Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

loader.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.139376589302292
Filename:	loader.exe
Filesize:	2040097
MD5:	f462fd11ceda48487db07c5b70410dac
SHA1:	48010b409ab20a6a51e562d347b87abcb15dd9fe
SHA256:	4139522809118bba10441242323550ef8f00264e862a5403dab48c1c5c8ad654
SHA512:	7ba4a2fae1b0558b4a2d1a081a9f63cc0b4184a395fe58a31083bf1e6b4e597938d0ecda8d0e45d03e26a848c1ad30c75941ade6e49f4237bb70139127c72204
SSDEEP:	24576:h2G/nvxW3WCG0xfX0iy3dwFTQ40aI2GP1NE4utdShDpIBUx9PWRW/+YK8bnCAtF:hbA3rnxf0iyoTQi1a1wtStlx9sYX
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation
.NET source code contains potential unpacker	Data Obfuscation
Machine Learning detection for sample	AV Detection
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to communicate with device drivers	System Summary
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel
Drops PE files	Persistence and Installation Behavior
File is packed with WinRar	Data Obfuscation
Found potential string decryption / allocating functions	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
.NET source code contains calls to encryption/decryption functions	System Summary	Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains many API calls related to security	System Summary
.NET source code contains many randomly named methods	Data Obfuscation
Contains functionality for error logging	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Might use command line arguments	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Program exit points	Malware Analysis System Evasion
Reads ini files	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\blockcomwinsavescrt\DKYQpYxB0fjo0It.vbe

data

dropped

Details

File:	C:\blockcomwinsavescrt\DKYQpYxB0fjo0It.vbe
Category:	dropped
Dump:	DKYQpYxB0fjo0It.vbe.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\loader.exe
Type:	data
Entropy:	5.807795909818938
Encrypted:	false
Ssdeep:	6:GXkgwqK+NkLzWbHE08nZNDd3RL1wQJRXu7Nga1RJNdtu:GXkBMCzWLE04d3XBJYX1RS
Size:	223
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Spawns processes	System Summary	Process Injection

C:\blockcomwinsavescrt\containercomponentSaves.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\blockcomwinsavescrt\containercomponentSaves.exe
Category:	dropped
Dump:	containercomponentSaves.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\loader.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.192193387211187
Encrypted:	false
Ssdeep:	24576:lfX0iy3dwFTQ40aI2GP1NE4utdShDpIBUx9PWRW/+YK8bnCAt:lf0iyoTQi1a1wtStlx9sY
Size:	1490944
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Machine Learning detection for dropped file	AV Detection
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\containercomponentSaves.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\containercomponentSaves.exe.log
Category:	dropped
Dump:	containercomponentSaves.exe.log.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\blockcomwinsavescrt\containercomponentSaves.exe
Type:	CSV text
Entropy:	5.364175471524945
Encrypted:	false
Ssdeep:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNCsXE4Npv:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAu
Size:	1498
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\blockcomwinsavescrt\jwlZX38GInff6rIBqWRHehXwajI.bat

ASCII text, with no line terminators

dropped

Details

File:	C:\blockcomwinsavescrt\jwlZX38GInff6rIBqWRHehXwajI.bat
Category:	dropped
Dump:	jwlZX38GInff6rIBqWRHehXwajI.bat.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\loader.exe
Type:	ASCII text, with no line terminators
Entropy:	4.983747816606965
Encrypted:	false
Ssdeep:	3:I5pKoDDX0YKT0XRAJArAHFDFQNBZwXD9so3KRfyM1K7eB/k+7W34hebJNAKyMhFS:I3b0nTMQsTStuH1jhRiI36BY
Size:	164
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Executes batch files	System Summary	Scripting
Spawns processes	System Summary	Process Injection

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\loader.exe

"C:\Users\user\Desktop\loader.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6432
Target ID:	0
Parent PID:	2580
Name:	loader.exe
Path:	C:\Users\user\Desktop\loader.exe
Commandline:	"C:\Users\user\Desktop\loader.exe"
Size:	2040097
MD5:	F462FD11CEDA48487DB07C5B70410DAC
Time:	10:16:58
Date:	26/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x100000
Modulesize:	708608
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\WScript.exe" "C:\blockcomwinsavescrt\DKYQpYxB0fjo0It.vbe"

Details

Is windows:	true
Is dropped:	false
PID:	6552
Target ID:	1
Parent PID:	6432
Name:	wscript.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\wscript.exe
Commandline:	"C:\Windows\System32\WScript.exe" "C:\blockcomwinsavescrt\DKYQpYxB0fjo0It.vbe"
Size:	147456
MD5:	FF00E0480075B095948000BDC66E81F0
Time:	10:16:59
Date:	26/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x2c0000
Modulesize:	159744
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Spawns processes	System Summary	Process Injection

C:\blockcomwinsavescrt\containercomponentSaves.exe

"C:\blockcomwinsavescrt\containercomponentSaves.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7008
Target ID:	4
Parent PID:	6916
Name:	containercomponentSaves.exe
Path:	C:\blockcomwinsavescrt\containercomponentSaves.exe
Commandline:	"C:\blockcomwinsavescrt\containercomponentSaves.exe"
Size:	1490944
MD5:	59E330F176AE037DCC65EFC5F7D7859A
Time:	10:17:08
Date:	26/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc10000
Modulesize:	1523712
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected DCRat	Stealing of Sensitive Information, Remote Access Functionality
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

Details

Is windows:	true
Is dropped:	false
PID:	3720
Target ID:	5
Parent PID:	6916
Name:	reg.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\reg.exe
Commandline:	reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Size:	59392
MD5:	CDD462E86EC0F20DE2A1D781928B1B0C
Time:	10:17:11
Date:	26/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xe20000
Modulesize:	335872
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Uses reg.exe to modify the Windows registry	System Summary	Modify Registry
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\blockcomwinsavescrt\jwlZX38GInff6rIBqWRHehXwajI.bat" "

Details

Is windows:	true
Is dropped:	false
PID:	6916
Target ID:	2
Parent PID:	6552
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\blockcomwinsavescrt\jwlZX38GInff6rIBqWRHehXwajI.bat" "
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	10:17:08
Date:	26/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Executes batch files	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6960
Target ID:	3
Parent PID:	6916
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	10:17:08
Date:	26/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://ip-api.com/line/?fields=hosting

208.95.112.1

Details

Name:	http://ip-api.com/line/?fields=hosting
IP:	208.95.112.1
TargetID:	4
From Memory:	false
Current Path:	C:\blockcomwinsavescrt\containercomponentSaves.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking

http://ip-api.com

unknown

Details

Name:	http://ip-api.com
TargetID:	4
From Memory:	true
Current Path:	C:\blockcomwinsavescrt\containercomponentSaves.exe
Source:	containercomponentSaves.exe, 00000004.00000002.1832051997.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, containercomponentSaves.exe, 00000004.00000002.1832051997.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, containercomponentSaves.exe, 00000004.00000002.1832051997.00000000030BE000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Check if machine is in data center or colocation facility	Malware Analysis System Evasion	Security Software Discovery
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

fp2e7a.wpc.phicdn.net

192.229.221.95

IPs

Domain

Country

Malicious

208.95.112.1

ip-api.com

United States

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

DisableTaskMgr

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

LangID

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\Windows\System32\WScript.exe.FriendlyAppName

HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

C:\Windows\System32\WScript.exe.ApplicationCompany

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\containercomponentSaves_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\containercomponentSaves_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\containercomponentSaves_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\containercomponentSaves_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\containercomponentSaves_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\containercomponentSaves_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\containercomponentSaves_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\containercomponentSaves_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\containercomponentSaves_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\containercomponentSaves_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\containercomponentSaves_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\containercomponentSaves_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\containercomponentSaves_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\containercomponentSaves_RASMANCS

FileDirectory

There are 8 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

13067000

trusted library allocation

page read and write

2F11000

trusted library allocation

page read and write

2F59000

heap

page read and write

2EBD000

stack

page read and write

55FC000

stack

page read and write

4D30000

heap

page read and write

5140000

heap

page read and write

529E000

stack

page read and write

2AFB000

stack

page read and write

12F11000

trusted library allocation

page read and write

7FFD9B91C000

trusted library allocation

page execute and read and write

2F2A000

heap

page read and write

1C3EE000

stack

page read and write

2C92000

heap

page read and write

5247000

heap

page read and write

53DE000

stack

page read and write

2FBA000

heap

page read and write

7FFD9B8D3000

trusted library allocation

page read and write

5130000

heap

page read and write

6900000

trusted library allocation

page read and write

2F46000

heap

page read and write

2FCC000

heap

page read and write

7FFD9BAF0000

trusted library allocation

page execute and read and write

71FE000

stack

page read and write

580B000

stack

page read and write

56CE000

stack

page read and write

133000

unkown

page readonly

30B8000

trusted library allocation

page read and write

2C80000

heap

page read and write

314A000

heap

page read and write

1B49D000

stack

page read and write

2CD7000

heap

page read and write

2C8F000

heap

page read and write

2CFC000

heap

page read and write

2B76000

stack

page read and write

31BE000

stack

page read and write

1C4EE000

stack

page read and write

7FFD9B8E0000

trusted library allocation

page read and write

3310000

heap

page read and write

100000

unkown

page readonly

7FFD9BA6A000

trusted library allocation

page read and write

7FFD9B8C2000

trusted library allocation

page read and write

2B99000

stack

page read and write

7FFD9B97C000

trusted library allocation

page execute and read and write

2C00000

heap

page read and write

2D50000

trusted library allocation

page read and write

32D0000

heap

page read and write

7FFD9B8DD000

trusted library allocation

page execute and read and write

2F0F000

stack

page read and write

2CA1000

heap

page read and write

2E20000

heap

page readonly

2CB7000

heap

page read and write

32BE000

stack

page read and write

32D8000

heap

page read and write

7FFD9B976000

trusted library allocation

page read and write

3140000

heap

page read and write

100000

unkown

page readonly

2CAF000

heap

page read and write

162000

unkown

page write copy

7FFD9B8E4000

trusted library allocation

page read and write

2CA1000

heap

page read and write

557E000

stack

page read and write

30AE000

trusted library allocation

page read and write

2C50000

heap

page read and write

2E10000

heap

page read and write

7FFD9BA70000

trusted library allocation

page read and write

C10000

unkown

page readonly

2D90000

trusted library allocation

page read and write

2FAF000

heap

page read and write

131D3000

trusted library allocation

page read and write

11D4000

heap

page read and write

2FCC000

heap

page read and write

1A7000

unkown

page readonly

2CB6000

heap

page read and write

7FFD9B8ED000

trusted library allocation

page execute and read and write

2FAF000

heap

page read and write

2DB0000

heap

page execute and read and write

7FFD9B8EB000

trusted library allocation

page execute and read and write

1B840000

trusted library section

page read and write

32DB000

heap

page read and write

2C97000

heap

page read and write

1BD83000

stack

page read and write

2C9D000

heap

page read and write

2E9D000

stack

page read and write

1175000

heap

page read and write

2FCC000

heap

page read and write

11A1000

heap

page read and write

162000

unkown

page readonly

2B93000

stack

page read and write

1B883000

heap

page execute and read and write

72FE000

stack

page read and write

1201000

heap

page read and write

2F26000

heap

page read and write

7FFD9B8C3000

trusted library allocation

page execute and read and write

10F6000

stack

page read and write

2E30000

heap

page read and write

1BA8F000

stack

page read and write

2F29000

heap

page read and write

2FB1000

heap

page read and write

7FFD9B980000

trusted library allocation

page execute and read and write

4FFA000

trusted library allocation

page read and write

6903000

heap

page read and write

2B9E000

stack

page read and write

2CC1000

heap

page read and write

2FF0000

heap

page read and write

1B98E000

stack

page read and write

2B86000

stack

page read and write

4FEF000

stack

page read and write

12F21000

trusted library allocation

page read and write

7FFD9BA63000

trusted library allocation

page read and write

5246000

heap

page read and write

1BC8A000

stack

page read and write

1C0AF000

stack

page read and write

1360000

heap

page read and write

55BE000

stack

page read and write

2FBA000

heap

page read and write

2F16000

heap

page read and write

4FB0000

heap

page read and write

2F2D000

heap

page read and write

2CAA000

heap

page read and write

2F81000

heap

page read and write

2CD7000

heap

page read and write

30BE000

trusted library allocation

page read and write

2FCC000

heap

page read and write

2C94000

heap

page read and write

2CD7000

heap

page read and write

1BF90000

heap

page execute and read and write

2C78000

heap

page read and write

2CA0000

heap

page read and write

2CC0000

heap

page read and write

2CAE000

heap

page read and write

2F1D000

heap

page read and write

7FFD9B9A6000

trusted library allocation

page execute and read and write

7FFD9B8CD000

trusted library allocation

page execute and read and write

4FB4000

heap

page read and write

2EDE000

stack

page read and write

3370000

heap

page read and write

1C5ED000

stack

page read and write

2C8E000

heap

page read and write

7FFD9B9E0000

trusted library allocation

page execute and read and write

2B5E000

stack

page read and write

2CB4000

heap

page read and write

2FAF000

heap

page read and write

5000000

heap

page read and write

2F2E000

heap

page read and write

2C71000

heap

page read and write

2F1E000

heap

page read and write

6904000

heap

page read and write

2F46000

heap

page read and write

2CBE000

heap

page read and write

7FFD9BA8B000

trusted library allocation

page read and write

2E00000

heap

page read and write

7FFD9BA90000

trusted library allocation

page read and write

52C7000

heap

page read and write

2FB1000

heap

page read and write

7FF434ED0000

trusted library allocation

page execute and read and write

1110000

heap

page read and write

2F5D000

heap

page read and write

2C9B000

heap

page read and write

7FFD9BAB0000

trusted library allocation

page read and write

7300000

heap

page read and write

75FC000

stack

page read and write

2CA2000

heap

page read and write

2B7C000

stack

page read and write

2C98000

heap

page read and write

3580000

heap

page read and write

12F1D000

trusted library allocation

page read and write

7FFD9B8C4000

trusted library allocation

page read and write

159E000

stack

page read and write

1AF40000

trusted library allocation

page read and write

2FBA000

heap

page read and write

1390000

heap

page read and write

E1D000

stack

page read and write

27AB000

stack

page read and write

2BA0000

heap

page read and write

5245000

heap

page read and write

2EF8000

heap

page read and write

2CD7000

heap

page read and write

1160000

heap

page read and write

2E50000

heap

page read and write

2C78000

heap

page read and write

7FFD9BA6C000

trusted library allocation

page read and write

5680000

heap

page read and write

2C9E000

heap

page read and write

2C70000

heap

page read and write

2B10000

heap

page read and write

2FB1000

heap

page read and write

1394000

heap

page read and write

7FFD9BA83000

trusted library allocation

page read and write

1BEA7000

heap

page read and write

1375D000

trusted library allocation

page read and write

2CC0000

heap

page read and write

7FFD9BAA0000

trusted library allocation

page read and write

2CAD000

heap

page read and write

2F1F000

heap

page read and write

2CB9000

heap

page read and write

7FFD9BAE0000

trusted library allocation

page execute and read and write

2CB0000

heap

page read and write

D7C000

unkown

page readonly

2F5D000

heap

page read and write

7FFD9B8D7000

trusted library allocation

page read and write

1130000

heap

page read and write

2F46000

heap

page read and write

1BE8E000

stack

page read and write

4F90000

heap

page read and write

161000

unkown

page read and write

2F81000

trusted library allocation

page read and write

2FB1000

heap

page read and write

11A3000

heap

page read and write

2F6E000

stack

page read and write

2CB9000

heap

page read and write

2F2D000

heap

page read and write

133000

unkown

page readonly

2CB9000

heap

page read and write

2C93000

heap

page read and write

2B6C000

stack

page read and write

7FFD9B970000

trusted library allocation

page read and write

13E000

unkown

page read and write

52DE000

stack

page read and write

2CD7000

heap

page read and write

1B880000

heap

page execute and read and write

149E000

stack

page read and write

2FBA000

heap

page read and write

2FBA000

heap

page read and write

2FBA000

heap

page read and write

4D9E000

stack

page read and write

2FB1000

heap

page read and write

2FEE000

stack

page read and write

D80000

unkown

page readonly

2F46000

heap

page read and write

2FAF000

heap

page read and write

301E000

stack

page read and write

524B000

heap

page read and write

4FE1000

trusted library allocation

page read and write

57CF000

stack

page read and write

558D000

stack

page read and write

1217000

heap

page read and write

2FB1000

heap

page read and write

2C99000

heap

page read and write

2BA2000

stack

page read and write

4EEE000

stack

page read and write

2EF0000

heap

page read and write

1A7000

unkown

page readonly

3378000

heap

page read and write

7FFD9B8DC000

trusted library allocation

page read and write

11CD000

heap

page read and write

2F1F000

stack

page read and write

101000

unkown

page execute read

2CB7000

heap

page read and write

2CC0000

heap

page read and write

2FAF000

stack

page read and write

2BD5000

heap

page read and write

4E9F000

stack

page read and write

13E000

unkown

page write copy

1380000

trusted library allocation

page read and write

2C95000

heap

page read and write

2D70000

heap

page read and write

5247000

heap

page read and write

2CD7000

heap

page read and write

2C58000

heap

page read and write

2FCC000

heap

page read and write

7FFD9BAC0000

trusted library allocation

page read and write

553E000

stack

page read and write

2F29000

heap

page read and write

101000

unkown

page execute read

5120000

heap

page read and write

7FFD9BA80000

trusted library allocation

page read and write

2BD0000

heap

page read and write

2FCC000

heap

page read and write

2F5D000

heap

page read and write

144000

unkown

page read and write

11CB000

heap

page read and write

2F20000

heap

page read and write

2B97000

stack

page read and write

1364000

heap

page read and write

163000

unkown

page readonly

2CA0000

heap

page read and write

136E3000

trusted library allocation

page read and write

2BAA000

stack

page read and write

2F29000

heap

page read and write

568E000

stack

page read and write

2CB9000

heap

page read and write

7FFD9BAD0000

trusted library allocation

page execute and read and write

2FAF000

heap

page read and write

1100000

heap

page read and write

2F29000

heap

page read and write

2F19000

heap

page read and write

7FFD9BA60000

trusted library allocation

page read and write

6984000

heap

page read and write

C12000

unkown

page readonly

2CD7000

heap

page read and write

74FF000

stack

page read and write

2E55000

heap

page read and write

3092000

trusted library allocation

page read and write

1C1AD000

stack

page read and write

1BB8E000

stack

page read and write

1BEEF000

heap

page read and write

1330000

heap

page read and write

2AA6000

stack

page read and write

330F000

stack

page read and write

2C95000

heap

page read and write

2B80000

stack

page read and write

5130000

trusted library allocation

page read and write

590C000

stack

page read and write

C10000

unkown

page readonly

7FFD9B8C0000

trusted library allocation

page read and write

519E000

stack

page read and write

1BE90000

heap

page read and write

There are 298 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
loader.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportloader.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
loader.exe