Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

doc_2021_98666_SIGNED - PRO FACTURA.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.712684433960131
Filename:	doc_2021_98666_SIGNED - PRO FACTURA.exe
Filesize:	1202688
MD5:	532b5c7f4e3212a0d05e51c85864caf6
SHA1:	9a46dd2c45b724e23a0e3d316eb7fbc16b144e19
SHA256:	46510a62d266a7663f6cbe0a7ffbbba5019a6c890512e5d050b667a8b44f6ea6
SHA512:	55b368430e4b5faa59ca892a15930b25df9f571786cd21dbf87ee311b5da033f24fd660e7750a51e3a92f3777e82f480c287c35c7ffc295b3a2ef7069b38e108
SSDEEP:	24576:qmlBdz3ITXWl+O/JR308rntdkcr2VGSsjv1StbqiXk:RlBdz3OXW/RkAny7sjv0oi
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.........."...P..F..........Fe... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Detected Nanocore Rat	Remote Access Functionality	Remote Access Software
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\doc_2021_98666_SIGNED - PRO FACTURA.exe.log

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\doc_2021_98666_SIGNED - PRO FACTURA.exe.log
Category:	modified
Dump:	doc_2021_98666_SIGNED - PRO FACTURA.exe.log.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.381353871108486
Encrypted:	false
Ssdeep:	48:MxHKEYHKGD8Ao6+vxpNl1qHGiD0HKeGitHTG1hAHKKPJAmHKoA9:iqEYqGgAo9ZPlwmI0qertzG1eqKPJ/qT
Size:	1742
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\tmpDCE9.tmp

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\tmpDCE9.tmp
Category:	dropped
Dump:	tmpDCE9.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	5.176967825324459
Encrypted:	false
Ssdeep:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGktn:cbhK79lNQR/rydbz9I3YODOLNdq3N
Size:	1639
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\bWuIYd.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\bWuIYd.exe
Category:	dropped
Dump:	bWuIYd.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.712684433960131
Encrypted:	false
Ssdeep:	24576:qmlBdz3ITXWl+O/JR308rntdkcr2VGSsjv1StbqiXk:RlBdz3OXW/RkAny7sjv0oi
Size:	1202688
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Roaming\bWuIYd.exe:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\bWuIYd.exe:Zone.Identifier
Category:	dropped
Dump:	bWuIYd.exe_Zone.Identifier.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for dropped file	AV Detection

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe

'C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe'

Details

Is windows:	false
Is dropped:	false
PID:	6512
Target ID:	0
Parent PID:	5840
Name:	doc_2021_98666_SIGNED - PRO FACTURA.exe
Path:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Commandline:	'C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe'
Size:	1202688
MD5:	532B5C7F4E3212A0D05E51C85864CAF6
Time:	15:56:30
Date:	03/08/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xa80000
Modulesize:	1228800
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Nanocore RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\schtasks.exe

'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\bWuIYd' /XML 'C:\Users\user\AppData\Local\Temp\tmpDCE9.tmp'

Details

Is windows:	true
Is dropped:	false
PID:	6744
Target ID:	4
Parent PID:	6512
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\System32\schtasks.exe
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\bWuIYd' /XML 'C:\Users\user\AppData\Local\Temp\tmpDCE9.tmp'
Size:	226816
MD5:	838D346D1D28F00783B7A6C6BD03A0DA
Time:	15:56:34
Date:	03/08/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6fe380000
Modulesize:	249856
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe

Details

Is windows:	false
Is dropped:	false
PID:	6788
Target ID:	6
Parent PID:	6512
Name:	doc_2021_98666_SIGNED - PRO FACTURA.exe
Path:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Commandline:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Size:	1202688
MD5:	532B5C7F4E3212A0D05E51C85864CAF6
Time:	15:56:35
Date:	03/08/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd50000
Modulesize:	1228800
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Nanocore RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe

Details

Is windows:	false
Is dropped:	false
PID:	6804
Target ID:	7
Parent PID:	6512
Name:	doc_2021_98666_SIGNED - PRO FACTURA.exe
Path:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Commandline:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Size:	1202688
MD5:	532B5C7F4E3212A0D05E51C85864CAF6
Time:	15:56:35
Date:	03/08/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc70000
Modulesize:	1228800
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Nanocore RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe

Details

Is windows:	false
Is dropped:	false
PID:	6820
Target ID:	8
Parent PID:	6512
Name:	doc_2021_98666_SIGNED - PRO FACTURA.exe
Path:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Commandline:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Size:	1202688
MD5:	532B5C7F4E3212A0D05E51C85864CAF6
Time:	15:56:36
Date:	03/08/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xbf0000
Modulesize:	1228800
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Nanocore RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe

Details

Is windows:	false
Is dropped:	false
PID:	6836
Target ID:	9
Parent PID:	6512
Name:	doc_2021_98666_SIGNED - PRO FACTURA.exe
Path:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Commandline:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Size:	1202688
MD5:	532B5C7F4E3212A0D05E51C85864CAF6
Time:	15:56:37
Date:	03/08/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xbb0000
Modulesize:	1228800
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Nanocore RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe

Details

Is windows:	false
Is dropped:	false
PID:	6848
Target ID:	10
Parent PID:	6512
Name:	doc_2021_98666_SIGNED - PRO FACTURA.exe
Path:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Commandline:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Size:	1202688
MD5:	532B5C7F4E3212A0D05E51C85864CAF6
Time:	15:56:37
Date:	03/08/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7c0000
Modulesize:	1228800
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Nanocore RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6752
Target ID:	5
Parent PID:	6744
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	625664
MD5:	EA777DEEA782E8B4D7C7C33BBF8A4496
Time:	15:56:34
Date:	03/08/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff724c50000
Modulesize:	651264
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

194.5.98.127

Details

Name:	194.5.98.127
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Source:	config extactor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

127.0.0.1

Details

Name:	127.0.0.1
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Source:	config extactor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\doc_2021_98666_SIGNED - PRO FACTURA.exe
Source:	doc_2021_98666_SIGNED - PRO FACTURA.exe, 00000000.00000002.667857482.0000000002F51000.00000004.00000001.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

32EA000

unkown

page read and write

12F61000

unkown

page read and write

1B840000

unkown

page read and write

BB2000

unkown image

page readonly

109E000

heap default

page read and write

2DA0000

unkown

page read and write

10A2000

heap default

page read and write

7FF50E6D1000

unkown

page readonly

13F0000

unkown

page readonly

1B940000

heap private

page execute and read and write

2DD0000

unkown

page read and write

1B960000

unkown

page read and write

2DB0000

unkown

page read and write

BB0000

unkown image

page readonly

1B930000

unkown

page read and write

1B813000

unkown

page read and write

BF0000

unkown image

page readonly

7C0000

unkown image

page readonly

BF2000

unkown image

page readonly

1B960000

unkown

page read and write

23785702000

unkown

page read and write

7FF50E880000

unkown

page readonly

1B930000

unkown

page read and write

2E40000

heap private

page read and write

1B930000

unkown

page read and write

1B930000

unkown

page read and write

1B2C5000

unkown

page read and write

7FF50E8C4000

unkown

page readonly

7FFA35F1C000

unkown

page execute and read and write

2E30000

unkown

page read and write

1B970000

unkown

page read and write

1C8A0000

unkown

page read and write

BB0000

unkown image

page readonly

BA8000

unkown image

page readonly

1B930000

unkown

page read and write

1BD70000

unkown

page read and write

1B960000

unkown

page read and write

1B970000

unkown

page read and write

10D3000

heap default

page read and write

1B970000

unkown

page read and write

90270F7000

unkown

page read and write

2DC0000

unkown

page read and write

7FFA35E73000

unkown

page read and write

1B9CF000

unkown

page read and write

1B960000

unkown

page read and write

1B930000

unkown

page read and write

1B87D000

unkown

page read and write

1B930000

unkown

page read and write

1B4CB000

unkown

page read and write

1B930000

unkown

page read and write

1B970000

unkown

page read and write

BB2000

unkown image

page readonly

1B960000

unkown

page read and write

125E000

unkown

page read and write

2DB0000

unkown

page read and write

1B910000

heap private

page read and write

23785530000

unkown

page readonly

2D70000

heap private

page execute and read and write

1B970000

unkown

page read and write

1B953000

heap private

page read and write

2378564E000

unkown

page read and write

115D000

unkown

page read and write

23785708000

unkown

page read and write

1B960000

unkown

page read and write

23785650000

unkown

page read and write

1B87D000

unkown

page read and write

90271FE000

unkown

page read and write

1B930000

unkown

page read and write

FF0000

unkown

page read and write

1069000

heap default

page read and write

7FF50E897000

unkown

page readonly

1B87D000

unkown

page read and write

A80000

unkown image

page readonly

1B930000

unkown

page read and write

7FF50E87A000

unkown

page readonly

12A0000

unkown

page read and write

EF0000

unkown

page read and write

23785460000

unkown

page readonly

BC5000

heap private

page read and write

1B990000

unkown

page read and write

1B930000

unkown

page read and write

115B000

unkown

page read and write

7FFA36043000

unkown

page read and write

1060000

heap default

page read and write

D18000

unkown image

page readonly

1B980000

heap private

page read and write

1B930000

unkown

page read and write

9026D7E000

unkown

page read and write

7FF50E8EE000

unkown

page readonly

1B930000

unkown

page read and write

1BFA0000

unkown

page read and write

7FFA35E80000

unkown

page read and write

1B970000

unkown

page read and write

A80000

unkown image

page readonly

2DB0000

unkown

page read and write

7FF50E87E000

unkown

page readonly

1B841000

unkown

page read and write

7FFA35F90000

unkown

page execute and read and write

142A6000

unkown

page read and write

7FF50E7CD000

unkown

page readonly

9026C7B000

unkown

page read and write

1B930000

unkown

page read and write

12E5000

heap private

page read and write

CD8000

unkown image

page readonly

2DF0000

unkown

page read and write

23786000000

unkown

page readonly

1BEA0000

unkown

page read and write

7FFA35F85000

unkown

page read and write

1B930000

unkown

page read and write

1B810000

unkown

page read and write

2DC0000

unkown

page read and write

7C0000

unkown image

page readonly

D50000

unkown image

page readonly

7FFA35E84000

unkown

page read and write

7FF50E7EC000

unkown

page readonly

7FFA36030000

unkown

page read and write

1B87D000

unkown

page read and write

7FF50E5F7000

unkown

page readonly

1B930000

unkown

page read and write

1C8A0000

unkown

page read and write

7FF50E7D3000

unkown

page readonly

2E20000

unkown

page read and write

1B824000

unkown

page read and write

1B930000

unkown

page read and write

2DC0000

unkown

page read and write

BC0000

heap private

page read and write

7FF50E964000

unkown

page readonly

23785700000

unkown

page read and write

10D7000

heap default

page read and write

7C0000

unkown image

page readonly

D50000

unkown image

page readonly

1B82F000

unkown

page read and write

2E10000

unkown

page read and write

2D80000

unkown

page read and write

13961000

unkown

page read and write

1B930000

unkown

page read and write

1C900000

unkown

page read and write

7FFA35E7D000

unkown

page execute and read and write

2D60000

unkown

page readonly

2378563C000

unkown

page read and write

1C130000

unkown

page read and write

1B930000

unkown

page read and write

1AF80000

unkown

page read and write

1C8B0000

unkown

page read and write

1145000

heap default

page read and write

1B82B000

unkown

page read and write

7FF50E972000

unkown

page readonly

7FF50E8F6000

unkown

page readonly

1C140000

unkown

page read and write

2DA0000

unkown

page read and write

D50000

unkown image

page readonly

7FF50E455000

unkown

page readonly

1C920000

unkown

page read and write

7FF50E86A000

unkown

page readonly

1C8E0000

unkown

page read and write

8E8000

unkown image

page readonly

23785613000

unkown

page read and write

1C0C0000

unkown

page read and write

1C730000

unkown

page readonly

2378564A000

unkown

page read and write

1C130000

unkown

page read and write

7FF50E55A000

unkown

page readonly

1B9C0000

unkown

page read and write

1C130000

unkown

page read and write

7FFA35F46000

unkown

page execute and read and write

2DC0000

unkown

page read and write

90272FD000

unkown

page read and write

1B930000

unkown

page read and write

7FFA36040000

unkown

page read and write

7FFA36010000

unkown

page read and write

1B817000

unkown

page read and write

7FFA35E8D000

unkown

page execute and read and write

1B9B0000

unkown

page read and write

D98000

unkown image

page readonly

1B960000

unkown

page read and write

A82000

unkown image

page readonly

1B81F000

unkown

page read and write

7FF50E8B7000

unkown

page readonly

7FF50E8E8000

unkown

page readonly

23785540000

unkown

page readonly

2DB0000

unkown

page read and write

7FF50E8DF000

unkown

page readonly

7FF50E885000

unkown

page readonly

12F5D000

unkown

page read and write

7FF50E77B000

unkown

page readonly

1BB90000

unkown

page read and write

10EA000

heap default

page read and write

C72000

unkown image

page readonly

1B857000

unkown

page read and write

23785652000

unkown

page read and write

1B960000

unkown

page read and write

2DA0000

unkown

page read and write

7FFA35E6D000

unkown

page execute and read and write

1BFB0000

unkown

page read and write

23785629000

unkown

page read and write

1B837000

unkown

page read and write

1B930000

unkown

page read and write

23785800000

unkown

page readonly

1C0B0000

unkown

page read and write

7FFA35E70000

unkown

page read and write

7FF50E86C000

unkown

page readonly

2DE0000

unkown

page read and write

23785649000

unkown

page read and write

1B920000

unkown

page read and write

1C910000

unkown

page read and write

12D0000

unkown

page readonly

1C8D0000

unkown

page read and write

237853F0000

heap private

page read and write

7FF50E8FD000

unkown

page readonly

1280000

unkown

page read and write

1C8B0000

unkown

page read and write

1B930000

unkown

page read and write

7C2000

unkown image

page readonly

1B970000

unkown

page readonly

7FFA35E63000

unkown

page execute and read and write

1B930000

unkown

page read and write

7FF50E88B000

unkown

page readonly

2378564C000

unkown

page read and write

1B970000

unkown

page read and write

7FF50E761000

unkown

page readonly

13EE000

unkown

page read and write

C70000

unkown image

page readonly

1C0D0000

unkown

page read and write

12B4000

unkown

page read and write

1B960000

unkown

page read and write

7FF50E971000

unkown

page readonly

1B970000

unkown

page read and write

23785C60000

unkown

page readonly

9026F7B000

unkown

page read and write

1B930000

unkown

page read and write

1C99E000

unkown

page read and write

D52000

unkown image

page readonly

1B970000

unkown

page read and write

1B930000

unkown

page read and write

D52000

unkown image

page readonly

A80000

unkown image

page readonly

23785713000

unkown

page read and write

1C160000

unkown

page read and write

1B930000

unkown

page read and write

2DA0000

unkown

page read and write

C70000

unkown image

page readonly

1B930000

unkown

page read and write

BF0000

unkown image

page readonly

1B960000

unkown

page read and write

1B960000

unkown

page read and write

1B930000

unkown

page read and write

1B930000

unkown

page read and write

1C140000

unkown

page read and write

1B930000

unkown

page read and write

1B920000

unkown

page read and write

1C88A000

unkown

page read and write

1C8C0000

unkown

page read and write

C70000

unkown image

page readonly

23785450000

heap default

page read and write

1B81D000

unkown

page read and write

7FFA35F16000

unkown

page read and write

1B87D000

unkown

page read and write

F20000

unkown

page readonly

7FFA35F20000

unkown

page execute and read and write

1C150000

unkown

page read and write

7FFA36050000

unkown

page execute and read and write

1C690000

unkown

page readonly

2D50000

unkown

page read and write

7FF50E8AF000

unkown

page readonly

1030000

unkown

page read and write

1B930000

unkown

page read and write

7FF50E8D4000

unkown

page readonly

1B930000

unkown

page read and write

2E00000

unkown

page read and write

1B970000

unkown

page read and write

1B829000

unkown

page read and write

1B960000

unkown

page read and write

1B930000

unkown

page read and write

1C630000

unkown

page readonly

2DB0000

unkown

page read and write

2F51000

unkown

page read and write

2C8E000

unkown

page read and write

C72000

unkown image

page readonly

1C930000

unkown

page read and write

7FF50E77E000

unkown

page readonly

1B930000

unkown

page read and write

E78000

unkown image

page readonly

7FFA35F10000

unkown

page read and write

1C8F0000

unkown

page read and write

1B960000

unkown

page read and write

7C2000

unkown image

page readonly

2DA0000

unkown

page read and write

1B970000

unkown

page read and write

7FFA36020000

unkown

page read and write

1B87D000

unkown

page read and write

23785600000

unkown

page read and write

1B970000

unkown

page read and write

7FF50E723000

unkown

page readonly

7FFA35E64000

unkown

page read and write

1B930000

unkown

page read and write

1B930000

unkown

page read and write

1050000

unkown

page readonly

90273FF000

unkown

page read and write

1C09D000

unkown

page read and write

1B930000

unkown

page read and write

9026FFF000

unkown

page read and write

9026E75000

unkown

page read and write

1B930000

unkown

page read and write

1B980000

unkown

page read and write

2DC0000

unkown

page readonly

1C940000

unkown

page read and write

12F51000

unkown

page read and write

2C90000

unkown

page readonly

1C42F000

unkown

page read and write

1C0A0000

unkown

page read and write

9026CFE000

unkown

page read and write

BF2000

unkown image

page readonly

E78000

unkown image

page readonly

BA8000

unkown image

page readonly

1B930000

unkown

page read and write

2DC0000

unkown

page read and write

2DA0000

unkown

page read and write

7FFA35F80000

unkown

page read and write

7FF50E8AC000

unkown

page readonly

1C680000

unkown

page readonly

8E8000

unkown image

page readonly

1B9D0000

unkown

page read and write

23785550000

unkown

page read and write

1B960000

unkown

page read and write

7FF50E8F9000

unkown

page readonly

12B0000

unkown

page read and write

2DA0000

unkown

page read and write

7FFA35E8B000

unkown

page execute and read and write

7FF50E446000

unkown

page readonly

1B930000

unkown

page read and write

1C750000

unkown

page read and write

23785681000

unkown

page read and write

1B960000

unkown

page read and write

1B830000

unkown

page read and write

12E0000

heap private

page read and write

CD8000

unkown image

page readonly

1C0A0000

unkown

page read and write

1C140000

unkown

page read and write

1B930000

unkown

page read and write

D98000

unkown image

page readonly

1B830000

unkown

page read and write

A82000

unkown image

page readonly

7FF44A210000

unkown

page execute and read and write

1B960000

unkown

page read and write

23785E02000

unkown

page read and write

12F58000

unkown

page read and write

1B960000

unkown

page read and write

7FF50E440000

unkown

page readonly

7FFA35EBC000

unkown

page execute and read and write

2DB0000

unkown

page read and write

1B930000

unkown

page read and write

330B000

unkown

page read and write

1C52E000

unkown

page read and write

1BA90000

unkown

page read and write

1B9A0000

unkown

page read and write

2DA0000

unkown

page read and write

1B930000

unkown

page read and write

BB0000

unkown image

page readonly

1B930000

unkown

page read and write

1B960000

unkown

page read and write

7FF50E8CA000

unkown

page readonly

BF0000

unkown image

page readonly

1B950000

heap private

page read and write

2378566D000

unkown

page read and write

1B4D0000

unkown

page readonly

1C22E000

unkown

page read and write

7FF50E7E4000

unkown

page readonly

1B930000

unkown

page read and write

106F000

heap default

page read and write

D18000

unkown image

page readonly

1B817000

unkown

page read and write

2F4E000

unkown

page read and write

7FF50E96A000

unkown

page readonly

1010000

unkown

page read and write

1B960000

unkown

page read and write

1B930000

unkown

page read and write

1C32E000

unkown

page read and write

1C62E000

unkown

page read and write

1BA8E000

unkown

page read and write

There are 369 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Memdumps