Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.789762421792232
Filename:	SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Filesize:	541184
MD5:	e750511892ab532fb2147f4537dabcfd
SHA1:	d78aa528d38fa57bd3a5bf591cbd4437ebcdf377
SHA256:	4328e4ac330339d884b95d99128404d4f8b5d6b695a9f583ff4c3f3a61ac4ff8
SHA512:	f0c1af9e1b8175ea91337702ffa8140dd0c901c8ac570a1def1299f2493efc6fd66f36e19c8ae6b1b5c2b0f174a44a8754761a30eb2e652f3fc2e8d90a939bd5
SSDEEP:	12288:jgDW4PmoO4lv8zw7n9AXJBkwVHI3eC9Z9rzWmvRM:L4uoO4VnsJRHc/zJ
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.........."...P..6...........U... ...`....@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection,
Machine Learning detection for sample	AV Detection,
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion,
Contains capabilities to detect virtual machines	Malware Analysis System Evasion,	Virtualization/Sandbox Evasion
Contains functionality to detect virtual machines (SLDT)	Malware Analysis System Evasion,
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Detected potential crypto function	System Summary,	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior,
Enables debug privileges	Anti Debugging,
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion,
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection,	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary,
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary,	Software Packing
Creates files inside the user directory	System Summary,	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging,	Disable or Modify Tools
Creates mutexes	System Summary,
Creates temporary files	System Summary,
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection,
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion,	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary,
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary,
Queries a list of all running processes	Malware Analysis System Evasion,	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection,
Reads ini files	System Summary,	File and Directory Discovery
Reads software policies	System Summary,
Sample is known by Antivirus	System Summary,
Sample reads its own file content	System Summary,
Urls found in memory or binary data	Networking,
Uses an in-process (OLE) Automation server	System Summary,
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary,
PE file contains a COM descriptor data directory	System Summary,
Uses Microsoft Silverlight	System Summary,

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe.log

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe.log
Category:	modified
Dump:	SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe.log.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.381353871108486
Encrypted:	false
Ssdeep:	48:MxHKEYHKGD8Ao6+vxpNl1qHGiD0HKeGitHTG1hAHKKPJAmHKoA9:iqEYqGgAo9ZPlwmI0qertzG1eqKPJ/qT
Size:	1742
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection,
Machine Learning detection for sample	AV Detection,
Sample file is different than original file name gathered from version info	System Summary,
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary,	Software Packing
PE file has an executable .text section and no other executable section	System Summary,
Sample is known by Antivirus	System Summary,
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary,
PE file contains a COM descriptor data directory	System Summary,

C:\Users\user\AppData\Local\Temp\tmpCBF8.tmp

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\tmpCBF8.tmp
Category:	dropped
Dump:	tmpCBF8.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	5.184744549823039
Encrypted:	false
Ssdeep:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBLQrtn:cbh47TlNQ//rydbz9I3YODOLNdq3NQp
Size:	1639
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Scheduled temp file as task from temp location	System Summary,
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival,	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Creates temporary files	System Summary,
Spawns processes	System Summary,	Process Injection

C:\Users\user\AppData\Roaming\XdwuEt.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\XdwuEt.exe
Category:	dropped
Dump:	XdwuEt.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.789762421792232
Encrypted:	false
Ssdeep:	12288:jgDW4PmoO4lv8zw7n9AXJBkwVHI3eC9Z9rzWmvRM:L4uoO4VnsJRHc/zJ
Size:	541184
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for dropped file	AV Detection,
Drops PE files	Persistence and Installation Behavior,
Creates files inside the user directory	System Summary,	Masquerading

C:\Users\user\AppData\Roaming\XdwuEt.exe:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\XdwuEt.exe:Zone.Identifier
Category:	dropped
Dump:	XdwuEt.exe_Zone.Identifier.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for dropped file	AV Detection,

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe

'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe'

Details

Is windows:	true
Is dropped:	false
PID:	5660
Target ID:	0
Parent PID:	5532
Name:	SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe'
Size:	541184
MD5:	E750511892AB532FB2147F4537DABCFD
Time:	16:15:30
Date:	27/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x980000
Modulesize:	565248
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection,
Sigma detected: Scheduled temp file as task from temp location	System Summary,
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM_3	Malware Analysis System Evasion,
Machine Learning detection for sample	AV Detection,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection,	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary,
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary,	Software Packing
PE file has an executable .text section and no other executable section	System Summary,
Sample is known by Antivirus	System Summary,
Sample reads its own file content	System Summary,
Spawns processes	System Summary,	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary,
PE file contains a COM descriptor data directory	System Summary,

C:\Windows\System32\schtasks.exe

'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XdwuEt' /XML 'C:\Users\user\AppData\Local\Temp\tmpCBF8.tmp'

Details

Is windows:	true
Is dropped:	false
PID:	4864
Target ID:	1
Parent PID:	5660
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\System32\schtasks.exe
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XdwuEt' /XML 'C:\Users\user\AppData\Local\Temp\tmpCBF8.tmp'
Size:	226816
MD5:	838D346D1D28F00783B7A6C6BD03A0DA
Time:	16:15:32
Date:	27/01/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff634190000
Modulesize:	249856
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Scheduled temp file as task from temp location	System Summary,
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival,	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Spawns processes	System Summary,	Process Injection

C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe

Details

Is windows:	true
Is dropped:	false
PID:	5456
Target ID:	3
Parent PID:	5660
Name:	SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Size:	541184
MD5:	E750511892AB532FB2147F4537DABCFD
Time:	16:15:33
Date:	27/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x900000
Modulesize:	565248
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection,
Sigma detected: Scheduled temp file as task from temp location	System Summary,
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM_3	Malware Analysis System Evasion,
Machine Learning detection for sample	AV Detection,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection,	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary,
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary,	Software Packing
PE file has an executable .text section and no other executable section	System Summary,
Sample is known by Antivirus	System Summary,
Sample reads its own file content	System Summary,
Spawns processes	System Summary,	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary,
PE file contains a COM descriptor data directory	System Summary,

C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe

Details

Is windows:	true
Is dropped:	false
PID:	852
Target ID:	4
Parent PID:	5660
Name:	SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Size:	541184
MD5:	E750511892AB532FB2147F4537DABCFD
Time:	16:15:34
Date:	27/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x170000
Modulesize:	565248
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection,
Sigma detected: Scheduled temp file as task from temp location	System Summary,
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM_3	Malware Analysis System Evasion,
Machine Learning detection for sample	AV Detection,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection,	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary,
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary,	Software Packing
PE file has an executable .text section and no other executable section	System Summary,
Sample is known by Antivirus	System Summary,
Sample reads its own file content	System Summary,
Spawns processes	System Summary,	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary,
PE file contains a COM descriptor data directory	System Summary,

C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe

Details

Is windows:	true
Is dropped:	false
PID:	5948
Target ID:	5
Parent PID:	5660
Name:	SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Size:	541184
MD5:	E750511892AB532FB2147F4537DABCFD
Time:	16:15:34
Date:	27/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xe90000
Modulesize:	565248
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection,
Sigma detected: Scheduled temp file as task from temp location	System Summary,
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM_3	Malware Analysis System Evasion,
Machine Learning detection for sample	AV Detection,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection,	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary,
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary,	Software Packing
PE file has an executable .text section and no other executable section	System Summary,
Sample is known by Antivirus	System Summary,
Sample reads its own file content	System Summary,
Spawns processes	System Summary,	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary,
PE file contains a COM descriptor data directory	System Summary,

C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe

Details

Is windows:	true
Is dropped:	false
PID:	5796
Target ID:	6
Parent PID:	5660
Name:	SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Size:	541184
MD5:	E750511892AB532FB2147F4537DABCFD
Time:	16:15:35
Date:	27/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x6e0000
Modulesize:	565248
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection,
Sigma detected: Scheduled temp file as task from temp location	System Summary,
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM_3	Malware Analysis System Evasion,
Machine Learning detection for sample	AV Detection,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection,	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary,
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary,	Software Packing
PE file has an executable .text section and no other executable section	System Summary,
Sample is known by Antivirus	System Summary,
Sample reads its own file content	System Summary,
Spawns processes	System Summary,	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary,
PE file contains a COM descriptor data directory	System Summary,

C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe

Details

Is windows:	true
Is dropped:	false
PID:	1368
Target ID:	7
Parent PID:	5660
Name:	SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Size:	541184
MD5:	E750511892AB532FB2147F4537DABCFD
Time:	16:15:35
Date:	27/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xf30000
Modulesize:	565248
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection,
Sigma detected: Scheduled temp file as task from temp location	System Summary,
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM_3	Malware Analysis System Evasion,
Machine Learning detection for sample	AV Detection,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection,	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary,
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary,	Software Packing
PE file has an executable .text section and no other executable section	System Summary,
Sample is known by Antivirus	System Summary,
Sample reads its own file content	System Summary,
Spawns processes	System Summary,	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary,
PE file contains a COM descriptor data directory	System Summary,

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4700
Target ID:	2
Parent PID:	4864
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	625664
MD5:	EA777DEEA782E8B4D7C7C33BBF8A4496
Time:	16:15:33
Date:	27/01/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6b2800000
Modulesize:	651264
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary,	Process Injection

URLs

Name

Malicious

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source:	SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe, 00000000.00000002.225631461.0000000002DD1000.00000004.00000001.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking,

https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

unknown

Details

Name:	https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe
Source:	SecuriteInfo.com.Trojan.MulDrop16.9965.2278.exe, 00000000.00000002.226077491.0000000012DE1000.00000004.00000001.sdmp

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking,

Memdumps

Base Address

Regiontype

Protect

Malicious

2E28000

unkown

page read and write

2DD1000

unkown

page read and write

12DE1000

unkown

page read and write

7FFAEE0A0000

unkown

page read and write

F6B000

heap default

page read and write

137E000

unkown

page read and write

2C40000

unkown

page read and write

7FFAEDF83000

unkown

page execute and read and write

2CB0000

unkown

page read and write

2C20000

unkown

page read and write

1BC30000

unkown

page read and write

1B8C9000

heap private

page read and write

F9B000

heap default

page read and write

2C20000

unkown

page read and write

1BAD0000

unkown

page read and write

2C40000

unkown

page readonly

F30000

unkown image

page readonly

6E0000

unkown image

page readonly

1130000

unkown

page readonly

902000

unkown image

page readonly

982000

unkown image

page readonly

1B790000

unkown

page read and write

2C00000

unkown

page read and write

2B30000

unkown

page read and write

2C90000

unkown

page read and write

1BBB0000

unkown

page read and write

1C4A0000

unkown

page read and write

2C20000

unkown

page read and write

2B40000

unkown

page read and write

1BD10000

unkown

page read and write

7FFAEE030000

unkown

page read and write

2C30000

unkown

page read and write

1BD40000

unkown

page read and write

1BD00000

unkown

page read and write

2C20000

unkown

page read and write

2C20000

unkown

page read and write

101D000

heap default

page read and write

1BA9E000

unkown

page read and write

1BA94000

unkown

page read and write

1C4F0000

unkown

page read and write

1BD30000

unkown

page read and write

2C60000

unkown

page read and write

7FF48E5D0000

unkown

page execute and read and write

F32000

unkown image

page readonly

1B8D0000

unkown

page read and write

12DD8000

unkown

page read and write

E00000

unkown

page readonly

1BCE0000

unkown

page read and write

2DCE000

unkown

page read and write

1C4C0000

unkown

page read and write

1C470000

unkown

page read and write

2C80000

heap private

page read and write

F10000

unkown

page read and write

2C30000

unkown

page read and write

1B34C000

unkown

page read and write

1BBB0000

unkown

page read and write

2C70000

unkown

page read and write

1B8C0000

heap private

page read and write

7FFAEE0AB000

unkown

page read and write

1BC90000

unkown

page read and write

1BCA0000

unkown

page read and write

2C04000

unkown

page read and write

2C70000

unkown

page read and write

1C45B000

unkown

page read and write

1BD20000

unkown

page read and write

1C2B0000

unkown

page readonly

1C4D0000

unkown

page read and write

BE0000

unkown

page readonly

F39000

heap default

page read and write

1BBCB000

unkown

page read and write

2C20000

unkown

page read and write

2BB0000

unkown

page read and write

1012000

unkown

page read and write

1BC10000

unkown

page read and write

12DD1000

unkown

page read and write

2C90000

unkown

page read and write

1B350000

unkown

page readonly

1C2AE000

unkown

page read and write

7FFAEDF93000

unkown

page read and write

170000

unkown image

page readonly

900000

unkown image

page readonly

2C20000

unkown

page read and write

1BCF0000

unkown

page read and write

2C20000

unkown

page read and write

1C470000

unkown

page read and write

172000

unkown image

page readonly

1BCB0000

unkown

page read and write

2C10000

unkown

page read and write

2B20000

unkown

page readonly

170000

unkown image

page readonly

1BC40000

unkown

page read and write

1B750000

heap private

page read and write

1B8C3000

heap private

page read and write

E92000

unkown image

page readonly

F71000

heap default

page read and write

980000

unkown image

page readonly

2C10000

unkown

page read and write

E90000

unkown image

page readonly

2C30000

unkown

page read and write

2C00000

unkown

page read and write

BA0000

unkown

page read and write

A25000

heap private

page read and write

F00000

unkown

page read and write

A20000

heap private

page read and write

1150000

unkown

page read and write

2C30000

unkown

page read and write

2CA0000

unkown

page read and write

7FFAEDFA0000

unkown

page read and write

2C20000

unkown

page read and write

2C20000

unkown

page read and write

1011000

heap default

page read and write

2C40000

unkown

page read and write

170000

unkown image

page readonly

1BC80000

unkown

page read and write

1175000

heap private

page read and write

112E000

unkown

page read and write

1BFAF000

unkown

page read and write

12DDD000

unkown

page read and write

2C20000

unkown

page read and write

2C50000

unkown

page read and write

1BD50000

unkown

page read and write

2C60000

unkown

page read and write

980000

unkown image

page readonly

1AE00000

unkown

page read and write

1BC19000

unkown

page read and write

E90000

unkown image

page readonly

2C01000

unkown

page read and write

7FFAEE036000

unkown

page read and write

902000

unkown image

page readonly

1C480000

unkown

page read and write

7FFAEE0B0000

unkown

page execute and read and write

7FFAEDF84000

unkown

page read and write

7FFAEE130000

unkown

page read and write

1B7B0000

heap private

page execute and read and write

7FFAEDF8D000

unkown

page execute and read and write

1170000

heap private

page read and write

7FFAEDFAD000

unkown

page execute and read and write

2C40000

unkown

page read and write

7FFAEE03C000

unkown

page execute and read and write

1BC70000

unkown

page read and write

1BD60000

unkown

page read and write

1B8BC000

unkown

page read and write

1BC60000

unkown

page read and write

E92000

unkown image

page readonly

F30000

heap default

page read and write

2C20000

unkown

page read and write

2C50000

unkown

page read and write

2C83000

heap private

page read and write

1BC50000

unkown

page read and write

7FFAEE040000

unkown

page execute and read and write

1BBC0000

unkown

page read and write

2B50000

unkown

page read and write

2C20000

unkown

page read and write

1B760000

unkown

page readonly

B45000

unkown

page read and write

1B8D1000

unkown

page read and write

127E000

unkown

page read and write

2C20000

unkown

page read and write

E90000

unkown image

page readonly

1C500000

unkown

page read and write

F30000

unkown image

page readonly

6E0000

unkown image

page readonly

F6E000

heap default

page read and write

2C20000

unkown

page read and write

6E0000

unkown image

page readonly

1140000

unkown

page read and write

2C20000

unkown

page read and write

2C60000

unkown

page readonly

1BBF0000

unkown

page read and write

2B30000

unkown

page readonly

1C0AF000

unkown

page read and write

1C4E0000

unkown

page read and write

1C4B0000

unkown

page read and write

1BC20000

unkown

page read and write

1C490000

unkown

page read and write

100E000

unkown

page read and write

F32000

unkown image

page readonly

1BCD0000

unkown

page read and write

B80000

unkown

page read and write

1BBD0000

unkown

page read and write

2C20000

unkown

page read and write

F30000

unkown image

page readonly

2C20000

unkown

page read and write

1BC00000

unkown

page read and write

900000

unkown image

page readonly

1B780000

unkown

page read and write

1B760000

unkown

page read and write

172000

unkown image

page readonly

2C00000

unkown

page read and write

2B30000

unkown

page read and write

1B770000

unkown

page read and write

1BCC0000

unkown

page read and write

1B9D0000

unkown

page read and write

6E2000

unkown image

page readonly

2C30000

unkown

page read and write

2C20000

unkown

page read and write

EE0000

unkown

page read and write

2C30000

unkown

page read and write

2BC0000

heap private

page read and write

900000

unkown image

page readonly

1B690000

unkown

page readonly

F4B000

heap default

page read and write

7FFAEE066000

unkown

page execute and read and write

7FFAEDF9D000

unkown

page execute and read and write

2C20000

unkown

page read and write

980000

unkown image

page readonly

7FFAEDFDC000

unkown

page execute and read and write

2C50000

unkown

page readonly

7FFAEE140000

unkown

page read and write

1C56F000

unkown

page read and write

6E2000

unkown image

page readonly

7FFAEDF90000

unkown

page read and write

2CC0000

heap private

page execute and read and write

1C1AE000

unkown

page read and write

2C40000

unkown

page read and write

1380000

unkown

page readonly

1BEAE000

unkown

page read and write

7FFAEE0A5000

unkown

page read and write

2C20000

unkown

page read and write

1BB40000

unkown

page read and write

982000

unkown image

page readonly

1B7A0000

unkown

page read and write

F14000

unkown

page read and write

2C30000

unkown

page read and write

BC0000

unkown

page read and write

1BBE0000

unkown

page read and write

There are 216 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Memdumps