops PE files with a suspicious file extension	Persistence and Installation Behavior	Masquerading
Drops or copies certutil.exe with a different name (likely to bypass HIPS)	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Registers a new ROOT certificate	E-Banking Fraud	Install Root Certificate
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts Access Token Manipulation
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Found large amount of non-executed APIs	Malware Analysis System Evasion
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to import cryptographic keys (often used in ransomware)	Spam, unwanted Advertisements and Ransom Demands	Archive Collected Data Data Encrypted for Impact
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking

\Device\Null

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\Null
Category:	dropped
Dump:	Null.11.dr
ID:	dr_10
Target ID:	11
Process:	C:\Users\Public\alpha.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.403504238247217
Encrypted:	false
Ssdeep:	3:HnRthLK5aTRECUAdROGCOwXWnjTRrGIAOFZRMQcv:HRoAREYTOGjHVF+
Size:	104
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\FACTURA.cmd" "

C:\Windows\System32\extrac32.exe

C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Windows\System32\extrac32.exe

extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\FACTURA.cmd" "C:\\Users\\Public\\Host.GIF" 3

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\FACTURA.cmd" "C:\\Users\\Public\\Host.GIF" 3

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Host.GIF" "C:\\Users\\Public\\Libraries\\Host.COM" 10

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Host.GIF" "C:\\Users\\Public\\Libraries\\Host.COM" 10

C:\Users\Public\Libraries\Host.COM

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Host.GIF" / A / F / Q / S

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

There are 2 hidden processes, click here to show them.

URLs

Name

Malicious

https://taksonsdfg.co.in/34243456dfgd/255_ZnrgbbhcbyxV/K$

unknown

https://taksonsdfg.co.in/34243456dfgd/255_Znrgbbhcbyx~

unknown

https://taksonsdfg.co.in/./

unknown

https://taksonsdfg.co.in/Z

unknown

https://taksonsdfg.co.in/f/

unknown

https://taksonsdfg.co.in/34243456dfgd/255_ZnrgbbhcbyxN/c$

unknown

https://taksonsdfg.co.in/H

unknown

https://taksonsdfg.co.in/34243456dfgd/255_Znrgbbhcbyx

108.170.55.202

https://taksonsdfg.co.in/34243456dfgd/255_Znrgbbhcbyx&/

unknown

https://taksonsdfg.co.in/x

unknown

https://taksonsdfg.co.in/

unknown

https://taksonsdfg.co.in/34243456dfgd/255_Znrgbbhcbyx/;

unknown

https://taksonsdfg.co.in/~

unknown

https://taksonsdfg.co.in/34243456dfgd/255_ZnrgbbhcbyxB8

unknown

https://taksonsdfg.co.in/34243456dfgd/255_Znrgbbhcbyxv/

unknown

https://taksonsdfg.co.in:443/34243456dfgd/255_Znrgbbhcbyx;

unknown

https://taksonsdfg.co.in/34243456dfgd/255_ZnrgbbhcbyxV

unknown

https://taksonsdfg.co.in/34243456dfgd/255_Znrgbbhcbyxo/

unknown

https://taksonsdfg.co.in/n/C$

unknown

https://taksonsdfg.co.in/34243456dfgd/25

unknown

https://taksonsdfg.co.in/6/

unknown

https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP

unknown

https://login.microsoftonline.com/%s/oauth2/authorize

unknown

https://login.microsoftonline.com/%s/oauth2/token

unknown

https://enterpriseregistration.windows.net/EnrollmentServer/key/

unknown

https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah

unknown

https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc

unknown

http://www.pmail.com

unknown

https://%ws/%ws_%ws_%ws/service.svc/%ws

unknown

https://enterpriseregistration.windows.net/EnrollmentServer/device/

unknown

There are 20 hidden URLs, click here to show them.

Domains

Name

Malicious

taksonsdfg.co.in

108.170.55.202

Details

Name:	taksonsdfg.co.in
IP:	108.170.55.202
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sigma detected: Suspicious Program Location with Network Connections	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

108.170.55.202

taksonsdfg.co.in

United States

Details

IP:	108.170.55.202
TargetID:	9
Current Path:	C:\Users\Public\Libraries\Host.COM
Country:	United States
Countrycode:	USA
ASN number:	20454
ASN name:	SSASN2US
Private:	false
Domain:	taksonsdfg.co.in

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Program Location with Network Connections	System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7

Name

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7

Name

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7

Name

Memdumps

Base Address

Regiontype

Protect

Malicious

8A8000

heap

page read and write

21775880000

heap

page read and write

48D49CE000

stack

page read and write

877000

heap

page read and write

7FF7E08AE000

unkown

page readonly

878000

heap

page read and write

7FF793740000

unkown

page readonly

7FF793772000

unkown

page readonly

895000

heap

page read and write

7F020000

direct allocation

page read and write

18C3DC80000

heap

page read and write

7FC20000

direct allocation

page read and write

8AA000

heap

page read and write

7FF7E0790000

unkown

page readonly

8C8000

heap

page read and write

8E4000

heap

page read and write

7FF79379C000

unkown

page write copy

21775990000

heap

page read and write

88B000

heap

page read and write

20D2E7B000

stack

page read and write

2B0247C7000

heap

page read and write

21466020000

heap

page read and write

2955000

heap

page read and write

7FF79377D000

unkown

page read and write

217776B0000

heap

page read and write

7FF793799000

unkown

page readonly

8AE000

heap

page read and write

18C3BE9C000

heap

page read and write

7FF793799000

unkown

page readonly

2559E000

stack

page read and write

7FF793740000

unkown

page readonly

8AE000

heap

page read and write

877000

heap

page read and write

1F21CDC0000

heap

page read and write

8A7000

heap

page read and write

8A0000

heap

page read and write

88D000

heap

page read and write

2503A000

direct allocation

page read and write

877000

heap

page read and write

7F840000

direct allocation

page read and write

7FF7E090A000

unkown

page write copy

864000

heap

page read and write

7FF79379D000

unkown

page readonly

7F7C0000

direct allocation

page read and write

E9036FE000

stack

page read and write

21775889000

heap

page read and write

2956000

heap

page read and write

8B2000

heap

page read and write

217776D2000

heap

page read and write

1F21CDE0000

heap

page read and write

892000

heap

page read and write

869000

heap

page read and write

88B000

heap

page read and write

892000

heap

page read and write

8BD000

heap

page read and write

8AA000

heap

page read and write

7FF79379D000

unkown

page readonly

87B000

heap

page read and write

2518A000

stack

page read and write

7FF793799000

unkown

page readonly

7F650000

direct allocation

page read and write

7FF793781000

unkown

page read and write

8E4000

heap

page read and write

8D4000

heap

page read and write

7FF793740000

unkown

page readonly

21466024000

heap

page read and write

8A8000

heap

page read and write

877000

heap

page read and write

69688FE000

stack

page read and write

8A7000

heap

page read and write

884000

heap

page read and write

25A80000

remote allocation

page read and write

217776C0000

heap

page read and write

7FF793772000

unkown

page readonly

484000

unkown

page read and write

2350000

direct allocation

page execute and read and write

25C0E000

stack

page read and write

25DBC000

heap

page read and write

7FC6F000

direct allocation

page read and write

7FF7E090A000

unkown

page write copy

7FF793740000

unkown

page readonly

8C8000

heap

page read and write

22FC000

direct allocation

page read and write

25930000

heap

page read and write

2F6E000

direct allocation

page execute and read and write

7FF7E0918000

unkown

page read and write

22F074F7000

heap

page read and write

2B0247EC000

heap

page read and write

8AA000

heap

page read and write

86C000

heap

page read and write

2E1E000

direct allocation

page read and write

28F886E8000

heap

page read and write

25D0F000

stack

page read and write

895000

heap

page read and write

2340000

heap

page read and write

21775780000

heap

page read and write

870000

heap

page read and write

7EEB0000

direct allocation

page read and write

1F21CE35000

heap

page read and write

7FF793799000

unkown

page readonly

884000

heap

page read and write

18C3E5A0000

heap

page read and write

8B2000

heap

page read and write

2892000

heap

page read and write

8A0000

heap

page read and write

8CF000

heap

page read and write

7FF79377D000

unkown

page read and write

B2EB5FE000

stack

page read and write

26095708000

heap

page read and write

7FF793799000

unkown

page readonly

E90367B000

stack

page read and write

1F21CDB0000

heap

page read and write

7FF79379D000

unkown

page readonly

650000

heap

page read and write

25DD9000

heap

page read and write

881000

heap

page read and write

7EEB0000

direct allocation

page read and write

881000

heap

page read and write

1A3C6A40000

heap

page read and write

895000

heap

page read and write

2518E000

stack

page execute and read and write

E9037FE000

stack

page read and write

7FF793772000

unkown

page readonly

869000

heap

page read and write

869000

heap

page read and write

28F88670000

heap

page read and write

7FF000

heap

page read and write

2311000

direct allocation

page read and write

87D000

heap

page read and write

2B0247BB000

heap

page read and write

7FA30000

direct allocation

page read and write

18C3BE9C000

heap

page read and write

22F07610000

heap

page read and write

21466160000

heap

page read and write

2B024724000

heap

page read and write

864000

heap

page read and write

21466025000

heap

page read and write

8D2000

heap

page read and write

21466040000

heap

page read and write

877000

heap

page read and write

2DF1000

direct allocation

page execute read

2303000

direct allocation

page read and write

25ABE000

stack

page read and write

7FF7E090A000

unkown

page write copy

217759C0000

heap

page read and write

88D000

heap

page read and write

8CC000

heap

page read and write

578CE7D000

stack

page read and write

48D4C7E000

stack

page read and write

2B0247E8000

heap

page read and write

7F4E0000

direct allocation

page read and write

2B0265A0000

trusted library allocation

page read and write

8D3000

heap

page read and write

8AD000

heap

page read and write

21777E06000

heap

page read and write

7FF79379C000

unkown

page write copy

48D494C000

stack

page read and write

7FF793799000

unkown

page readonly

876000

heap

page read and write

25008000

direct allocation

page read and write

2B024770000

heap

page read and write

288E000

heap

page read and write

8AA000

heap

page read and write

1A3C6A54000

heap

page read and write

892000

heap

page read and write

18C3BE9C000

heap

page read and write

2518F000

stack

page read and write

7FF793772000

unkown

page readonly

8E7000

heap

page read and write

7FC90000

direct allocation

page read and write

2B0246C0000

heap

page read and write

5DA63FF000

stack

page read and write

5DA64FF000

stack

page read and write

88B000

heap

page read and write

7FB000

heap

page read and write

2B0247C8000

heap

page read and write

864000

heap

page read and write

872000

heap

page read and write

48F000

unkown

page readonly

8C1000

heap

page read and write

8CE000

heap

page read and write

877000

heap

page read and write

1F21CE60000

heap

page read and write

88D000

heap

page read and write

8A0000

heap

page read and write

7F210000

direct allocation

page read and write

871000

heap

page read and write

260956E7000

heap

page read and write

2B0247E9000

heap

page read and write

89D000

heap

page read and write

7F7C0000

direct allocation

page read and write

7FF7E0913000

unkown

page read and write

25BBD000

stack

page read and write

28F88650000

heap

page read and write

8BD000

heap

page read and write

8E4000

heap

page read and write

2318000

direct allocation

page read and write

2540F000

stack

page read and write

7FF793772000

unkown

page readonly

2483000

heap

page read and write

8CE000

heap

page read and write

8E4000

heap

page read and write

7FA50000

direct allocation

page read and write

7FF7E0791000

unkown

page execute read

578CBBC000

stack

page read and write

8D7000

heap

page read and write

8BD000

heap

page read and write

2DF0000

direct allocation

page readonly

8CF000

heap

page read and write

8C0000

heap

page read and write

8BB000

heap

page read and write

88B000

heap

page read and write

895000

heap

page read and write

7FF7E090A000

unkown

page write copy

7FF7E0791000

unkown

page execute read

1A3C4CF0000

heap

page read and write

8AA000

heap

page read and write

7FF7E0926000

unkown

page readonly

18C3BE38000

heap

page read and write

7FF793772000

unkown

page readonly

8AF000

heap

page read and write

25DB2000

heap

page read and write

7FF793741000

unkown

page execute read

25960000

heap

page read and write

2B0247B7000

heap

page read and write

2B0246E0000

heap

page read and write

2B0247B7000

heap

page read and write

7FF793772000

unkown

page readonly

7F0000

heap

page read and write

7FF79377D000

unkown

page read and write

260955F0000

heap

page read and write

892000

heap

page read and write

870000

heap

page read and write

7FF793741000

unkown

page execute read

8E6000

heap

page read and write

7FF79378F000

unkown

page read and write

2895000

heap

page read and write

8BE000

heap

page read and write

18C3D843000

heap

page read and write

FB2359C000

stack

page read and write

25DBA000

heap

page read and write

2B0247CC000

heap

page read and write

2320000

heap

page read and write

7FF79379C000

unkown

page write copy

22F074F7000

heap

page read and write

7FF79378F000

unkown

page read and write

2569F000

stack

page read and write

7F0A0000

direct allocation

page read and write

7FF7E0913000

unkown

page read and write

8BD000

heap

page read and write

86E000

heap

page read and write

28F887E0000

heap

page read and write

20D2FFF000

stack

page read and write

8E8000

heap

page read and write

27F0000

heap

page read and write

89B000

heap

page read and write

8BD000

heap

page read and write

2B0247E8000

heap

page read and write

884000

heap

page read and write

22D0000

direct allocation

page read and write

88D000

heap

page read and write

7FF793740000

unkown

page readonly

8BD000

heap

page read and write

869000

heap

page read and write

5DA62FC000

stack

page read and write

881000

heap

page read and write

2899000

heap

page read and write

2582E000

stack

page read and write

7F930000

direct allocation

page read and write

26095708000

heap

page read and write

895000

heap

page read and write

18C3BED1000

heap

page read and write

22F074F7000

heap

page read and write

8C8000

heap

page read and write

7FF793789000

unkown

page read and write

7FC00000

direct allocation

page read and write

7FABF000

direct allocation

page read and write

8A7000

heap

page read and write

25DD3000

heap

page read and write

7FF7E091D000

unkown

page readonly

7FF7E0790000

unkown

page readonly

1F0000

heap

page read and write

8A8000

heap

page read and write

7F930000

direct allocation

page read and write

25016000

direct allocation

page read and write

286A000

heap

page read and write

7FF793789000

unkown

page read and write

877000

heap

page read and write

A0AF4FF000

stack

page read and write

22F4000

direct allocation

page read and write

B2EB10C000

stack

page read and write

2B0247BB000

heap

page read and write

7FF79378F000

unkown

page read and write

864000

heap

page read and write

7FF793741000

unkown

page execute read

22ED000

direct allocation

page read and write

1A3C4AB0000

heap

page read and write

26095704000

heap

page read and write

88B000

heap

page read and write

25024000

direct allocation

page read and write

27F7000

heap

page read and write

7FF79379C000

unkown

page write copy

21465FF0000

heap

page read and write

48A000

unkown

page read and write

884000

heap

page read and write

22B5000

direct allocation

page read and write

660000

heap

page read and write

864000

heap

page read and write

18C3BE34000

heap

page read and write

7FF793741000

unkown

page execute read

7FF793781000

unkown

page read and write

88B000

heap

page read and write

7F740000

direct allocation

page read and write

8C3000

heap

page read and write

22F075D0000

heap

page read and write

21D0000

heap

page read and write

8AF000

heap

page read and write

7F650000

direct allocation

page read and write

8A6000

heap

page read and write

2592E000

stack

page read and write

864000

heap

page read and write

2146604B000

heap

page read and write

7F020000

direct allocation

page read and write

8A4000

heap

page read and write

18C3BE3D000

heap

page read and write

2871000

heap

page read and write

7FF7E0928000

unkown

page readonly

7FF7E0790000

unkown

page readonly

22F074F7000

heap

page read and write

22F074D7000

heap

page read and write

2266000

direct allocation

page read and write

7E3D0000

direct allocation

page read and write

25A80000

remote allocation

page read and write

1A3C4E34000

heap

page read and write

2530E000

stack

page read and write

7FF793799000

unkown

page readonly

22F074F7000

heap

page read and write

1A3C4E03000

heap

page read and write

879000

heap

page read and write

8E6000

heap

page read and write

18C3BE10000

heap

page read and write

401000

unkown

page execute read

18C3BE8C000

heap

page read and write

8C9000

heap

page read and write

18C3BECB000

heap

page read and write

7FF793740000

unkown

page readonly

89A000

heap

page read and write

7FF79377D000

unkown

page write copy

400000

unkown

page readonly

8A0000

heap

page read and write

7FF793781000

unkown

page read and write

7F7C0000

direct allocation

page read and write

7FF793741000

unkown

page execute read

22F074F7000

heap

page read and write

881000

heap

page read and write

7FF793785000

unkown

page read and write

FB239FE000

stack

page read and write

7FF7E0925000

unkown

page write copy

8C9000

heap

page read and write

881000

heap

page read and write

8D2000

heap

page read and write

88B000

heap

page read and write

8B2000

heap

page read and write

2B0247A0000

heap

page read and write

895000

heap

page read and write

8A8000

heap

page read and write

22F074F7000

heap

page read and write

25048000

direct allocation

page read and write

257EE000

stack

page read and write

28F889B0000

heap

page read and write

877000

heap

page read and write

22F074D0000

heap

page read and write

18C3D840000

heap

page read and write

260959A0000

heap

page read and write

8A0000

heap

page read and write

217776C3000

heap

page read and write

1F21CE89000

heap

page read and write

7FF793741000

unkown

page execute read

7F930000

direct allocation

page read and write

28F886E0000

heap

page read and write

872000

heap

page read and write

8D2000

heap

page read and write

888000

heap

page read and write

7FF79379D000

unkown

page readonly

1A3C4E36000

heap

page read and write

7FF793741000

unkown

page execute read

8A6000

heap

page read and write

20D2EFE000

stack

page read and write

7FF7E0791000

unkown

page execute read

696854C000

stack

page read and write

8D7000

heap

page read and write

2B0247B4000

heap

page read and write

7FF7E0928000

unkown

page readonly

18C3BECE000

heap

page read and write

18C3BEAE000

heap

page read and write

1F21CE34000

heap

page read and write

864000

heap

page read and write

7FF79377D000

unkown

page write copy

885000

heap

page read and write

869000

heap

page read and write

8BD000

heap

page read and write

84D000

heap

page read and write

8C9000

heap

page read and write

892000

heap

page read and write

25DB4000

heap

page read and write

28F889B4000

heap

page read and write

25DD0000

heap

page read and write

666000

heap

page read and write

8A4000

heap

page read and write

7FF79379C000

unkown

page write copy

7FF79377D000

unkown

page write copy

7F190000

direct allocation

page read and write

260956E0000

heap

page read and write

7FD70000

direct allocation

page read and write

7FBC0000

direct allocation

page read and write

2B0247E8000

heap

page read and write

7EF30000

direct allocation

page read and write

7FF793781000

unkown

page read and write

21466065000

heap

page read and write

7F8EF000

direct allocation

page read and write

888000

heap

page read and write

7FF79377D000

unkown

page write copy

895000

heap

page read and write

7FF79377D000

unkown

page write copy

2CDA000

heap

page read and write

2B026DA0000

heap

page read and write

22F077B0000

heap

page read and write

1A3C4BA9000

heap

page read and write

7FF7E0926000

unkown

page readonly

8E8000

heap

page read and write

88D000

heap

page read and write

25DB0000

heap

page read and write

7FF793794000

unkown

page read and write

69689FF000

stack

page read and write

8C8000

heap

page read and write

7FF7E0914000

unkown

page write copy

2B026150000

heap

page read and write

7FF7E08AE000

unkown

page readonly

8D8000

heap

page read and write

7E810000

direct allocation

page read and write

7F460000

direct allocation

page read and write

8E2000

heap

page read and write

8E6000

heap

page read and write

7FF79378F000

unkown

page read and write

8BF000

heap

page read and write

8C9000

heap

page read and write

888000

heap

page read and write

2B0247EC000

heap

page read and write

884000

heap

page read and write

28F88708000

heap

page read and write

7FF7E0928000

unkown

page readonly

8AE000

heap

page read and write

8AA000

heap

page read and write

B2EB4FE000

stack

page read and write

884000

heap

page read and write

892000

heap

page read and write

88B000

heap

page read and write

7FF793772000

unkown

page readonly

88D000

heap

page read and write

7FF7E091D000

unkown

page readonly

26095800000

heap

page read and write

8A4000

heap

page read and write

881000

heap

page read and write

7F460000

direct allocation

page read and write

260957E0000

heap

page read and write

25950000

heap

page read and write

18C3BEE6000

heap

page read and write

892000

heap

page read and write

7FF793741000

unkown

page execute read

869000

heap

page read and write

89B000

heap

page read and write

1A3C4E30000

heap

page read and write

8BD000

heap

page read and write

892000

heap

page read and write

18C3BECE000

heap

page read and write

892000

heap

page read and write

7F7C0000

direct allocation

page read and write

25DDC000

heap

page read and write

1F21CE67000

heap

page read and write

881000

heap

page read and write

7FF79379D000

unkown

page readonly

2B024720000

heap

page read and write

7FF7E0918000

unkown

page read and write

18C3BECE000

heap

page read and write

21775A80000

heap

page read and write

20D2F7E000

stack

page read and write

2B024728000

heap

page read and write

7F7C0000

direct allocation

page read and write

1A3C6F57000

heap

page read and write

8A0000

heap

page read and write

7F9B0000

direct allocation

page read and write

89B000

heap

page read and write

25A80000

remote allocation

page read and write

18C3BE95000

heap

page read and write

18C3BE98000

heap

page read and write

895000

heap

page read and write

21465F10000

heap

page read and write

7F930000

direct allocation

page read and write

8AA000

heap

page read and write

8C8000

heap

page read and write

578CEFE000

stack

page read and write

888000

heap

page read and write

8A0000

heap

page read and write

2E77000

direct allocation

page execute and read and write

870000

heap

page read and write

230A000

direct allocation

page read and write

7FF7E091D000

unkown

page readonly

8C9000

heap

page read and write

8AB000

heap

page read and write

8A0000

heap

page read and write

28F88570000

heap

page read and write

7FF793781000

unkown

page read and write

864000

heap

page read and write

2B0247EC000

heap

page read and write

1F21CE84000

heap

page read and write

2508C000

stack

page read and write

18C3DDA0000

trusted library allocation

page read and write

2B02472D000

heap

page read and write

26095820000

heap

page read and write

7FF7E0791000

unkown

page execute read

478000

unkown

page read and write

28F88704000

heap

page read and write

2502C000

direct allocation

page read and write

885000

heap

page read and write

7FF7E0925000

unkown

page write copy

2F6C000

direct allocation

page execute and read and write

22F074F5000

heap

page read and write

25DBE000

heap

page read and write

892000

heap

page read and write

7FF7E0914000

unkown

page write copy

2B11000

heap

page read and write

256EE000

stack

page read and write

18C3BE98000

heap

page read and write

2B0247BB000

heap

page read and write

88D000

heap

page read and write

18C3BE87000

heap

page read and write

2B026153000

heap

page read and write

86C000

heap

page read and write

7F5D0000

direct allocation

page read and write

8BD000

heap

page read and write

895000

heap

page read and write

8A7000

heap

page read and write

7FC10000

direct allocation

page read and write

25DB6000

heap

page read and write

7FF793799000

unkown

page readonly

18C3BECE000

heap

page read and write

888000

heap

page read and write

88B000

heap

page read and write

1A3C4CC0000

heap

page read and write

1A3C4BA0000

heap

page read and write

2554F000

stack

page read and write

864000

heap

page read and write

2501D000

direct allocation

page read and write

25DDF000

heap

page read and write

870000

heap

page read and write

260959A5000

heap

page read and write

22F075F0000

heap

page read and write

7FF7E08AE000

unkown

page readonly

260959A4000

heap

page read and write

8AA000

heap

page read and write

87C000

heap

page read and write

18C3BE30000

heap

page read and write

8AE000

heap

page read and write

22F077B4000

heap

page read and write

E90377E000

stack

page read and write

864000

heap

page read and write

7FF793740000

unkown

page readonly

25DB8000

heap

page read and write

888000

heap

page read and write

877000

heap

page read and write

8E8000

heap

page read and write

25041000

direct allocation

page read and write

7E790000

direct allocation

page read and write

7FF793772000

unkown

page readonly

19D000

stack

page read and write

8A4000

heap

page read and write

1F21CE30000

heap

page read and write

7FF793772000

unkown

page readonly

2544E000

stack

page read and write

7FF7E0790000

unkown

page readonly

A0AF3FF000

stack

page read and write

8C8000

heap

page read and write

FB238FE000

stack

page read and write

21775A84000

heap

page read and write

7FF793740000

unkown

page readonly

9B000

stack

page read and write

88D000

heap

page read and write

7FF793741000

unkown

page execute read

7FF793794000

unkown

page read and write

1F21CE89000

heap

page read and write

8E6000

heap

page read and write

7FC5F000

direct allocation

page read and write

7FF79378F000

unkown

page read and write

1A3C4E00000

heap

page read and write

881000

heap

page read and write

24FEA000

direct allocation

page read and write

88D000

heap

page read and write

18C3BEAE000

heap

page read and write

1A3C4CA0000

heap

page read and write

7FF793741000

unkown

page execute read

18C3BEA9000

heap

page read and write

869000

heap

page read and write

7FF79377D000

unkown

page read and write

888000

heap

page read and write

A0AF2FC000

stack

page read and write

884000

heap

page read and write

18C3BE40000

heap

page read and write

21775A86000

heap

page read and write

7FF793799000

unkown

page readonly

22F073F0000

heap

page read and write

8BD000

heap

page read and write

7F930000

direct allocation

page read and write

7FF793799000

unkown

page readonly

2480000

heap

page read and write

881000

heap

page read and write

870000

heap

page read and write

8CB000

heap

page read and write

869000

heap

page read and write

1F21D030000

heap

page read and write

8CB000

heap

page read and write

7FF793740000

unkown

page readonly

28F889B5000

heap

page read and write

21466140000

heap

page read and write

881000

heap

page read and write

885000

heap

page read and write

2B0245E0000

heap

page read and write

7FF7E0928000

unkown

page readonly

7FF7E08AE000

unkown

page readonly

8A0000

heap

page read and write

21775860000

heap

page read and write

2370000

heap

page read and write

18C3BE00000

heap

page read and write

18C3BE80000

heap

page read and write

48A000

unkown

page write copy

7FF793740000

unkown

page readonly

22F077B5000

heap

page read and write

7FAE0000

direct allocation

page read and write

8BD000

heap

page read and write

2376000

heap

page read and write

8D2000

heap

page read and write

870000

heap

page read and write

870000

heap

page read and write

25DD5000

heap

page read and write

7FF79377D000

unkown

page read and write

2B0247CC000

heap

page read and write

25DD2000

heap

page read and write

89A000

heap

page read and write

8CF000

heap

page read and write

25000000

direct allocation

page read and write

89F000

heap

page read and write

478000

unkown

page write copy

25DDF000

heap

page read and write

26095704000

heap

page read and write

870000

heap

page read and write

260956F1000

heap

page read and write

2B0247A9000

heap

page read and write

8D2000

heap

page read and write

25DDA000

heap

page read and write

7FF7E091D000

unkown

page readonly

7F8A0000

direct allocation

page read and write

There are 650 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
FACTURA.cmd

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportFACTURA.cmd

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
FACTURA.cmd