Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

MACHINE SPECIFICATION.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.225620299381016
Filename:	MACHINE SPECIFICATION.exe
Filesize:	1612288
MD5:	d1c6ab3629f6d71840186bd535086505
SHA1:	5591a31837bb82615ddb484a3e21c8db35420dbf
SHA256:	0c1418234d0411468fb45398076b8eed5b2a889472c9a97311069d7fb858c803
SHA512:	62eb373ee385e7a573c338860f783e72a11ecb9df4fbd729530fe6f1af4668a07633dbd5177c5b7fd6c1ff9df20ed5e6a152f4dc05365a6fc2770c40a75e014b
SSDEEP:	24576:bqDEvCTbMWu7rQYlBQcBiT6rprG8aAlWp6l08jgOIcODaJ+lF/vxW/PgHce:bTvC/MTQYxsWR7af0KDlO+lF/pYH
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Binary is likely a compiled AutoIt script file	System Summary
Found API chain indicative of sandbox detection	Malware Analysis System Evasion
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Native API Access Token Manipulation
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Process Discovery
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Process Discovery Archive Collected Data
Found large amount of non-executed APIs	Malware Analysis System Evasion
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Sample file is different than original file name gathered from version info	System Summary	System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality for error logging	System Summary
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\Melber

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Melber
Category:	dropped
Dump:	Melber.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\MACHINE SPECIFICATION.exe
Type:	data
Entropy:	7.8443596385995535
Encrypted:	false
Ssdeep:	6144:/Q0Sl9+yc7j7Oyh2kHwG9oSG5iWfLN+GH5:/Qr9+yc37qkHN9+P5
Size:	209920
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

"C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7728
Target ID:	0
Parent PID:	4084
Name:	MACHINE SPECIFICATION.exe
Path:	C:\Users\user\Desktop\MACHINE SPECIFICATION.exe
Commandline:	"C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"
Size:	1612288
MD5:	D1C6AB3629F6D71840186BD535086505
Time:	03:17:38
Date:	16/01/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x5f0000
Modulesize:	1634304
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Binary is likely a compiled AutoIt script file	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7784
Target ID:	2
Parent PID:	7728
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	03:17:39
Date:	16/01/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x3d0000
Modulesize:	57344
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected MassLogger RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\Desktop\MACHINE SPECIFICATION.exe

"C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7792
Target ID:	3
Parent PID:	7728
Name:	MACHINE SPECIFICATION.exe
Path:	C:\Users\user\Desktop\MACHINE SPECIFICATION.exe
Commandline:	"C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"
Size:	1612288
MD5:	D1C6AB3629F6D71840186BD535086505
Time:	03:17:39
Date:	16/01/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x5f0000
Modulesize:	1634304
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Binary is likely a compiled AutoIt script file	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7840
Target ID:	4
Parent PID:	7792
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\MACHINE SPECIFICATION.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	03:17:41
Date:	16/01/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x10000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected MassLogger RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

http://checkip.dyndns.org/

193.122.130.0

https://reallyfreegeoip.org/xml/8.46.123.189

104.21.16.1

https://reallyfreegeoip.org/xml/8.46.123.189l

unknown

http://kianaenergy.com

unknown

https://api.telegram.org/bot

unknown

http://r10.i.lencr.org/0-

unknown

http://x1.c.lencr.org/0

unknown

http://x1.i.lencr.org/0

unknown

http://checkip.dyndns.org/q

unknown

http://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org

unknown

http://r10.o.lencr.org0#

unknown

http://checkip.dyndns.org

unknown

http://checkip.dyndns.com

unknown

http://mail.kianaenergy.com

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://api.telegram.org/bot-/sendDocument?chat_id=

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 8 hidden URLs, click here to show them.

Domains

Name

Malicious

kianaenergy.com

5.144.131.244

Details

Name:	kianaenergy.com
IP:	5.144.131.244
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

mail.kianaenergy.com

unknown

Details

Name:	mail.kianaenergy.com
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

reallyfreegeoip.org

104.21.16.1

Details

Name:	reallyfreegeoip.org
IP:	104.21.16.1
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

193.122.130.0

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

5.144.131.244

kianaenergy.com

Iran (ISLAMIC Republic Of)

Details

IP:	5.144.131.244
TargetID:	4
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	Iran (ISLAMIC Republic Of)
Countrycode:	IRN
ASN number:	59441
ASN name:	HOSTIRAN-NETWORKIR
Private:	false
Domain:	kianaenergy.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

104.21.16.1

reallyfreegeoip.org

United States

Details

IP:	104.21.16.1
TargetID:	4
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

193.122.130.0

checkip.dyndns.com

United States

Details

IP:	193.122.130.0
TargetID:	4
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	31898
ASN name:	ORACLE-BMC-31898US
Private:	false
Domain:	checkip.dyndns.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2430000

trusted library section

page read and write

4AD0000

trusted library section

page read and write

3471000

trusted library allocation

page read and write

2631000

trusted library allocation

page read and write

21B0000

heap

page read and write

4A60000

trusted library allocation

page read and write

403E000

heap

page read and write

E1B000

stack

page read and write

137A000

heap

page read and write

52B0000

trusted library allocation

page read and write

24AB000

trusted library allocation

page read and write

1B1E000

heap

page read and write

1360000

heap

page read and write

1360000

heap

page read and write

1A70000

heap

page read and write

1B18000

heap

page read and write

3EDE000

direct allocation

page read and write

1B1C000

heap

page read and write

5C00000

trusted library allocation

page execute and read and write

17E0000

heap

page read and write

1360000

heap

page read and write

6C0000

unkown

page write copy

182B000

heap

page read and write

25EE000

trusted library allocation

page read and write

1823000

heap

page read and write

4A6B000

trusted library allocation

page read and write

F7D000

stack

page read and write

5E30000

trusted library allocation

page read and write

137A000

heap

page read and write

3EDE000

direct allocation

page read and write

1FD4000

trusted library allocation

page read and write

1FEE000

stack

page read and write

1377000

heap

page read and write

1A7E000

heap

page read and write

5CAE000

stack

page read and write

3571000

trusted library allocation

page read and write

1357000

heap

page read and write

248A000

trusted library allocation

page read and write

61D0000

trusted library allocation

page execute and read and write

3BA0000

direct allocation

page read and write

5BB0000

trusted library allocation

page read and write

6BC000

unkown

page write copy

68C000

unkown

page readonly

3BA0000

direct allocation

page read and write

24A1000

trusted library allocation

page read and write

2497000

trusted library allocation

page read and write

4A50000

trusted library allocation

page read and write

6C4000

unkown

page readonly

24BC000

trusted library allocation

page read and write

4A92000

trusted library allocation

page read and write

24D9000

trusted library allocation

page read and write

1A63000

heap

page read and write

3CC3000

direct allocation

page read and write

4BAE000

stack

page read and write

1FB3000

heap

page read and write

6DE000

unkown

page readonly

10E0000

heap

page read and write

182F000

heap

page read and write

1221000

heap

page read and write

1357000

heap

page read and write

24CF000

trusted library allocation

page read and write

1A87000

heap

page read and write

4A7E000

trusted library allocation

page read and write

568000

heap

page read and write

A9000

stack

page read and write

3D40000

direct allocation

page read and write

24C4000

trusted library allocation

page read and write

26B3000

trusted library allocation

page read and write

17F0000

heap

page read and write

45BE000

direct allocation

page read and write

1352000

heap

page read and write

11A1000

heap

page read and write

2544000

trusted library allocation

page read and write

3D40000

direct allocation

page read and write

1352000

heap

page read and write

4B30000

trusted library allocation

page execute and read and write

26F5000

trusted library allocation

page read and write

2050000

heap

page execute and read and write

135D000

heap

page read and write

6200000

heap

page read and write

24A5000

trusted library allocation

page read and write

470000

heap

page read and write

3EDE000

direct allocation

page read and write

2060000

trusted library allocation

page read and write

1377000

heap

page read and write

68C000

unkown

page readonly

1415000

heap

page read and write

1824000

heap

page read and write

25FA000

trusted library allocation

page read and write

26F1000

trusted library allocation

page read and write

4AC0000

heap

page execute and read and write

40EA000

heap

page read and write

3BAB000

heap

page read and write

68C000

unkown

page readonly

4420000

direct allocation

page read and write

1A7E000

heap

page read and write

2460000

heap

page read and write

68C000

unkown

page readonly

45BE000

direct allocation

page read and write

40E0000

heap

page read and write

2482000

trusted library allocation

page read and write

E3F000

stack

page read and write

1357000

heap

page read and write

1A63000

heap

page read and write

2010000

heap

page read and write

3CC3000

direct allocation

page read and write

24B6000

trusted library allocation

page read and write

5AAE000

stack

page read and write

3E69000

direct allocation

page read and write

1A87000

heap

page read and write

426000

system

page execute and read and write

2547000

trusted library allocation

page read and write

1790000

heap

page read and write

FBE000

stack

page read and write

137A000

heap

page read and write

25BB000

trusted library allocation

page read and write

395A000

heap

page read and write

1122000

heap

page read and write

18A3000

heap

page read and write

1133000

heap

page read and write

1352000

heap

page read and write

2090000

heap

page read and write

52BC000

trusted library allocation

page read and write

4AA0000

trusted library allocation

page read and write

1E0000

heap

page read and write

112E000

heap

page execute and read and write

4280000

direct allocation

page read and write

4A81000

trusted library allocation

page read and write

460000

heap

page read and write

1415000

heap

page read and write

4DF2000

heap

page read and write

24C0000

trusted library allocation

page read and write

15CF000

stack

page read and write

248E000

trusted library allocation

page read and write

24AD000

trusted library allocation

page read and write

247C000

trusted library allocation

page read and write

4A6E000

trusted library allocation

page read and write

2484000

trusted library allocation

page read and write

3D40000

direct allocation

page read and write

1A7A000

heap

page read and write

F9E000

stack

page read and write

18EF000

stack

page read and write

4960000

heap

page read and write

255C000

trusted library allocation

page read and write

3E6D000

direct allocation

page read and write

6C4000

unkown

page readonly

23DF000

stack

page read and write

22DE000

stack

page read and write

1B17000

heap

page execute and read and write

11A2000

heap

page read and write

1377000

heap

page read and write

5BDD000

trusted library allocation

page read and write

418D000

heap

page read and write

5F1000

unkown

page execute read

135D000

heap

page read and write

3CC3000

direct allocation

page read and write

1FB0000

heap

page read and write

1240000

heap

page read and write

4549000

direct allocation

page read and write

3BA0000

direct allocation

page read and write

1A87000

heap

page read and write

1FFA000

trusted library allocation

page execute and read and write

504000

heap

page read and write

E0F000

stack

page read and write

2550000

trusted library allocation

page read and write

3E6D000

direct allocation

page read and write

1357000

heap

page read and write

A3A000

stack

page read and write

25B7000

trusted library allocation

page read and write

6B2000

unkown

page readonly

4A66000

trusted library allocation

page read and write

3BA0000

direct allocation

page read and write

3BA0000

direct allocation

page read and write

10C0000

heap

page read and write

FC0000

heap

page read and write

258D000

trusted library allocation

page read and write

15BF000

stack

page read and write

43A3000

direct allocation

page read and write

2488000

trusted library allocation

page read and write

255A000

trusted library allocation

page read and write

582000

heap

page read and write

460E000

stack

page read and write

135D000

heap

page read and write

1FF6000

trusted library allocation

page execute and read and write

1352000

heap

page read and write

34FA000

trusted library allocation

page read and write

ECA000

stack

page read and write

50EE000

stack

page read and write

34E4000

trusted library allocation

page read and write

1FC0000

trusted library allocation

page read and write

570000

heap

page read and write

24C2000

trusted library allocation

page read and write

2002000

trusted library allocation

page read and write

400000

system

page execute and read and write

3EDE000

direct allocation

page read and write

4A8D000

trusted library allocation

page read and write

25E0000

heap

page read and write

3D40000

direct allocation

page read and write

4DCC000

heap

page read and write

18A2000

heap

page read and write

2591000

trusted library allocation

page read and write

135D000

heap

page read and write

436000

system

page execute and read and write

25D9000

trusted library allocation

page read and write

5F0000

unkown

page readonly

4950000

heap

page read and write

6C0000

unkown

page write copy

509000

heap

page read and write

24CB000

trusted library allocation

page read and write

1B27000

heap

page read and write

2490000

trusted library allocation

page read and write

52B9000

trusted library allocation

page read and write

135D000

heap

page read and write

2471000

trusted library allocation

page read and write

F30000

heap

page read and write

3E6D000

direct allocation

page read and write

1377000

heap

page read and write

254D000

trusted library allocation

page read and write

1A7A000

heap

page read and write

25C2000

trusted library allocation

page read and write

4DB0000

heap

page read and write

1A70000

heap

page read and write

4A8000

heap

page read and write

4D0E000

stack

page read and write

1377000

heap

page read and write

1921000

heap

page read and write

113E000

heap

page read and write

1FF2000

trusted library allocation

page read and write

3611000

heap

page read and write

2040000

trusted library allocation

page execute and read and write

5F0000

unkown

page readonly

5BE0000

trusted library allocation

page execute and read and write

17F8000

heap

page read and write

2601000

trusted library allocation

page read and write

52BF000

trusted library allocation

page read and write

1352000

heap

page read and write

137A000

heap

page read and write

5F0000

unkown

page readonly

4AB0000

trusted library allocation

page read and write

1A87000

heap

page read and write

1360000

heap

page read and write

2070000

heap

page read and write

24A9000

trusted library allocation

page read and write

56C000

heap

page read and write

4A0000

heap

page read and write

2477000

trusted library allocation

page read and write

24D7000

trusted library allocation

page read and write

2493000

trusted library allocation

page read and write

4DC4000

heap

page read and write

3CC3000

direct allocation

page read and write

1B28000

heap

page read and write

3E69000

direct allocation

page read and write

15FF000

stack

page read and write

11A1000

heap

page read and write

11A1000

heap

page read and write

3BA0000

direct allocation

page read and write

4C0E000

stack

page read and write

3E69000

direct allocation

page read and write

1FDD000

trusted library allocation

page execute and read and write

5C10000

trusted library allocation

page read and write

3AB3000

heap

page read and write

DFF000

stack

page read and write

2578000

trusted library allocation

page read and write

24A7000

trusted library allocation

page read and write

1360000

heap

page read and write

10F8000

heap

page read and write

1360000

heap

page read and write

34EE000

trusted library allocation

page read and write

1FA0000

heap

page read and write

4E7A000

heap

page read and write

113F000

heap

page read and write

4549000

direct allocation

page read and write

3531000

trusted library allocation

page read and write

454D000

direct allocation

page read and write

3E69000

direct allocation

page read and write

1FE0000

trusted library allocation

page read and write

24B4000

trusted library allocation

page read and write

4A7A000

trusted library allocation

page read and write

3E69000

direct allocation

page read and write

6B2000

unkown

page readonly

5F1000

unkown

page execute read

182F000

heap

page read and write

2030000

trusted library allocation

page read and write

1FE3000

trusted library allocation

page read and write

454D000

direct allocation

page read and write

112F000

heap

page read and write

1B18000

heap

page read and write

248C000

trusted library allocation

page read and write

1377000

heap

page read and write

24C9000

trusted library allocation

page read and write

E2F000

stack

page read and write

6DE000

unkown

page readonly

1FF0000

trusted library allocation

page read and write

137A000

heap

page read and write

13A0000

heap

page read and write

3E69000

direct allocation

page read and write

4A86000

trusted library allocation

page read and write

4287000

heap

page read and write

2583000

trusted library allocation

page read and write

253F000

trusted library allocation

page read and write

526D000

stack

page read and write

3E6D000

direct allocation

page read and write

52AE000

stack

page read and write

1FD0000

trusted library allocation

page read and write

FA0000

heap

page read and write

1FD3000

trusted library allocation

page execute and read and write

23EE000

stack

page read and write

1A7A000

heap

page read and write

24C6000

trusted library allocation

page read and write

5BF0000

trusted library allocation

page read and write

1400000

heap

page read and write

1A70000

heap

page read and write

1A7E000

heap

page read and write

112F000

heap

page read and write

1940000

heap

page read and write

3EDE000

direct allocation

page read and write

5BD0000

trusted library allocation

page read and write

1123000

heap

page read and write

5BAE000

stack

page read and write

4DC000

heap

page read and write

3CC3000

direct allocation

page read and write

3600000

heap

page read and write

2595000

trusted library allocation

page read and write

5A6F000

stack

page read and write

6B2000

unkown

page readonly

1EEF000

stack

page read and write

6DE000

unkown

page readonly

1352000

heap

page read and write

1A7E000

heap

page read and write

25CB000

trusted library allocation

page read and write

1A7000

stack

page read and write

18A2000

heap

page read and write

E70000

heap

page read and write

4280000

direct allocation

page read and write

1822000

heap

page read and write

6DE000

unkown

page readonly

5F0000

unkown

page readonly

4BC0000

trusted library allocation

page read and write

3D40000

direct allocation

page read and write

3D40000

direct allocation

page read and write

25F6000

trusted library allocation

page read and write

6BC000

unkown

page read and write

6BC000

unkown

page write copy

4420000

direct allocation

page read and write

6C4000

unkown

page readonly

5F1000

unkown

page execute read

6400000

heap

page read and write

11A1000

heap

page read and write

3E6D000

direct allocation

page read and write

11A1000

heap

page read and write

24A3000

trusted library allocation

page read and write

512E000

stack

page read and write

10F0000

heap

page read and write

FFE000

stack

page read and write

4CF000

heap

page read and write

3EDE000

direct allocation

page read and write

137A000

heap

page read and write

F50000

heap

page read and write

3590000

direct allocation

page read and write

1750000

heap

page read and write

112A000

heap

page read and write

3604000

heap

page read and write

3A0E000

heap

page read and write

2486000

trusted library allocation

page read and write

490000

trusted library section

page read and write

3C04000

heap

page read and write

43A3000

direct allocation

page read and write

5BC0000

trusted library allocation

page execute and read and write

241E000

stack

page read and write

1754000

heap

page read and write

25F4000

trusted library allocation

page read and write

5F1000

unkown

page execute read

6B2000

unkown

page readonly

1A63000

heap

page read and write

3CC3000

direct allocation

page read and write

15DB000

stack

page read and write

5CEE000

stack

page read and write

1A63000

heap

page read and write

15EF000

stack

page read and write

529000

heap

page read and write

3A06000

heap

page read and write

253C000

trusted library allocation

page read and write

135D000

heap

page read and write

6C4000

unkown

page readonly

3E6D000

direct allocation

page read and write

596E000

stack

page read and write

1357000

heap

page read and write

2005000

trusted library allocation

page execute and read and write

1357000

heap

page read and write

1A70000

heap

page read and write

1122000

heap

page read and write

2007000

trusted library allocation

page execute and read and write

1A7A000

heap

page read and write

522E000

stack

page read and write

2580000

direct allocation

page read and write

24BE000

trusted library allocation

page read and write

25D5000

trusted library allocation

page read and write

200B000

trusted library allocation

page execute and read and write

1FED000

trusted library allocation

page execute and read and write

4B20000

trusted library allocation

page read and write

25DE000

trusted library allocation

page read and write

5BB6000

trusted library allocation

page read and write

1E5000

heap

page read and write

6BC000

unkown

page read and write

4A72000

trusted library allocation

page read and write

There are 395 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
MACHINE SPECIFICATION.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportMACHINE SPECIFICATION.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
MACHINE SPECIFICATION.exe