Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.948510198481033
Filename:	file.exe
Filesize:	1867264
MD5:	1f86f024aab58f1a3bbf5ab885147c67
SHA1:	76680e942c19202d5be25982006cca605ab3f5ae
SHA256:	3953c038a10f97b1ca541b55eeb78c7924ab8acc2ec4c85923e176c467c6ea45
SHA512:	f7b91a1b3f72914a1977387a16d6776aaa67f3ddf9814fb30d05f0043fab0bdac3f93f01bf9ee7d304dcac6a9b3c9f46a0055c3fc63d3fc8bd81b7779ce7f124
SSDEEP:	49152:UIYP6l8PmdkoIK6usE9dqzbnmfNmoDfy40GofrlpGoivcN9s:UIPy4koIjut9dWbmlmojmlp0c7
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...9$.g...........

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation
Found malware configuration	AV Detection
Hides threads from debuggers	Anti Debugging
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)	Boot Survival
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion
Tries to detect sandboxes and other dynamic analysis tools (window names)	Anti Debugging	Virtualization/Sandbox Evasion Security Software Discovery
Tries to detect virtualization through RDTSC time measurements	Malware Analysis System Evasion
Tries to evade debugger and weak emulator (self modifying code)	Malware Analysis System Evasion
Checks for debuggers (devices)	Anti Debugging
Checks if the current process is being debugged	Anti Debugging
Contains capabilities to detect virtual machines	Malware Analysis System Evasion
One or more processes crash	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection	System Information Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Queries a list of all running drivers	Malware Analysis System Evasion
Queries a list of all running processes	Malware Analysis System Evasion
Reads software policies	System Summary
Sample might require command line arguments	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_5491e479b4ed026ea3ae7865ed22a89a0229910_7cc2f8af_1f5dda52-8896-4efc-a3ca-7793fbf9a5dc\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_5491e479b4ed026ea3ae7865ed22a89a0229910_7cc2f8af_1f5dda52-8896-4efc-a3ca-7793fbf9a5dc\Report.wer
Category:	dropped
Dump:	Report.wer.6.dr
ID:	dr_3
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.9492942125235141
Encrypted:	false
Ssdeep:	192:zWztb8vlPlN0BU/b03juCZr+dozuiFqZ24IO8ThB:6EldOBU/wjWqzuiFqY4IO8L
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WERED83.tmp.dmp

Mini DuMP crash report, 14 streams, Sun Oct 27 15:04:20 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERED83.tmp.dmp
Category:	dropped
Dump:	WERED83.tmp.dmp.6.dr
ID:	dr_0
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 14 streams, Sun Oct 27 15:04:20 2024, 0x1205a4 type
Entropy:	1.275683749548104
Encrypted:	false
Ssdeep:	384:T1CyzHeEnzv/9ZO/qQdne0GIQ8zxm6n/VxZWSAd5FwgABq1SlszEb:5xzHeEz/XO/HdneAHlmsxZPKgM1vo
Size:	284068
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF0B.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF0B.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WEREF0B.tmp.WERInternalMetadata.xml.6.dr
ID:	dr_1
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.6936749070501076
Encrypted:	false
Ssdeep:	192:R6l7wVeJ8CT6R6Y2D9SU9D1GgmfBrhprZ89b4SsfEvom:R6lXJ36R6YwSU9Qgmf9K4Rfi
Size:	8324
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF5A.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF5A.tmp.xml
Category:	dropped
Dump:	WEREF5A.tmp.xml.6.dr
ID:	dr_2
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.434437229251178
Encrypted:	false
Ssdeep:	48:cvIwWl8zsstJg77aI99KWpW8VYZYm8M4JgeFejP+q8SJ/fEId:uIjfSI73r7VhJYZ/fEId
Size:	4558
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.6.dr
ID:	dr_4
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.468438001661628
Encrypted:	false
Ssdeep:	6144:WzZfpi6ceLPx9skLmb0foZWSP3aJG8nAgeiJRMMhA2zX4WABluuNbjDH5S:4ZHtoZWOKnMM6bFp9j4
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2732
Target ID:	0
Parent PID:	4004
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	1867264
MD5:	1F86F024AAB58F1A3BBF5AB885147C67
Time:	11:04:02
Date:	27/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x20000
Modulesize:	6991872
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected Stealc	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1492

Details

Is windows:	true
Is dropped:	false
PID:	616
Target ID:	6
Parent PID:	2732
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1492
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	11:04:19
Date:	27/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x580000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://185.215.113.206/

185.215.113.206

Details

Name:	http://185.215.113.206/
IP:	185.215.113.206
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\file.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
IP address seen in connection with other malware	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

http://185.215.113.206

unknown

Details

Name:	http://185.215.113.206
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\file.exe
Source:	file.exe, 00000000.00000002.2393169088.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

http://185.215.113.206/e2b1563c6670f193.php

Details

Name:	http://185.215.113.206/e2b1563c6670f193.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\file.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://185.215.113.206/p

unknown

http://upx.sf.net

unknown

http://185.215.113.206/t

unknown

IPs

Domain

Country

Malicious

185.215.113.206

unknown

Portugal

Details

IP:	185.215.113.206
TargetID:	0
Current Path:	C:\Users\user\Desktop\file.exe
Country:	Portugal
Countrycode:	PRT
ASN number:	206894
ASN name:	WHOLESALECONNECTIONSNL
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

\REGISTRY\A\{1670e989-fd9b-c21c-3c4d-db35610d1832}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

ProgramId

\REGISTRY\A\{1670e989-fd9b-c21c-3c4d-db35610d1832}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

FileId

\REGISTRY\A\{1670e989-fd9b-c21c-3c4d-db35610d1832}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

LowerCaseLongPath

\REGISTRY\A\{1670e989-fd9b-c21c-3c4d-db35610d1832}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

LongPathHash

\REGISTRY\A\{1670e989-fd9b-c21c-3c4d-db35610d1832}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

Name

\REGISTRY\A\{1670e989-fd9b-c21c-3c4d-db35610d1832}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

OriginalFileName

\REGISTRY\A\{1670e989-fd9b-c21c-3c4d-db35610d1832}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

Publisher

\REGISTRY\A\{1670e989-fd9b-c21c-3c4d-db35610d1832}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

Version

\REGISTRY\A\{1670e989-fd9b-c21c-3c4d-db35610d1832}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

BinFileVersion

\REGISTRY\A\{1670e989-fd9b-c21c-3c4d-db35610d1832}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

BinaryType

\REGISTRY\A\{1670e989-fd9b-c21c-3c4d-db35610d1832}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

ProductName

\REGISTRY\A\{1670e989-fd9b-c21c-3c4d-db35610d1832}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

ProductVersion

\REGISTRY\A\{1670e989-fd9b-c21c-3c4d-db35610d1832}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

LinkDate

\REGISTRY\A\{1670e989-fd9b-c21c-3c4d-db35610d1832}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

BinProductVersion

\REGISTRY\A\{1670e989-fd9b-c21c-3c4d-db35610d1832}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

AppxPackageFullName

\REGISTRY\A\{1670e989-fd9b-c21c-3c4d-db35610d1832}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

AppxPackageRelativeId

\REGISTRY\A\{1670e989-fd9b-c21c-3c4d-db35610d1832}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

Size

\REGISTRY\A\{1670e989-fd9b-c21c-3c4d-db35610d1832}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

Language

\REGISTRY\A\{1670e989-fd9b-c21c-3c4d-db35610d1832}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0

Usn

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceTicket

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

ApplicationFlags

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property

0018000DDABBE6B3

There are 13 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

BA000

unkown

page execute and read and write

21000

unkown

page execute and read and write

49F0000

direct allocation

page read and write

BB8000

heap

page read and write

37BE000

stack

page read and write

288B000

stack

page read and write

41BE000

stack

page read and write

28E0000

direct allocation

page read and write

A5000

unkown

page execute and read and write

29FF000

stack

page read and write

4561000

heap

page read and write

6C8000

unkown

page execute and write copy

4561000

heap

page read and write

4561000

heap

page read and write

4561000

heap

page read and write

28FB000

heap

page read and write

28E0000

direct allocation

page read and write

3DFE000

stack

page read and write

4561000

heap

page read and write

4561000

heap

page read and write

4561000

heap

page read and write

4561000

heap

page read and write

32BE000

stack

page read and write

4561000

heap

page read and write

2C7E000

stack

page read and write

27E000

unkown

page execute and read and write

34FF000

stack

page read and write

28E0000

direct allocation

page read and write

BF8000

heap

page read and write

363F000

stack

page read and write

3C7E000

stack

page read and write

4561000

heap

page read and write

3DBF000

stack

page read and write

28CE000

stack

page read and write

4561000

heap

page read and write

AFE000

stack

page read and write

2FFF000

stack

page read and write

4561000

heap

page read and write

42FE000

stack

page read and write

1D130000

trusted library allocation

page read and write

4561000

heap

page read and write

4561000

heap

page read and write

B3E000

stack

page read and write

3CBE000

stack

page read and write

1CBBF000

stack

page read and write

4B70000

direct allocation

page execute and read and write

327F000

stack

page read and write

2DBE000

stack

page read and write

4561000

heap

page read and write

43FF000

stack

page read and write

407E000

stack

page read and write

4A2C000

stack

page read and write

4561000

heap

page read and write

4561000

heap

page read and write

4570000

heap

page read and write

B85000

heap

page read and write

28E0000

direct allocation

page read and write

4561000

heap

page read and write

4561000

heap

page read and write

443E000

stack

page read and write

417F000

stack

page read and write

4561000

heap

page read and write

4561000

heap

page read and write

4561000

heap

page read and write

4561000

heap

page read and write

4561000

heap

page read and write

4561000

heap

page read and write

453F000

stack

page read and write

4561000

heap

page read and write

4561000

heap

page read and write

C14000

heap

page read and write

4561000

heap

page read and write

4B7E000

stack

page read and write

4561000

heap

page read and write

4561000

heap

page read and write

28E0000

direct allocation

page read and write

4561000

heap

page read and write

4561000

heap

page read and write

20000

unkown

page read and write

1CD2F000

stack

page read and write

38BF000

stack

page read and write

317E000

stack

page read and write

4561000

heap

page read and write

20000

unkown

page readonly

3B7E000

stack

page read and write

4561000

heap

page read and write

4561000

heap

page read and write

21000

unkown

page execute and write copy

4561000

heap

page read and write

4561000

heap

page read and write

1CA7F000

stack

page read and write

B80000

heap

page read and write

28F0000

heap

page read and write

4561000

heap

page read and write

F5E000

stack

page read and write

4561000

heap

page read and write

4561000

heap

page read and write

4561000

heap

page read and write

274E000

stack

page read and write

2EFE000

stack

page read and write

49F0000

direct allocation

page read and write

AF000

unkown

page execute and read and write

4EB000

unkown

page execute and read and write

4561000

heap

page read and write

4561000

heap

page read and write

42BF000

stack

page read and write

4B70000

direct allocation

page execute and read and write

377F000

stack

page read and write

1C93F000

stack

page read and write

4BA0000

direct allocation

page execute and read and write

4580000

heap

page read and write

4561000

heap

page read and write

284F000

stack

page read and write

7B0000

heap

page read and write

A8000

unkown

page execute and read and write

75C000

stack

page read and write

4660000

trusted library allocation

page read and write

B9E000

heap

page read and write

4561000

heap

page read and write

353E000

stack

page read and write

3A3E000

stack

page read and write

4561000

heap

page read and write

4561000

heap

page read and write

3EFF000

stack

page read and write

525000

unkown

page execute and read and write

1CEAE000

stack

page read and write

4561000

heap

page read and write

39FF000

stack

page read and write

403F000

stack

page read and write

4561000

heap

page read and write

B90000

heap

page read and write

21000

unkown

page execute and write copy

4561000

heap

page read and write

4561000

heap

page read and write

4561000

heap

page read and write

4561000

heap

page read and write

33BF000

stack

page read and write

4561000

heap

page read and write

28E0000

direct allocation

page read and write

BE0000

heap

page read and write

4561000

heap

page read and write

406000

unkown

page execute and read and write

4561000

heap

page read and write

4561000

heap

page read and write

525000

unkown

page execute and write copy

26A000

unkown

page execute and read and write

49F0000

direct allocation

page read and write

4540000

heap

page read and write

515000

unkown

page execute and read and write

303E000

stack

page read and write

4561000

heap

page read and write

7C0000

heap

page read and write

6C7000

unkown

page execute and read and write

28E0000

direct allocation

page read and write

4B90000

direct allocation

page execute and read and write

28E0000

direct allocation

page read and write

28E0000

direct allocation

page read and write

367E000

stack

page read and write

526000

unkown

page execute and write copy

1C97E000

stack

page read and write

BB3000

heap

page read and write

4561000

heap

page read and write

28E0000

direct allocation

page read and write

7A000

unkown

page execute and read and write

4561000

heap

page read and write

2C3F000

stack

page read and write

B7E000

stack

page read and write

28E0000

direct allocation

page read and write

3B3F000

stack

page read and write

B9A000

heap

page read and write

33FE000

stack

page read and write

4B2F000

stack

page read and write

1CE6D000

stack

page read and write

4561000

heap

page read and write

4561000

heap

page read and write

2B3E000

stack

page read and write

82000

unkown

page execute and read and write

4561000

heap

page read and write

1CABE000

stack

page read and write

50E000

unkown

page execute and read and write

AF5000

stack

page read and write

4561000

heap

page read and write

3F3E000

stack

page read and write

4561000

heap

page read and write

4B40000

direct allocation

page execute and read and write

1CFAC000

stack

page read and write

2EBF000

stack

page read and write

4561000

heap

page read and write

4561000

heap

page read and write

28D0000

heap

page read and write

C04000

heap

page read and write

28E0000

direct allocation

page read and write

1D013000

heap

page read and write

E5E000

stack

page read and write

4560000

heap

page read and write

2AFF000

stack

page read and write

4561000

heap

page read and write

1CD6D000

stack

page read and write

38FE000

stack

page read and write

2D7F000

stack

page read and write

313F000

stack

page read and write

4B50000

direct allocation

page execute and read and write

4B80000

direct allocation

page execute and read and write

28E0000

direct allocation

page read and write

4561000

heap

page read and write

4561000

heap

page read and write

BE3000

heap

page read and write

1CC2E000

stack

page read and write

4561000

heap

page read and write

4B60000

direct allocation

page execute and read and write

28E0000

direct allocation

page read and write

28F7000

heap

page read and write

4561000

heap

page read and write

There are 203 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
file.exe