Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	5.1018163514744295
Filename:	file.exe
Filesize:	7457792
MD5:	7105a2ba8c897b6c2072a6ab0bdecdf1
SHA1:	d3659027483c2825c8430a41a0c3e439aac78e2f
SHA256:	abc53ac9f7564ceba0a7548b880b1e92c8e0329ff9680e3c5f06abcbd4e869b9
SHA512:	25dc46cf350a294ea6ce7b7d07c07bfd379307783bea9f357d20a7277fa49736221c7ba1f33afd46ef26a917ef544303291263931b239c26aa8f5abb35a92c9e
SSDEEP:	49152:w6u6AkFUy00GL2vXkEkaBdCtsRbSgVw1y0y1zTPWs8Mo1FqSiqL7ECI4chxGeO2b:wyA+UtvLgXMaBssNSgAyPzT
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...............(.VL...q..............pL...@..........................@r......fr...@... ............................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Drops large PE files	System Summary
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Contains capabilities to detect virtual machines	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
PE file contains sections with non-standard names	Data Obfuscation
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection
Uses 32bit PE files	Compliance, System Summary	Masquerading
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Enumerates the file system	Spreading, Malware Analysis System Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\service123.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\service123.exe
Category:	dropped
Dump:	service123.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	0.0023405286258548507
Encrypted:	false
Size:	314617856
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion	Native API
Found stalling execution ending in API Sleep call	Malware Analysis System Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to register its own exception handler	Anti Debugging
Creates mutexes	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Temp\TMdMlTZMAWbrEijBRYMr.dll

PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\TMdMlTZMAWbrEijBRYMr.dll
Category:	dropped
Dump:	TMdMlTZMAWbrEijBRYMr.dll.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	0.0543661346359521
Encrypted:	false
Ssdeep:	24576:HFCE/Be//C7PeTpObC/8llm0WrFaQmWXn5EDP9wXNjKrfS2:yWWhAWXnCPeXRc
Size:	315803136
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7432
Target ID:	0
Parent PID:	2580
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	7457792
MD5:	7105A2BA8C897B6C2072A6AB0BDECDF1
Time:	03:15:00
Date:	14/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x420000
Modulesize:	7487488
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Yara detected Cryptbot	Stealing of Sensitive Information, Remote Access Functionality
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\service123.exe

"C:\Users\user\AppData\Local\Temp\service123.exe"

Details

Is windows:	false
Is dropped:	true
PID:	8016
Target ID:	4
Parent PID:	7432
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\service123.exe"
Size:	314617856
MD5:	C7DE705DEE7C918329739835EB2FFF15
Time:	03:16:10
Date:	14/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x530000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

Details

Is windows:	true
Is dropped:	false
PID:	8040
Target ID:	5
Parent PID:	7432
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\schtasks.exe
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Size:	187904
MD5:	48C2FE20575769DE916F48EF0676A965
Time:	03:16:10
Date:	14/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xdc0000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\service123.exe

C:\Users\user\AppData\Local\Temp\/service123.exe

Details

Is windows:	false
Is dropped:	true
PID:	8100
Target ID:	7
Parent PID:	1044
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Size:	314617856
MD5:	C7DE705DEE7C918329739835EB2FFF15
Time:	03:16:12
Date:	14/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x530000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\service123.exe

C:\Users\user\AppData\Local\Temp\/service123.exe

Details

Is windows:	false
Is dropped:	true
PID:	3180
Target ID:	9
Parent PID:	1044
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Size:	314617856
MD5:	C7DE705DEE7C918329739835EB2FFF15
Time:	03:17:02
Date:	14/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x530000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	8048
Target ID:	6
Parent PID:	8040
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	03:16:10
Date:	14/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

@sevtbv17pn.top

analforeverlovyu.top

pn.top

0asevtbv17pn.top

n.top

+sevtbv17pn.top

sevtbv17pn.top

https://ac.ecosia.org/autocomplete?q=

unknown

https://duckduckgo.com/chrome_newtab

unknown

https://gcc.gnu.org/bugs/):

unknown

https://keruzam.com/update.php?compName

unknown

http://sevtbv17pn.top/

unknown

https://duckduckgo.com/ac/?q=

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

https://keruzam.com/update.php?compName=

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

http://sevtbv17pn.top/v1/upload.php

unknown

https://www.ecosia.org/newtab/

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

There are 11 hidden URLs, click here to show them.

Domains

Name

Malicious

sevtbv17pn.top

80.66.81.78

Details

Name:	sevtbv17pn.top
IP:	80.66.81.78
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

80.66.81.78

sevtbv17pn.top

Russian Federation

Details

IP:	80.66.81.78
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	202984
ASN name:	TEAM-HOSTASRU
Private:	false
Domain:	sevtbv17pn.top

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

4495000

heap

page read and write

D939000

heap

page read and write

A25000

unkown

page write copy

16AE000

stack

page read and write

421000

unkown

page execute read

3FED000

stack

page read and write

6A056000

direct allocation

page read and write

1C22000

heap

page read and write

1C1E000

heap

page read and write

541000

unkown

page readonly

D30000

heap

page read and write

1AAF000

heap

page read and write

1BE2000

heap

page read and write

1C27000

heap

page read and write

541000

unkown

page readonly

344F000

stack

page read and write

6C418000

unkown

page readonly

D10000

heap

page read and write

A1E000

unkown

page read and write

1DCA000

heap

page read and write

69E34000

direct allocation

page read and write

1BE3000

heap

page read and write

1BDD000

heap

page read and write

6A043000

direct allocation

page read and write

1C34000

heap

page read and write

A11000

unkown

page read and write

A11000

unkown

page write copy

541000

unkown

page readonly

1C1E000

heap

page read and write

E90000

heap

page read and write

A2C000

unkown

page write copy

531000

unkown

page execute read

1517000

heap

page read and write

F97000

stack

page read and write

2EEA000

stack

page read and write

531000

unkown

page execute read

C3C000

stack

page read and write

FC9000

stack

page read and write

1C34000

heap

page read and write

420000

unkown

page readonly

10F8000

heap

page read and write

32D0000

heap

page read and write

FAF000

stack

page read and write

1BD6000

heap

page read and write

1BC8000

heap

page read and write

AD9000

unkown

page readonly

12E0000

heap

page read and write

530000

unkown

page readonly

16E0000

heap

page read and write

E97000

heap

page read and write

10D9000

heap

page read and write

6C2F1000

unkown

page execute read

8EC000

unkown

page read and write

8E8000

unkown

page write copy

420000

unkown

page readonly

53A000

unkown

page readonly

32DA000

heap

page read and write

53A000

unkown

page readonly

1BAE000

heap

page read and write

E60000

heap

page read and write

1C34000

heap

page read and write

1510000

heap

page read and write

530000

unkown

page readonly

1C57000

heap

page read and write

DDD2000

heap

page read and write

3570000

heap

page read and write

1C2F000

heap

page read and write

488F000

stack

page read and write

1C2A000

heap

page read and write

1C22000

heap

page read and write

1400000

heap

page read and write

4470000

remote allocation

page read and write

DD4A000

heap

page read and write

541000

unkown

page readonly

1BD1000

heap

page read and write

6A048000

direct allocation

page read and write

FF0000

heap

page read and write

530000

unkown

page readonly

1040000

heap

page read and write

422F000

stack

page read and write

C30000

heap

page read and write

53A000

unkown

page readonly

1C19000

heap

page read and write

D8E1000

heap

page read and write

D943000

heap

page read and write

531000

unkown

page execute read

1BCC000

heap

page read and write

2F9E000

unkown

page read and write

1C2F000

heap

page read and write

1C19000

heap

page read and write

6C3CF000

unkown

page readonly

1C3A000

heap

page read and write

AC2000

unkown

page readonly

A27000

unkown

page read and write

FE2000

stack

page read and write

10E4000

heap

page read and write

69CC1000

direct allocation

page execute read

531000

unkown

page execute read

1060000

heap

page read and write

2F50000

heap

page read and write

1BD1000

heap

page read and write

1C2A000

heap

page read and write

1BDD000

heap

page read and write

129D000

stack

page read and write

10FD000

heap

page read and write

10FA000

heap

page read and write

D90C000

heap

page read and write

D8FA000

heap

page read and write

DCD0000

heap

page read and write

DCE9000

heap

page read and write

D94B000

heap

page read and write

1045000

heap

page read and write

6A2F9000

direct allocation

page read and write

6A364000

direct allocation

page readonly

6A375000

direct allocation

page read and write

10DF000

heap

page read and write

6C3CD000

unkown

page read and write

421000

unkown

page execute read

6A04A000

direct allocation

page read and write

3DED000

stack

page read and write

E3D000

stack

page read and write

1BCC000

heap

page read and write

173E000

stack

page read and write

D92F000

heap

page read and write

1050000

heap

page read and write

541000

unkown

page readonly

1BD2000

heap

page read and write

53E000

unkown

page read and write

DD40000

heap

page read and write

A23000

unkown

page write copy

541000

unkown

page readonly

8E7000

unkown

page write copy

1C19000

heap

page read and write

1C1E000

heap

page read and write

E70000

heap

page read and write

2FB0000

heap

page read and write

6A05B000

direct allocation

page read and write

53A000

unkown

page readonly

10FA000

heap

page read and write

E456000

heap

page read and write

A12000

unkown

page write copy

1BD8000

heap

page read and write

1470000

heap

page read and write

1C2A000

heap

page read and write

2EAD000

stack

page read and write

D94B000

heap

page read and write

1BE4000

heap

page read and write

468F000

stack

page read and write

AD6000

unkown

page write copy

A2A000

unkown

page read and write

10F8000

heap

page read and write

1C1E000

heap

page read and write

149F000

stack

page read and write

1C19000

heap

page read and write

6A372000

direct allocation

page read and write

1C2F000

heap

page read and write

10FD000

heap

page read and write

530000

unkown

page readonly

6C41C000

unkown

page readonly

FFE000

heap

page read and write

1090000

heap

page read and write

FBA000

stack

page read and write

1BD3000

heap

page read and write

2FFF000

unkown

page read and write

69DF5000

direct allocation

page read and write

6C2F0000

unkown

page readonly

1C23000

heap

page read and write

FFA000

heap

page read and write

2FA0000

heap

page read and write

10FD000

heap

page read and write

421000

unkown

page execute read

A2E000

unkown

page read and write

FF7000

stack

page read and write

128C000

stack

page read and write

531000

unkown

page execute read

BDB000

stack

page read and write

53A000

unkown

page readonly

10C5000

heap

page read and write

1C0B000

heap

page read and write

1C2F000

heap

page read and write

10DF000

heap

page read and write

1102000

heap

page read and write

1BCC000

heap

page read and write

3DAD000

stack

page read and write

108C000

stack

page read and write

6A03C000

direct allocation

page read and write

69CF3000

direct allocation

page read and write

53E000

unkown

page read and write

1C23000

heap

page read and write

69FF9000

direct allocation

page read and write

BFC000

stack

page read and write

10DF000

heap

page read and write

E90000

heap

page read and write

1410000

heap

page read and write

A28000

unkown

page write copy

6C419000

unkown

page read and write

4470000

remote allocation

page read and write

F7D000

stack

page read and write

1C2A000

heap

page read and write

1C2A000

heap

page read and write

AC2000

unkown

page readonly

530000

unkown

page readonly

D8E9000

heap

page read and write

402E000

stack

page read and write

10E5000

heap

page read and write

53E000

unkown

page write copy

7DC000

stack

page read and write

E50000

heap

page read and write

1C1E000

heap

page read and write

109A000

heap

page read and write

53A000

unkown

page readonly

53E000

unkown

page write copy

53E000

unkown

page read and write

D8E1000

heap

page read and write

4470000

remote allocation

page read and write

69FB9000

direct allocation

page read and write

1C19000

heap

page read and write

446F000

stack

page read and write

1C1B000

heap

page read and write

228F000

heap

page read and write

69CC0000

direct allocation

page read and write

1B50000

heap

page read and write

1145000

heap

page read and write

A24000

unkown

page read and write

1C1E000

heap

page read and write

530000

unkown

page readonly

1750000

heap

page read and write

6A040000

direct allocation

page read and write

6A03A000

direct allocation

page read and write

1C2A000

heap

page read and write

10DC000

heap

page read and write

1B9E000

heap

page read and write

109E000

heap

page read and write

AD9000

unkown

page readonly

4A8C000

stack

page read and write

14EE000

stack

page read and write

426E000

stack

page read and write

1C27000

heap

page read and write

10DC000

heap

page read and write

1C1E000

heap

page read and write

1756000

heap

page read and write

1C23000

heap

page read and write

1C19000

heap

page read and write

AD6000

unkown

page read and write

1460000

heap

page read and write

53E000

unkown

page write copy

3B1B000

stack

page read and write

10FB000

heap

page read and write

340E000

stack

page read and write

DBC8000

heap

page read and write

10DF000

heap

page read and write

1030000

heap

page read and write

531000

unkown

page execute read

10DC000

heap

page read and write

8E7000

unkown

page read and write

D8E0000

heap

page read and write

There are 246 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
file.exe