Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.529077850939505
Filename:	file.exe
Filesize:	2963456
MD5:	b7c6caceb7f0ff55a6d276ef2d4505af
SHA1:	b50a32531b09099caa47ce317a89c4dd38b0a7f2
SHA256:	8c67a0c7241778a14e218933a14a80797a45fca028aff527b42b2f6192a68387
SHA512:	0393058da2a88f4d3c23d32277f6366b4fc68dd873c887b4d006057022ec9e087f4be3091b11a6befc88633395634a17f5105e7bf36dfa1d22026cdde967720d
SSDEEP:	49152:St1I257awrRSvE/kJDZ096+OFxkokD86Wo2ILiTYWvXtZop+/s+bv:XE7awrRWE/kJDZ096+OPMD8X6LiTTPtT
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................0...........@...........................0.....%.....@.................................W...k..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Found malware configuration	AV Detection
Hides threads from debuggers	Anti Debugging
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)	Boot Survival
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Tries to detect sandboxes and other dynamic analysis tools (window names)	Anti Debugging
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion
Tries to evade debugger and weak emulator (self modifying code)	Malware Analysis System Evasion
Checks for debuggers (devices)	Anti Debugging
Checks if the current process is being debugged	Anti Debugging	Virtualization/Sandbox Evasion
Contains capabilities to detect virtual machines	Malware Analysis System Evasion
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
One or more processes crash	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Queries a list of all running drivers	Malware Analysis System Evasion
Queries a list of all running processes	Malware Analysis System Evasion
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Sample might require command line arguments	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_f5b4a6202a53ee73c263cc4c99e711b13cd935ac_85207d7d_60a13b95-4b9d-48c6-9f21-7624c89f66a0\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_f5b4a6202a53ee73c263cc4c99e711b13cd935ac_85207d7d_60a13b95-4b9d-48c6-9f21-7624c89f66a0\Report.wer
Category:	dropped
Dump:	Report.wer.9.dr
ID:	dr_0
Target ID:	9
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.5816726361411275
Encrypted:	false
Ssdeep:	96:PEikZF9cTKwvcsQhMov7JfqQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTAjf/VH:P4Z0GwvcD0WbkQzuiFTZ24IO8b2
Size:	65536
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3470.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER3470.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER3470.tmp.WERInternalMetadata.xml.9.dr
ID:	dr_3
Target ID:	9
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.6842295844188437
Encrypted:	false
Ssdeep:	192:R6l7wVeJRCv6g6YNtSUepgmfh9pr789b6EsfS+m:R6lXJ06g6Y3SUepgmfh863fy
Size:	8316
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3490.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER3490.tmp.xml
Category:	dropped
Dump:	WER3490.tmp.xml.9.dr
ID:	dr_4
Target ID:	9
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.4416444986680865
Encrypted:	false
Ssdeep:	48:cvIwWl8zsXJg77aI9rwWpW8VYoYm8M4JTEFBV+q8aGcMe3d:uIjf5I7NJ7V8JeMcMe3d
Size:	4571
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\WER24A0.tmp.WERDataCollectionStatus.txt

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\WER24A0.tmp.WERDataCollectionStatus.txt
Category:	dropped
Dump:	WER24A0.tmp.WERDataCollectionStatus.txt.9.dr
ID:	dr_2
Target ID:	9
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.2536549940520088
Encrypted:	false
Ssdeep:	96:pwpIilkXkkXwkynEuWy0QT0QV0Qgk0QXJ0Q00Q+MEFgbXTaszeuzSzbxGQI5lmcW:pAlR+u+9SoeyOkNa
Size:	4790
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.9.dr
ID:	dr_1
Target ID:	9
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.416520369791879
Encrypted:	false
Ssdeep:	6144:ncifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuN85+:ci58oSWIZBk2MM6AFBqo
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7576
Target ID:	4
Parent PID:	4056
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	2963456
MD5:	B7C6CACEB7F0FF55A6D276EF2D4505AF
Time:	05:03:09
Date:	14/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xaa0000
Modulesize:	3203072
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
LummaC encrypted strings found	HIPS / PFW / Operating System Protection Evasion	PowerShell Deobfuscate/Decode Files or Information
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7576 -s 1940

Details

Is windows:	true
Is dropped:	false
PID:	7964
Target ID:	9
Parent PID:	7576
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7576 -s 1940
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	05:03:16
Date:	14/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xaf0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://sergei-esenin.com/

unknown

https://sergei-esenin.com/apiM

unknown

bathdoomgaz.store

studennotediw.store

clearancek.site

dissapoiznw.store

https://sergei-esenin.com/LOu

unknown

https://steamcommunity.com/profiles/76561199724331900

104.102.49.254

spirittunek.store

licendfilteo.site

eaglepawnoy.store

https://steamcommunity.com/profiles/76561199724331900/inventory/

unknown

https://sergei-esenin.com:443/apifiles/76561199724331900

unknown

https://sergei-esenin.com:443/api

unknown

mobbipenju.store

https://sergei-esenin.com/api

104.21.53.8

https://steamcommunity.com/profiles/76561199724331900/badges

unknown

https://steamcommunity.com/my/wishlist/

unknown

https://www.cloudflare.com/learning/access-management/phishing-attack/

unknown

https://store.steampowU)

unknown

https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp

unknown

https://steamcommunity.com/?subsection=broadcasts

unknown

https://help.steampowered.com/en/

unknown

https://steamcommunity.com/market/

unknown

https://store.steampowered.com/news/

unknown

https://licendfilteo.site:443/apid

unknown

https://store.steampowered.com/subscriber_agreement/

unknown

http://store.steampowered.com/subscriber_agreement/

unknown

https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1

unknown

https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en

unknown

http://www.valvesoftware.com/legal.htm

unknown

https://steamcommunity.com/discussions/

unknown

https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png

unknown

https://store.steampowered.com/stats/

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1

unknown

https://store.steampowered.com/steam_refunds/

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&

unknown

https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

unknown

https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900

unknown

https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e

unknown

https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi

unknown

https://steamcommunity.com/workshop/

unknown

https://eaglepawnoy.store:443/api

unknown

https://store.steampowered.com/legal/

unknown

https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv

unknown

https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl

unknown

http://store.steampowered.com/privacy_agreement/

unknown

https://store.steampowered.com/points/shop/

unknown

http://upx.sf.net

unknown

https://store.steampowered.com/

unknown

https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw

unknown

https://www.cloudflare.com/learning/access-manMV

unknown

https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif

unknown

https://www.cloudflare.com/learning/access-man

unknown

https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg

unknown

https://store.steampowered.com/privacy_agreement/

unknown

https://www.cloudflare.com/5xx-error-landing

unknown

https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en

unknown

https://www.cloudflare.com/5xx-errop

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0

unknown

https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a

unknown

https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016

unknown

https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am

unknown

https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA

unknown

https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english

unknown

https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english

unknown

https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english

unknown

http://store.steampowered.com/account/cookiepreferences/

unknown

https://store.steampowered.com/mobile

unknown

https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png

unknown

https://steamcommunity.com/

unknown

https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english

unknown

https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis

unknown

https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC

unknown

https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl

unknown

https://store.steampowered.com/about/

unknown

https://studennotediw.store:443/api:

unknown

There are 75 hidden URLs, click here to show them.

Domains

Name

Malicious

steamcommunity.com

104.102.49.254

sergei-esenin.com

104.21.53.8

eaglepawnoy.store

unknown

bathdoomgaz.store

unknown

spirittunek.store

unknown

licendfilteo.site

unknown

studennotediw.store

unknown

mobbipenju.store

unknown

clearancek.site

unknown

dissapoiznw.store

unknown

IPs

Domain

Country

Malicious

104.21.53.8

sergei-esenin.com

United States

Details

IP:	104.21.53.8
TargetID:	4
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	sergei-esenin.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.102.49.254

steamcommunity.com

United States

Details

IP:	104.102.49.254
TargetID:	4
Current Path:	C:\Users\user\Desktop\file.exe
Country:	United States
Countrycode:	USA
ASN number:	16625
ASN name:	AKAMAI-ASUS
Private:	false
Domain:	steamcommunity.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

\REGISTRY\A\{b2517614-415f-6cd4-7d68-a04c1f0f5489}\Root\InventoryApplicationFile\file.exe|634507f567776d77

ProgramId

\REGISTRY\A\{b2517614-415f-6cd4-7d68-a04c1f0f5489}\Root\InventoryApplicationFile\file.exe|634507f567776d77

FileId

\REGISTRY\A\{b2517614-415f-6cd4-7d68-a04c1f0f5489}\Root\InventoryApplicationFile\file.exe|634507f567776d77

LowerCaseLongPath

\REGISTRY\A\{b2517614-415f-6cd4-7d68-a04c1f0f5489}\Root\InventoryApplicationFile\file.exe|634507f567776d77

LongPathHash

\REGISTRY\A\{b2517614-415f-6cd4-7d68-a04c1f0f5489}\Root\InventoryApplicationFile\file.exe|634507f567776d77

Name

\REGISTRY\A\{b2517614-415f-6cd4-7d68-a04c1f0f5489}\Root\InventoryApplicationFile\file.exe|634507f567776d77

OriginalFileName

\REGISTRY\A\{b2517614-415f-6cd4-7d68-a04c1f0f5489}\Root\InventoryApplicationFile\file.exe|634507f567776d77

Publisher

\REGISTRY\A\{b2517614-415f-6cd4-7d68-a04c1f0f5489}\Root\InventoryApplicationFile\file.exe|634507f567776d77

Version

\REGISTRY\A\{b2517614-415f-6cd4-7d68-a04c1f0f5489}\Root\InventoryApplicationFile\file.exe|634507f567776d77

BinFileVersion

\REGISTRY\A\{b2517614-415f-6cd4-7d68-a04c1f0f5489}\Root\InventoryApplicationFile\file.exe|634507f567776d77

BinaryType

\REGISTRY\A\{b2517614-415f-6cd4-7d68-a04c1f0f5489}\Root\InventoryApplicationFile\file.exe|634507f567776d77

ProductName

\REGISTRY\A\{b2517614-415f-6cd4-7d68-a04c1f0f5489}\Root\InventoryApplicationFile\file.exe|634507f567776d77

ProductVersion

\REGISTRY\A\{b2517614-415f-6cd4-7d68-a04c1f0f5489}\Root\InventoryApplicationFile\file.exe|634507f567776d77

LinkDate

\REGISTRY\A\{b2517614-415f-6cd4-7d68-a04c1f0f5489}\Root\InventoryApplicationFile\file.exe|634507f567776d77

BinProductVersion

\REGISTRY\A\{b2517614-415f-6cd4-7d68-a04c1f0f5489}\Root\InventoryApplicationFile\file.exe|634507f567776d77

AppxPackageFullName

\REGISTRY\A\{b2517614-415f-6cd4-7d68-a04c1f0f5489}\Root\InventoryApplicationFile\file.exe|634507f567776d77

AppxPackageRelativeId

\REGISTRY\A\{b2517614-415f-6cd4-7d68-a04c1f0f5489}\Root\InventoryApplicationFile\file.exe|634507f567776d77

Size

\REGISTRY\A\{b2517614-415f-6cd4-7d68-a04c1f0f5489}\Root\InventoryApplicationFile\file.exe|634507f567776d77

Language

\REGISTRY\A\{b2517614-415f-6cd4-7d68-a04c1f0f5489}\Root\InventoryApplicationFile\file.exe|634507f567776d77

Usn

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

ClockTimeSeconds

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData

TickCount

There are 11 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

AA1000

unkown

page execute and read and write

388E000

stack

page read and write

338E000

stack

page read and write

CBB000

unkown

page execute and read and write

12D4000

heap

page read and write

14AF000

stack

page read and write

55EE000

stack

page read and write

D18000

unkown

page execute and write copy

546F000

stack

page read and write

3ACF000

stack

page read and write

1100000

direct allocation

page read and write

5BFA000

trusted library allocation

page read and write

3B0E000

stack

page read and write

73D0F000

unkown

page readonly

310E000

stack

page read and write

50E0000

direct allocation

page execute and read and write

CBA000

unkown

page execute and write copy

10FB000

stack

page read and write

4B11000

heap

page read and write

D21000

unkown

page execute and read and write

12D4000

heap

page read and write

39CE000

stack

page read and write

2EA0000

direct allocation

page execute and read and write

398F000

stack

page read and write

5C00000

trusted library allocation

page read and write

4B11000

heap

page read and write

5BE0000

trusted library allocation

page read and write

CE6000

unkown

page execute and write copy

12D4000

heap

page read and write

4B11000

heap

page read and write

DF0000

heap

page read and write

D3B000

unkown

page execute and write copy

1190000

heap

page read and write

2EC0000

heap

page read and write

1100000

direct allocation

page read and write

1100000

direct allocation

page read and write

4F90000

direct allocation

page read and write

12D4000

heap

page read and write

CCE000

unkown

page execute and read and write

1200000

heap

page read and write

384F000

stack

page read and write

C7E000

unkown

page execute and write copy

1209000

heap

page read and write

117D000

heap

page read and write

450E000

stack

page read and write

73D06000

unkown

page readonly

12D4000

heap

page read and write

424F000

stack

page read and write

2E90000

direct allocation

page execute and read and write

2ECD000

heap

page read and write

D02000

unkown

page execute and read and write

3E8F000

stack

page read and write

CEC000

unkown

page execute and read and write

73CF0000

unkown

page readonly

12B0000

heap

page read and write

C9C000

unkown

page execute and read and write

4B0F000

stack

page read and write

DAA000

unkown

page execute and read and write

D2C000

unkown

page execute and read and write

1100000

direct allocation

page read and write

4B11000

heap

page read and write

A00000

heap

page read and write

428E000

stack

page read and write

C6C000

unkown

page execute and write copy

1120000

direct allocation

page read and write

12D4000

heap

page read and write

589D000

stack

page read and write

12D4000

heap

page read and write

5BDF000

stack

page read and write

2EB0000

direct allocation

page execute and read and write

116D000

heap

page read and write

11BD000

heap

page read and write

12D4000

heap

page read and write

11AF000

heap

page read and write

A10000

heap

page read and write

1100000

direct allocation

page read and write

348F000

stack

page read and write

4B11000

heap

page read and write

51ED000

stack

page read and write

D6B000

unkown

page execute and read and write

2EA0000

direct allocation

page execute and read and write

2EA0000

direct allocation

page execute and read and write

3ECE000

stack

page read and write

C9B000

unkown

page execute and write copy

59FE000

stack

page read and write

573D000

stack

page read and write

2D4E000

stack

page read and write

11BD000

heap

page read and write

12C0000

direct allocation

page execute and read and write

48CE000

stack

page read and write

12D4000

heap

page read and write

583E000

stack

page read and write

1100000

direct allocation

page read and write

5BEB000

trusted library allocation

page read and write

12D4000

heap

page read and write

478E000

stack

page read and write

2EA0000

direct allocation

page execute and read and write

44CF000

stack

page read and write

CFE000

unkown

page execute and write copy

C7C000

unkown

page execute and read and write

4F50000

trusted library allocation

page read and write

52AB000

trusted library allocation

page read and write

B0A000

unkown

page execute and write copy

C6A000

unkown

page execute and read and write

1100000

direct allocation

page read and write

126E000

stack

page read and write

4B11000

heap

page read and write

12D4000

heap

page read and write

1208000

heap

page read and write

374E000

stack

page read and write

1100000

direct allocation

page read and write

360E000

stack

page read and write

D95000

unkown

page execute and read and write

A7E000

stack

page read and write

53C0000

trusted library allocation

page read and write

50FC000

trusted library allocation

page read and write

334F000

stack

page read and write

4A0E000

stack

page read and write

113A000

heap

page read and write

D80000

unkown

page execute and write copy

532D000

stack

page read and write

460F000

stack

page read and write

4FCC000

stack

page read and write

D0F000

unkown

page execute and read and write

3FCF000

stack

page read and write

9AB000

stack

page read and write

12D4000

heap

page read and write

2EA0000

direct allocation

page execute and read and write

3D8E000

stack

page read and write

1130000

heap

page read and write

2FCE000

stack

page read and write

D0B000

unkown

page execute and read and write

410F000

stack

page read and write

73D0D000

unkown

page read and write

B0C000

unkown

page execute and write copy

12D4000

heap

page read and write

B0B000

unkown

page execute and read and write

12D4000

heap

page read and write

C88000

unkown

page execute and write copy

1100000

direct allocation

page read and write

2EA0000

remote allocation

page read and write

D95000

unkown

page execute and write copy

12D4000

heap

page read and write

35CF000

stack

page read and write

B00000

unkown

page execute and read and write

1168000

heap

page read and write

D0A000

unkown

page execute and write copy

DAB000

unkown

page execute and write copy

12B0000

direct allocation

page execute and read and write

2EA0000

remote allocation

page read and write

73CF1000

unkown

page execute read

CC4000

unkown

page execute and write copy

414E000

stack

page read and write

2EC7000

heap

page read and write

1175000

heap

page read and write

370F000

stack

page read and write

53CD000

trusted library allocation

page read and write

12D4000

heap

page read and write

53B8000

trusted library allocation

page read and write

12D4000

heap

page read and write

43CE000

stack

page read and write

CED000

unkown

page execute and write copy

DAA000

unkown

page execute and write copy

488F000

stack

page read and write

536E000

stack

page read and write

12D4000

heap

page read and write

1170000

heap

page read and write

1120000

direct allocation

page read and write

4B20000

heap

page read and write

1100000

direct allocation

page read and write

2EA0000

remote allocation

page read and write

D0C000

unkown

page execute and write copy

DEE000

stack

page read and write

55AE000

stack

page read and write

4B11000

heap

page read and write

CCB000

unkown

page execute and read and write

522D000

stack

page read and write

CF2000

unkown

page execute and read and write

12D4000

heap

page read and write

1100000

direct allocation

page read and write

4F8D000

stack

page read and write

D87000

unkown

page execute and write copy

D9D000

unkown

page execute and write copy

12D4000

heap

page read and write

12D4000

heap

page read and write

AA1000

unkown

page execute and write copy

3C0F000

stack

page read and write

4B11000

heap

page read and write

D9D000

unkown

page execute and write copy

11BD000

heap

page read and write

1100000

direct allocation

page read and write

320F000

stack

page read and write

1100000

direct allocation

page read and write

599E000

stack

page read and write

AA0000

unkown

page readonly

2E4F000

stack

page read and write

C89000

unkown

page execute and read and write

324E000

stack

page read and write

400E000

stack

page read and write

113E000

heap

page read and write

54AD000

stack

page read and write

AA0000

unkown

page read and write

12D4000

heap

page read and write

1100000

direct allocation

page read and write

56EE000

stack

page read and write

11A5000

heap

page read and write

1193000

heap

page read and write

C7F000

unkown

page execute and read and write

11E8000

heap

page read and write

D96000

unkown

page execute and write copy

D3C000

unkown

page execute and read and write

438F000

stack

page read and write

B00000

unkown

page execute and write copy

3C4E000

stack

page read and write

4B11000

heap

page read and write

D28000

unkown

page execute and write copy

11F3000

heap

page read and write

12D4000

heap

page read and write

D81000

unkown

page execute and read and write

30CF000

stack

page read and write

12D4000

heap

page read and write

53AA000

trusted library allocation

page read and write

12D4000

heap

page read and write

50CE000

stack

page read and write

5AD0000

heap

page read and write

CCC000

unkown

page execute and write copy

4B10000

heap

page read and write

12D0000

heap

page read and write

12AC000

stack

page read and write

50D0000

direct allocation

page execute and read and write

2EA0000

direct allocation

page execute and read and write

34CE000

stack

page read and write

49CF000

stack

page read and write

3D4F000

stack

page read and write

474F000

stack

page read and write

2E8E000

stack

page read and write

464E000

stack

page read and write

There are 227 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
file.exe