Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.9462156143250855
Filename:	file.exe
Filesize:	1798656
MD5:	eca468992cf2597dac9a7c4b2291016b
SHA1:	56cd1d16e39837a5b33d2fe5a631930ca6eecde5
SHA256:	4ddfbbc94a53d32fcabd261d31923e3a8767e9c9705809ee1639b5c1238abaf2
SHA512:	1c9e7760c558bfd75db99b02160d25460b4a0edd059196932ef40b99e3721d597df79b8a94356ab50417acc953bda1e5b0885b642129d9620a7dcaa933728ff0
SSDEEP:	49152:xA5b8hrp/UHULyY/dtL3oLPocJbLJ4hL7G:xmb8BW0LyodtQjLeL
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation
Found malware configuration	AV Detection
Hides threads from debuggers	Anti Debugging	Virtualization/Sandbox Evasion Security Software Discovery
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)	Boot Survival
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion
Tries to detect sandboxes and other dynamic analysis tools (window names)	Anti Debugging
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion
Tries to evade debugger and weak emulator (self modifying code)	Malware Analysis System Evasion
Checks for debuggers (devices)	Anti Debugging
Checks if the current process is being debugged	Anti Debugging
Contains capabilities to detect virtual machines	Malware Analysis System Evasion
One or more processes crash	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
PE file has a high occurrence of arithmetic instructions at the PE entrypoint (possbibily packed)	System Summary	Obfuscated Files or Information
Binary contains paths to development resources	System Summary
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Queries a list of all running drivers	Malware Analysis System Evasion	System Information Discovery
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_819e5e45b8a757e26ca9bd44e6d9284b79b3342d_a5cec3f2_4ab8625c-119a-4837-903c-777f0b7ed8e0\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_819e5e45b8a757e26ca9bd44e6d9284b79b3342d_a5cec3f2_4ab8625c-119a-4837-903c-777f0b7ed8e0\Report.wer
Category:	dropped
Dump:	Report.wer.5.dr
ID:	dr_0
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.9488212876899321
Encrypted:	false
Ssdeep:	192:RahLK6b5vvu7tPlI0BU/7E3juCZr+dQzuiFMZ24IO8ThB:RslytNjBU/AjWyzuiFMY4IO8r
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
PE file has a high occurrence of arithmetic instructions at the PE entrypoint (possbibily packed)	System Summary	Obfuscated Files or Information
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF56B.tmp.dmp

Mini DuMP crash report, 14 streams, Fri Oct 25 19:52:30 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERF56B.tmp.dmp
Category:	dropped
Dump:	WERF56B.tmp.dmp.5.dr
ID:	dr_2
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Fri Oct 25 19:52:30 2024, 0x1205a4 type
Entropy:	1.2846259597336942
Encrypted:	false
Ssdeep:	768:6HCFBeER7SBIgK/+EG2f21nSvfjd2F8gIM1diF8C:6H4CIga+Yf6nSn8F8PMriFb
Size:	282582
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF6B5.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERF6B5.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WERF6B5.tmp.WERInternalMetadata.xml.5.dr
ID:	dr_3
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.6936899693575236
Encrypted:	false
Ssdeep:	192:R6l7wVeJvCZ6F6YEIYSUPmHgmfBENprj89bc7sfYm0m:R6lXJM6F6YEnSU+Hgmf+kcAfJ
Size:	8326
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF6D5.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERF6D5.tmp.xml
Category:	dropped
Dump:	WERF6D5.tmp.xml.5.dr
ID:	dr_4
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.436524049079654
Encrypted:	false
Ssdeep:	48:cvIwWl8zskJg77aI91jiWpW8VYA5Ym8M4JVeFuE+q816L6u4d:uIjfiI77j7V7oJtETLR4d
Size:	4558
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.5.dr
ID:	dr_1
Target ID:	5
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.421319427518146
Encrypted:	false
Ssdeep:	6144:RSvfpi6ceLP/9skLmb0OTSWSPHaJG8nAgeMZMMhA2fX4WABlEnN20uhiTw:ovloTSW+EZMM6DFy403w
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7064
Target ID:	0
Parent PID:	1028
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	1798656
MD5:	ECA468992CF2597DAC9A7C4B2291016B
Time:	15:52:04
Date:	25/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x380000
Modulesize:	6819840
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected Stealc	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
PE file has a high occurrence of arithmetic instructions at the PE entrypoint (possbibily packed)	System Summary	Obfuscated Files or Information
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7064 -s 1516

Details

Is windows:	true
Is dropped:	false
PID:	5136
Target ID:	5
Parent PID:	7064
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7064 -s 1516
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	15:52:29
Date:	25/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x780000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://185.215.113.37/

185.215.113.37

Details

Name:	http://185.215.113.37/
IP:	185.215.113.37
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\file.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
IP address seen in connection with other malware	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

http://185.215.113.37/A&

unknown

Details

Name:	http://185.215.113.37/A&
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000002.2651833926.000000000029B000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

http://185.215.113.37

unknown

Details

Name:	http://185.215.113.37
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000002.2651833926.000000000026E000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

http://185.215.113.37/e2b1563c6670f193.php

Details

Name:	http://185.215.113.37/e2b1563c6670f193.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\file.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://185.215.113.37/7

unknown

Details

Name:	http://185.215.113.37/7
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000002.2651833926.00000000002C7000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

http://185.215.113.37/I&

unknown

Details

Name:	http://185.215.113.37/I&
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000002.2651833926.000000000029B000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

http://185.215.113.37/z

unknown

Details

Name:	http://185.215.113.37/z
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000002.2651833926.00000000002C7000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

http://upx.sf.net

unknown

IPs

Domain

Country

Malicious

185.215.113.37

unknown

Portugal

Details

IP:	185.215.113.37
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	Portugal
Countrycode:	PRT
ASN number:	206894
ASN name:	WHOLESALECONNECTIONSNL
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

\REGISTRY\A\{e5ebfc10-e8f2-793c-4802-6874f3781d8e}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

ProgramId

\REGISTRY\A\{e5ebfc10-e8f2-793c-4802-6874f3781d8e}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

FileId

\REGISTRY\A\{e5ebfc10-e8f2-793c-4802-6874f3781d8e}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

LowerCaseLongPath

\REGISTRY\A\{e5ebfc10-e8f2-793c-4802-6874f3781d8e}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

LongPathHash

\REGISTRY\A\{e5ebfc10-e8f2-793c-4802-6874f3781d8e}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

Name

\REGISTRY\A\{e5ebfc10-e8f2-793c-4802-6874f3781d8e}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

OriginalFileName

\REGISTRY\A\{e5ebfc10-e8f2-793c-4802-6874f3781d8e}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

Publisher

\REGISTRY\A\{e5ebfc10-e8f2-793c-4802-6874f3781d8e}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

Version

\REGISTRY\A\{e5ebfc10-e8f2-793c-4802-6874f3781d8e}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

BinFileVersion

\REGISTRY\A\{e5ebfc10-e8f2-793c-4802-6874f3781d8e}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

BinaryType

\REGISTRY\A\{e5ebfc10-e8f2-793c-4802-6874f3781d8e}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

ProductName

\REGISTRY\A\{e5ebfc10-e8f2-793c-4802-6874f3781d8e}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

ProductVersion

\REGISTRY\A\{e5ebfc10-e8f2-793c-4802-6874f3781d8e}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

LinkDate

\REGISTRY\A\{e5ebfc10-e8f2-793c-4802-6874f3781d8e}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

BinProductVersion

\REGISTRY\A\{e5ebfc10-e8f2-793c-4802-6874f3781d8e}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

AppxPackageFullName

\REGISTRY\A\{e5ebfc10-e8f2-793c-4802-6874f3781d8e}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

AppxPackageRelativeId

\REGISTRY\A\{e5ebfc10-e8f2-793c-4802-6874f3781d8e}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

Size

\REGISTRY\A\{e5ebfc10-e8f2-793c-4802-6874f3781d8e}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

Language

\REGISTRY\A\{e5ebfc10-e8f2-793c-4802-6874f3781d8e}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649

Usn

There are 9 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

26E000

heap

page read and write

49B0000

direct allocation

page read and write

41A000

unkown

page execute and read and write

381000

unkown

page execute and read and write

34EF000

stack

page read and write

4531000

heap

page read and write

4531000

heap

page read and write

244000

heap

page read and write

244000

heap

page read and write

33AF000

stack

page read and write

244000

heap

page read and write

3DA000

unkown

page execute and read and write

4B30000

direct allocation

page execute and read and write

4531000

heap

page read and write

4B10000

direct allocation

page execute and read and write

1CFD3000

heap

page read and write

4531000

heap

page read and write

4990000

heap

page read and write

19E000

stack

page read and write

370000

direct allocation

page read and write

4531000

heap

page read and write

2920000

heap

page read and write

4B20000

direct allocation

page execute and read and write

4B20000

direct allocation

page execute and read and write

381000

unkown

page execute and write copy

4531000

heap

page read and write

442E000

stack

page read and write

28DE000

stack

page read and write

326E000

stack

page read and write

244000

heap

page read and write

2C6E000

stack

page read and write

370000

direct allocation

page read and write

370000

direct allocation

page read and write

4531000

heap

page read and write

4531000

heap

page read and write

1D0F0000

trusted library allocation

page read and write

4531000

heap

page read and write

2DAE000

stack

page read and write

4531000

heap

page read and write

3B2F000

stack

page read and write

244000

heap

page read and write

42EE000

stack

page read and write

2D6F000

stack

page read and write

4531000

heap

page read and write

244000

heap

page read and write

1CA9E000

stack

page read and write

4531000

heap

page read and write

402F000

stack

page read and write

405000

unkown

page execute and read and write

4531000

heap

page read and write

4531000

heap

page read and write

4531000

heap

page read and write

4531000

heap

page read and write

244000

heap

page read and write

3C6F000

stack

page read and write

39EF000

stack

page read and write

316E000

stack

page read and write

4531000

heap

page read and write

4531000

heap

page read and write

1CD2D000

stack

page read and write

240000

heap

page read and write

4531000

heap

page read and write

4531000

heap

page read and write

9C000

stack

page read and write

29B000

heap

page read and write

1CB9F000

stack

page read and write

4531000

heap

page read and write

244000

heap

page read and write

4531000

heap

page read and write

86D000

unkown

page execute and write copy

26A000

heap

page read and write

4531000

heap

page read and write

1CE6D000

stack

page read and write

244000

heap

page read and write

370000

direct allocation

page read and write

B9E000

stack

page read and write

408000

unkown

page execute and read and write

4531000

heap

page read and write

3DAF000

stack

page read and write

4531000

heap

page read and write

380000

unkown

page readonly

3CAE000

stack

page read and write

85E000

unkown

page execute and read and write

B1E000

stack

page read and write

4531000

heap

page read and write

2EAF000

stack

page read and write

370000

direct allocation

page read and write

244000

heap

page read and write

1CCDF000

stack

page read and write

370000

direct allocation

page read and write

4550000

heap

page read and write

244000

heap

page read and write

86C000

unkown

page execute and read and write

244000

heap

page read and write

370000

direct allocation

page read and write

4531000

heap

page read and write

37AE000

stack

page read and write

4AEF000

stack

page read and write

1C81E000

stack

page read and write

244000

heap

page read and write

82C000

unkown

page execute and read and write

4531000

heap

page read and write

B5D000

stack

page read and write

1CF6D000

stack

page read and write

244000

heap

page read and write

2E1000

heap

page read and write

260000

heap

page read and write

244000

heap

page read and write

244000

heap

page read and write

244000

heap

page read and write

32AE000

stack

page read and write

4537000

heap

page read and write

3A2E000

stack

page read and write

244000

heap

page read and write

4531000

heap

page read and write

4531000

heap

page read and write

244000

heap

page read and write

4531000

heap

page read and write

406E000

stack

page read and write

244000

heap

page read and write

BF0000

direct allocation

page read and write

9FD000

unkown

page execute and read and write

4531000

heap

page read and write

2A2F000

stack

page read and write

2D5000

heap

page read and write

BF0000

direct allocation

page read and write

754000

unkown

page execute and read and write

40F000

unkown

page execute and read and write

86C000

unkown

page execute and write copy

195000

stack

page read and write

244000

heap

page read and write

4531000

heap

page read and write

4531000

heap

page read and write

370000

direct allocation

page read and write

42AF000

stack

page read and write

1C91F000

stack

page read and write

FFE000

stack

page read and write

4531000

heap

page read and write

244000

heap

page read and write

4531000

heap

page read and write

244000

heap

page read and write

244000

heap

page read and write

3DEE000

stack

page read and write

362F000

stack

page read and write

4531000

heap

page read and write

851000

unkown

page execute and read and write

4AF0000

direct allocation

page execute and read and write

244000

heap

page read and write

2927000

heap

page read and write

4530000

heap

page read and write

9FE000

unkown

page execute and write copy

376F000

stack

page read and write

244000

heap

page read and write

370000

direct allocation

page read and write

370000

direct allocation

page read and write

370000

direct allocation

page read and write

4531000

heap

page read and write

244000

heap

page read and write

4970000

trusted library allocation

page read and write

1CE2D000

stack

page read and write

3F2E000

stack

page read and write

4531000

heap

page read and write

5CA000

unkown

page execute and read and write

244000

heap

page read and write

352E000

stack

page read and write

4531000

heap

page read and write

244000

heap

page read and write

4531000

heap

page read and write

244000

heap

page read and write

4540000

heap

page read and write

2B4000

heap

page read and write

4531000

heap

page read and write

244000

heap

page read and write

1C95D000

stack

page read and write

416F000

stack

page read and write

244000

heap

page read and write

244000

heap

page read and write

4B00000

direct allocation

page execute and read and write

5DE000

unkown

page execute and read and write

4531000

heap

page read and write

2EEE000

stack

page read and write

292B000

heap

page read and write

33EE000

stack

page read and write

1CBDE000

stack

page read and write

244000

heap

page read and write

1CA5F000

stack

page read and write

1F0000

heap

page read and write

38AF000

stack

page read and write

3B6D000

stack

page read and write

302E000

stack

page read and write

2FEF000

stack

page read and write

289F000

stack

page read and write

366E000

stack

page read and write

4531000

heap

page read and write

2B2F000

stack

page read and write

4531000

heap

page read and write

291E000

stack

page read and write

370000

direct allocation

page read and write

2AE000

heap

page read and write

4531000

heap

page read and write

4531000

heap

page read and write

360000

heap

page read and write

4531000

heap

page read and write

4B40000

direct allocation

page execute and read and write

38EE000

stack

page read and write

4531000

heap

page read and write

370000

direct allocation

page read and write

3E2000

unkown

page execute and read and write

452F000

stack

page read and write

244000

heap

page read and write

244000

heap

page read and write

4531000

heap

page read and write

BDB000

stack

page read and write

4531000

heap

page read and write

4531000

heap

page read and write

370000

direct allocation

page read and write

2C7000

heap

page read and write

4531000

heap

page read and write

EFF000

stack

page read and write

41AE000

stack

page read and write

4531000

heap

page read and write

4531000

heap

page read and write

312F000

stack

page read and write

3EEF000

stack

page read and write

244000

heap

page read and write

4531000

heap

page read and write

4531000

heap

page read and write

4531000

heap

page read and write

43EF000

stack

page read and write

4531000

heap

page read and write

380000

unkown

page read and write

49EB000

stack

page read and write

2C2F000

stack

page read and write

200000

heap

page read and write

There are 224 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
file.exe