Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

leg#U00edvel9931-009-140.08372236.exe

PE32+ executable (GUI) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	7.344961274463145
Filename:	leg#U00edvel9931-009-140.08372236.exe
Filesize:	11252752
MD5:	f8720f77959acda03bd5b2b4a3698848
SHA1:	1ea4f348e20d35774a7db6a89c3d8fc274a9892b
SHA256:	a8ba8a7be8a404f6398c3b3d5a3788f9e513210d0732fd5b0ffebc44af58de8b
SHA512:	624aea439e3241ce67c8e4ce021cfd42e23671bb8fd0d329ef3032ab75c50ab87ede302425e6e949fb16a7760716fcba293924ee7ed94a9f8673606280dbb4fa
SSDEEP:	196608:mMs70enJyd/wXY/rKQDM+vwmDUfm20Rmz8Bm:mf02awozDsmDrm4Bm
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........0x......."......,'..........?........@..............................p............`... ............................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Uses shutdown.exe to shutdown or reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
PE file contains more sections than normal	System Summary	Access Token Manipulation
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Native API
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation Security Software Discovery
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Native API Software Packing
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder Access Token Manipulation File and Directory Discovery
Creates files inside the user directory	System Summary	Masquerading
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample might require command line arguments	System Summary	Access Token Manipulation Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe (copy)

PE32+ executable (GUI) x86-64, for MS Windows

dropped

Details

File:	C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe (copy)
Category:	dropped
Dump:	ClassicIE_64.exe.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe
Type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	5.912660682474699
Encrypted:	false
Ssdeep:	1536:OSz4xjHKQ9M2Q2ejqU0Fe/jPbnKaKlyXdWRpew3Wvv7dgKwd9nxCC:OSz4xjHK12QmPM/jPRXd0pOvv7uCC
Size:	103736
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Contains functionality to inject threads in other processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Abnormal high CPU Usage	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to record screenshots	Key, Mouse, Clipboard, Microphone and Screen Capturing	Screen Capture
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to modify the execution of threads in other processes
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Information Discovery System Time Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Program exit points	Malware Analysis System Evasion
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery Windows Management Instrumentation
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary

C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\ClassicIEDLL_64.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

Details

File:	C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\ClassicIEDLL_64.dll
Category:	dropped
Dump:	ClassicIEDLL_64.dll.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe
Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy:	6.173033180688752
Encrypted:	false
Ssdeep:	3072:ivClsW5twkJ42oa4iVYga9k47hA5sgXiOHPGkdleCLYI/jysM+S/J1Sf:eC8nFiVYNkAhA2HOvNDLEzS
Size:	223232
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\ClassicIE_64.exe

PE32+ executable (GUI) x86-64, for MS Windows

dropped

Details

File:	C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\ClassicIE_64.exe
Category:	dropped
Dump:	ClassicIE_64.exe.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe
Type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	5.912660682474699
Encrypted:	false
Ssdeep:	1536:OSz4xjHKQ9M2Q2ejqU0Fe/jPbnKaKlyXdWRpew3Wvv7dgKwd9nxCC:OSz4xjHK12QmPM/jPRXd0pOvv7uCC
Size:	103736
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\FrontendCybersecurity.json

data

dropped

Details

File:	C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\FrontendCybersecurity.json
Category:	dropped
Dump:	FrontendCybersecurity.json.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe
Type:	data
Entropy:	6.400963745231183
Encrypted:	false
Ssdeep:	12288:h1R0xeIhP4vZt8T9Hh3M5hUntpngB3v1a6TIGWVLWirPZ:rvIhP4vZtQzngB3v1a6T9WMQPZ
Size:	570368
Whitelisted:	false
Reputation:	timeout

C:\Users\user\Microsoft.NET\netframework4.7\version\ng3DJyCjjqIdyv.zip

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

Details

File:	C:\Users\user\Microsoft.NET\netframework4.7\version\ng3DJyCjjqIdyv.zip
Category:	dropped
Dump:	ng3DJyCjjqIdyv.zip.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe
Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy:	7.995895056783209
Encrypted:	true
Ssdeep:	12288:YID6e1Y6tF28FBBp7aFrSL/9b50zWPFQP3QM2dAu4:YIDPXkIBAsT15nPFQPA4
Size:	440438
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery

\Device\Null

ASCII text

dropped

Details

File:	\Device\Null
Category:	dropped
Dump:	Null.4.dr
ID:	dr_5
Target ID:	4
Process:	C:\Windows\System32\shutdown.exe
Type:	ASCII text
Entropy:	3.5585186130489066
Encrypted:	false
Ssdeep:	3:PgCu35QMvn:4H5Zvn
Size:	21
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe

"C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7120
Target ID:	0
Parent PID:	2580
Name:	leg#U00edvel9931-009-140.08372236.exe
Path:	C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe
Commandline:	"C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe"
Size:	11252752
MD5:	F8720F77959ACDA03BD5B2B4A3698848
Time:	05:12:59
Date:	25/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x720000
Modulesize:	8613888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Suspicious Execution of Shutdown	System Summary
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\shutdown.exe

shutdown /r /t 30

Details

Is windows:	true
Is dropped:	false
PID:	6540
Target ID:	4
Parent PID:	7120
Name:	shutdown.exe
Path:	C:\Windows\System32\shutdown.exe
Commandline:	shutdown /r /t 30
Size:	28160
MD5:	F2A4E18DA72BB2C5B21076A5DE382A20
Time:	05:13:25
Date:	25/11/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6dbc80000
Modulesize:	53248
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Uses shutdown.exe to shutdown or reboot the system	System Summary	System Shutdown/Reboot
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Execution of Shutdown	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe

"C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe"

Details

Is windows:	true
Is dropped:	false
PID:	2056
Target ID:	6
Parent PID:	2580
Name:	8pIuMUYQX9q.exe
Path:	C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe
Commandline:	"C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe"
Size:	103736
MD5:	CCCA2C0E6653506652437868D1049817
Time:	05:13:36
Date:	25/11/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6b40a0000
Modulesize:	126976
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Dropped file seen in connection with other malware	System Summary
Drops PE files	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe

"C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe"

Details

Is windows:	true
Is dropped:	false
PID:	2124
Target ID:	7
Parent PID:	2580
Name:	8pIuMUYQX9q.exe
Path:	C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe
Commandline:	"C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe"
Size:	103736
MD5:	CCCA2C0E6653506652437868D1049817
Time:	05:13:44
Date:	25/11/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6b40a0000
Modulesize:	126976
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Dropped file seen in connection with other malware	System Summary
Drops PE files	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6300
Target ID:	5
Parent PID:	6540
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	05:13:25
Date:	25/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff70f330000
Modulesize:	36864
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://panternol.com/backup/arqREQUEST_METHODpanternol.comiphlpapi.dll

unknown

http://www.winimage.com/zLibDll

unknown

Details

Name:	http://www.winimage.com/zLibDll
TargetID:	6
From Memory:	true
Current Path:	C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe
Source:	8pIuMUYQX9q.exe, 00000006.00000002.4145409860.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000006.00000002.4146358786.0000000002220000.00000004.00000020.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000007.00000002.4145308802.0000000001398000.00000004.00000020.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000007.00000002.4145573879.0000000002FA0000.00000004.00000020.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000007.00000002.4145788826.0000000180064000.00000002.00001000.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://GODEBUGhttps://panterno1.1.1.1

unknown

https://panternol.com/backup/arqR

unknown

https://panterno1.1.1.1

unknown

http://www.winimage.com/zLibDll1.3.1rbr

unknown

Details

Name:	http://www.winimage.com/zLibDll1.3.1rbr
TargetID:	6
From Memory:	true
Current Path:	C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe
Source:	8pIuMUYQX9q.exe, 00000006.00000002.4145409860.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000006.00000002.4146358786.0000000002220000.00000004.00000020.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000007.00000002.4145308802.0000000001398000.00000004.00000020.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000007.00000002.4145573879.0000000002FA0000.00000004.00000020.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000007.00000002.4145788826.0000000180064000.00000002.00001000.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://panternol.com/backup/arquivo1.zip

34.95.207.248

https://panternol.com/cacher/https://panternol.com/cacher/panternol.com

unknown

https://panternol.com/cacher/

34.95.207.248

Domains

Name

Malicious

panternol.com

34.95.207.248

Details

Name:	panternol.com
IP:	34.95.207.248
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

34.95.207.248

panternol.com

United States

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

ng3DJyCjjqIdyv

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	ng3DJyCjjqIdyv
Value data:	C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

Memdumps

Base Address

Regiontype

Protect

Malicious

C00007A000

direct allocation

page read and write

180001000

direct allocation

page execute read

578000

heap

page read and write

C000228000

direct allocation

page read and write

D4A000

unkown

page readonly

7FF6B40B3000

unkown

page readonly

261F000

stack

page read and write

7FF6B40B3000

unkown

page readonly

7FF6B40A1000

unkown

page execute read

C00002A000

direct allocation

page read and write

C0000E6000

direct allocation

page read and write

7FF6B40A0000

unkown

page readonly

C0001E0000

direct allocation

page read and write

232E76F3000

direct allocation

page read and write

C00000E000

direct allocation

page read and write

C23000

unkown

page write copy

243D4AC0000

heap

page read and write

720000

unkown

page readonly

C000104000

direct allocation

page read and write

994000

unkown

page readonly

C000198000

direct allocation

page read and write

58A000

heap

page read and write

C00019C000

direct allocation

page read and write

C000262000

direct allocation

page read and write

C0001A0000

direct allocation

page read and write

13B4000

heap

page read and write

C0000D6000

direct allocation

page read and write

21F3000

heap

page read and write

232A23B0000

heap

page read and write

C000200000

direct allocation

page read and write

67B7DFE000

stack

page read and write

243D4AE4000

heap

page read and write

C000274000

direct allocation

page read and write

243D4AE1000

heap

page read and write

C000112000

direct allocation

page read and write

21DD000

heap

page read and write

7FFE1A534000

unkown

page readonly

C0000E0000

direct allocation

page read and write

C00027E000

direct allocation

page read and write

7FF6B40AF000

unkown

page write copy

C5E000

unkown

page read and write

C0000FE000

direct allocation

page read and write

EEE000

unkown

page readonly

587000

heap

page read and write

4B0000

heap

page read and write

243D4E40000

heap

page read and write

C000041000

direct allocation

page read and write

701F47F000

stack

page read and write

7FF6B40AB000

unkown

page readonly

C000082000

direct allocation

page read and write

460000

heap

page read and write

C000094000

direct allocation

page read and write

C000022000

direct allocation

page read and write

C4E000

unkown

page read and write

67B6FFC000

stack

page read and write

C000002000

direct allocation

page read and write

2CAD000

stack

page read and write

C00009A000

direct allocation

page read and write

22CA000

heap

page read and write

C000241000

direct allocation

page read and write

1300000

heap

page read and write

232E76D0000

heap

page read and write

16C000

stack

page read and write

C000008000

direct allocation

page read and write

7FF6B40A0000

unkown

page readonly

232A2407000

heap

page read and write

C00006E000

direct allocation

page read and write

232E7940000

heap

page read and write

180085000

direct allocation

page read and write

721000

unkown

page execute read

243D4E45000

heap

page read and write

463000

heap

page read and write

C00006A000

direct allocation

page read and write

211D000

stack

page read and write

C00000A000

direct allocation

page read and write

C000076000

direct allocation

page read and write

1398000

heap

page read and write

FAC000

stack

page read and write

CA7000

unkown

page read and write

C0000F0000

direct allocation

page read and write

C000046000

direct allocation

page read and write

C000004000

direct allocation

page read and write

21F1000

heap

page read and write

C00002E000

direct allocation

page read and write

232A2405000

heap

page read and write

C0000BC000

direct allocation

page read and write

58E000

heap

page read and write

C000236000

direct allocation

page read and write

180000000

direct allocation

page read and write

C000222000

direct allocation

page read and write

C00002C000

direct allocation

page read and write

C80000

unkown

page read and write

67B71FE000

stack

page read and write

C000280000

direct allocation

page read and write

C0000C2000

direct allocation

page read and write

7FFE1A510000

unkown

page readonly

C000068000

direct allocation

page read and write

18008C000

direct allocation

page readonly

C0000E4000

direct allocation

page read and write

420000

heap

page read and write

2BA0000

heap

page read and write

7FFE1A510000

unkown

page readonly

D31000

unkown

page readonly

C000018000

direct allocation

page read and write

281F000

stack

page read and write

7FF6B40A1000

unkown

page execute read

C00001E000

direct allocation

page read and write

C00005E000

direct allocation

page read and write

D31000

unkown

page readonly

C0001E6000

direct allocation

page read and write

C00003A000

direct allocation

page read and write

C0000AC000

direct allocation

page read and write

304A000

heap

page read and write

21EB000

heap

page read and write

232E77B0000

heap

page read and write

7FFE1A547000

unkown

page readonly

2DAF000

stack

page read and write

C0001B6000

direct allocation

page read and write

C0000CA000

direct allocation

page read and write

1390000

heap

page read and write

C0000CE000

direct allocation

page read and write

C0000E8000

direct allocation

page read and write

232A2260000

heap

page read and write

1B0000

heap

page read and write

67B73FE000

stack

page read and write

7FF6B40AF000

unkown

page read and write

C00001A000

direct allocation

page read and write

4B8000

heap

page read and write

C000194000

direct allocation

page read and write

C0000DA000

direct allocation

page read and write

232E7945000

heap

page read and write

C000180000

direct allocation

page read and write

C0001AC000

direct allocation

page read and write

21ED000

heap

page read and write

87E000

stack

page read and write

7FF6B40B3000

unkown

page readonly

C000086000

direct allocation

page read and write

721000

unkown

page execute read

232A2350000

direct allocation

page read and write

EED000

unkown

page write copy

C000264000

direct allocation

page read and write

7FF6B40AF000

unkown

page write copy

2FA0000

heap

page read and write

C000110000

direct allocation

page read and write

243D4AC8000

heap

page read and write

C00018C000

direct allocation

page read and write

7FFE1A547000

unkown

page readonly

C000051000

direct allocation

page read and write

C00003F000

direct allocation

page read and write

C4B000

unkown

page read and write

C000300000

direct allocation

page read and write

C0001BA000

direct allocation

page read and write

C0001A4000

direct allocation

page read and write

21D9000

heap

page read and write

232A2358000

direct allocation

page read and write

2120000

heap

page read and write

232A235A000

direct allocation

page read and write

2F9D000

stack

page read and write

C00027A000

direct allocation

page read and write

C00025E000

direct allocation

page read and write

291B000

stack

page read and write

180064000

direct allocation

page readonly

67B79FC000

stack

page read and write

67B7BFF000

stack

page read and write

2B1E000

stack

page read and write

7FF6B40A1000

unkown

page execute read

C000100000

direct allocation

page read and write

C0001B4000

direct allocation

page read and write

C000189000

direct allocation

page read and write

C0000A6000

direct allocation

page read and write

C0000C0000

direct allocation

page read and write

C00006C000

direct allocation

page read and write

C0000FC000

direct allocation

page read and write

C00009E000

direct allocation

page read and write

440000

heap

page read and write

C000108000

direct allocation

page read and write

232A23BC000

heap

page read and write

C0000F2000

direct allocation

page read and write

701F11F000

stack

page read and write

232A2354000

direct allocation

page read and write

22DC000

heap

page read and write

251F000

stack

page read and write

232E76B0000

direct allocation

page read and write

C0001E2000

direct allocation

page read and write

C000096000

direct allocation

page read and write

180085000

direct allocation

page read and write

56C000

heap

page read and write

1330000

heap

page read and write

C0001D5000

direct allocation

page read and write

C0000D2000

direct allocation

page read and write

C00004A000

direct allocation

page read and write

C000092000

direct allocation

page read and write

243D4AA0000

heap

page read and write

C00004F000

direct allocation

page read and write

271A000

stack

page read and write

C26000

unkown

page write copy

13C2000

heap

page read and write

C000266000

direct allocation

page read and write

591000

heap

page read and write

C000090000

direct allocation

page read and write

77E000

stack

page read and write

67B77FE000

stack

page read and write

C0001E8000

direct allocation

page read and write

180094000

direct allocation

page read and write

C00000C000

direct allocation

page read and write

C0001CF000

direct allocation

page read and write

C0000A8000

direct allocation

page read and write

C000302000

direct allocation

page read and write

C000060000

direct allocation

page read and write

CAF000

unkown

page readonly

410000

heap

page read and write

2220000

heap

page read and write

7FFE1A511000

unkown

page execute read

21A4000

heap

page read and write

C000304000

direct allocation

page read and write

C27000

unkown

page read and write

232A23C2000

heap

page read and write

C000000000

direct allocation

page read and write

C000056000

direct allocation

page read and write

1380000

heap

page read and write

FF0000

heap

page read and write

EEE000

unkown

page readonly

232E7730000

direct allocation

page read and write

C000098000

direct allocation

page read and write

C000080000

direct allocation

page read and write

C5C000

unkown

page write copy

7FF6B40AB000

unkown

page readonly

1785000

heap

page read and write

CAF000

unkown

page readonly

701F09C000

stack

page read and write

7FF6B40B3000

unkown

page readonly

C00019E000

direct allocation

page read and write

C00022A000

direct allocation

page read and write

C000010000

direct allocation

page read and write

1C0000

heap

page read and write

C23000

unkown

page read and write

C00010A000

direct allocation

page read and write

C000252000

direct allocation

page read and write

C00026C000

direct allocation

page read and write

232E7770000

direct allocation

page read and write

C000116000

direct allocation

page read and write

232A23B9000

heap

page read and write

7FF6B40AB000

unkown

page readonly

180094000

direct allocation

page read and write

5A0000

heap

page read and write

C0000BA000

direct allocation

page read and write

C0001BE000

direct allocation

page read and write

C000054000

direct allocation

page read and write

C000278000

direct allocation

page read and write

2205000

heap

page read and write

12D0000

heap

page read and write

232A2430000

heap

page read and write

7FF6B40A0000

unkown

page readonly

573000

heap

page read and write

C00007E000

direct allocation

page read and write

C000246000

direct allocation

page read and write

7FFE1A534000

unkown

page readonly

7FFE1A544000

unkown

page read and write

C0000F6000

direct allocation

page read and write

243D4A80000

heap

page read and write

C000254000

direct allocation

page read and write

7FF6B40A1000

unkown

page execute read

C000031000

direct allocation

page read and write

7FFE1A544000

unkown

page read and write

C0000A2000

direct allocation

page read and write

2A1E000

stack

page read and write

D4A000

unkown

page readonly

C00020E000

direct allocation

page read and write

2B70000

heap

page read and write

C0001EA000

direct allocation

page read and write

C000306000

direct allocation

page read and write

C0000C8000

direct allocation

page read and write

7FF6B40AF000

unkown

page read and write

C0001A8000

direct allocation

page read and write

5AE000

heap

page read and write

232A2403000

heap

page read and write

2158000

heap

page read and write

C000016000

direct allocation

page read and write

C0001A6000

direct allocation

page read and write

720000

unkown

page readonly

701F19F000

stack

page read and write

C4C000

unkown

page write copy

7FFE1A511000

unkown

page execute read

C00008E000

direct allocation

page read and write

415000

heap

page read and write

C0001E4000

direct allocation

page read and write

232E7733000

direct allocation

page read and write

13C3000

heap

page read and write

C28000

unkown

page write copy

243D4A70000

heap

page read and write

13B4000

heap

page read and write

C000006000

direct allocation

page read and write

C000256000

direct allocation

page read and write

994000

unkown

page readonly

419000

heap

page read and write

21EF000

heap

page read and write

67B75FE000

stack

page read and write

7FF6B40A0000

unkown

page readonly

7FF6B40AB000

unkown

page readonly

1383000

heap

page read and write

C00008A000

direct allocation

page read and write

C000062000

direct allocation

page read and write

180001000

direct allocation

page execute read

18008C000

direct allocation

page readonly

C00024F000

direct allocation

page read and write

C000084000

direct allocation

page read and write

C000078000

direct allocation

page read and write

232E773C000

direct allocation

page read and write

EED000

unkown

page write copy

180000000

direct allocation

page read and write

180064000

direct allocation

page readonly

C000190000

direct allocation

page read and write

1780000

heap

page read and write

C0001F0000

direct allocation

page read and write

C000064000

direct allocation

page read and write

There are 305 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
leg#U00edvel9931-009-140.08372236.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportleg#U00edvel9931-009-140.08372236.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
leg#U00edvel9931-009-140.08372236.exe