Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

XShSI2OXaC.exe

PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy:	7.775192199206559
Filename:	XShSI2OXaC.exe
Filesize:	192936
MD5:	b69c9170ffab277e1bd13fde891a5ae5
SHA1:	8928e5d360edbecd1547cf61831d4f055bed92af
SHA256:	a81489460818664146f756543f081b702bcb69244ebf8f6a240b02b2357c577c
SHA512:	0bf095bdc0bd8c0898952e83249930fd02f68415915681a11cfed7276f7949384ed8cea8ee2339dfd567ca298402768e86a6e795086629c642c11a9d932d0196
SSDEEP:	3072:PSrFD0QAGq6muqIpb5Hp15W0Om6GHAPulczSd8/Zjx5lY8pV+DdhLeWxSbTEZfSu:7QA4WaniPVSd8xflY8Ygmjd
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........18..PV..PV..PV._...PV..PW.MPV._...PV..sf..PV..VP..PV.Rich.PV.........PE..L......].................f...*.......5............@

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Tries to detect Any.run	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Contains functionality to call native functions	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation
Checks if the current process is being debugged	Anti Debugging
PE / OLE file has an invalid certificate	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Sample is known by Antivirus	System Summary	Windows Service Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Reads ini files	System Summary	File and Directory Discovery
Contains functionality to check free disk space	System Summary	System Information Discovery
Queries a list of all running drivers	Malware Analysis System Evasion
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Program exit points	Malware Analysis System Evasion	Windows Service
Writes ini files	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Creates a software uninstall entry	Compliance, System Summary	Windows Service

C:\Users\user\AppData\Local\Temp\hale4r.lnk

MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\hale4r.lnk
Category:	dropped
Dump:	hale4r.lnk.1.dr
ID:	dr_0
Target ID:	1
Process:	C:\Users\user\Desktop\XShSI2OXaC.exe
Type:	MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Entropy:	2.9117096340611166
Encrypted:	false
Ssdeep:	12:8gl0ARsXUCV/tz+7RafgKDuKiP/rNJkKAh4t2YCBTo8:8jraRMgKxiX5HALJT
Size:	856
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Temp\nszEF27.tmp\System.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

modified

Details

File:	C:\Users\user\AppData\Local\Temp\nszEF27.tmp\System.dll
Category:	modified
Dump:	System.dll.1.dr
ID:	dr_5
Target ID:	1
Process:	C:\Users\user\Desktop\XShSI2OXaC.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	5.737504888129487
Encrypted:	false
Ssdeep:	192:BenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XB9IwL:B8+Qlt70Fj/lQRY/9VjjlL
Size:	12288
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tonefilmsgengiveren\Contentness\Filialbestyrerens\Talkability\Platybrachycephalous\Plugin_Status.ini

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tonefilmsgengiveren\Contentness\Filialbestyrerens\Talkability\Platybrachycephalous\Plugin_Status.ini
Category:	dropped
Dump:	Plugin_Status.ini.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Users\user\Desktop\XShSI2OXaC.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.52328456258532
Encrypted:	false
Ssdeep:	3:Q++l3293myVfslYx5hev/LmRlfVRlVl:Q++lQWyVkixm3up
Size:	102
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Writes ini files	System Summary	File and Directory Discovery

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tonefilmsgengiveren\Contentness\Filialbestyrerens\Talkability\Platybrachycephalous\vfslog.c

C source, ASCII text

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tonefilmsgengiveren\Contentness\Filialbestyrerens\Talkability\Platybrachycephalous\vfslog.c
Category:	dropped
Dump:	vfslog.c.1.dr
ID:	dr_3
Target ID:	1
Process:	C:\Users\user\Desktop\XShSI2OXaC.exe
Type:	C source, ASCII text
Entropy:	5.11077967265171
Encrypted:	false
Ssdeep:	384:mF+fT69ihYf2GM4R07AZI5dNkWb5jaxZBqOVSSZREtMOPSXCm:mf6AZINJb5jaxDqRSZgk
Size:	22849
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tonefilmsgengiveren\Coronoid.Ano

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tonefilmsgengiveren\Coronoid.Ano
Category:	dropped
Dump:	Coronoid.Ano.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Users\user\Desktop\XShSI2OXaC.exe
Type:	data
Entropy:	6.943066252449536
Encrypted:	false
Ssdeep:	1536:kYNzSfaJrHw2kpeuoo3koyTLZbsBnqxlkTfIYsZYR0JY6nue2HSPKb4aBSBXPVso:OaRSpXo/DLZe9rlsU0JDnUAKb4USV2M
Size:	169398
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tonefilmsgengiveren\Parfaits\Produktoversigts\Newcomers\Igennen\view-more-horizontal-symbolic.symbolic.png

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tonefilmsgengiveren\Parfaits\Produktoversigts\Newcomers\Igennen\view-more-horizontal-symbolic.symbolic.png
Category:	dropped
Dump:	view-more-horizontal-symbolic.symbolic.png.1.dr
ID:	dr_4
Target ID:	1
Process:	C:\Users\user\Desktop\XShSI2OXaC.exe
Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Entropy:	5.506031499655005
Encrypted:	false
Ssdeep:	3:yionv//thPl9vt3lAnsrtxBll8xn9gR5XfixtIS2kj7QJ/lsg1p:6v/lhPys6aorIStC2up
Size:	136
Whitelisted:	true
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\XShSI2OXaC.exe

Details

Is windows:	false
Is dropped:	false
PID:	8340
Target ID:	1
Parent PID:	4548
Name:	XShSI2OXaC.exe
Path:	C:\Users\user\Desktop\XShSI2OXaC.exe
Commandline:	C:\Users\user\Desktop\XShSI2OXaC.exe
Size:	192936
MD5:	B69C9170FFAB277E1BD13FDE891A5AE5
Time:	12:50:56
Date:	03/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	430080
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE / OLE file has an invalid certificate	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

C:\Users\user\Desktop\XShSI2OXaC.exe

Details

Is windows:	true
Is dropped:	false
PID:	8684
Target ID:	5
Parent PID:	8340
Name:	CasPol.exe
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
Commandline:	C:\Users\user\Desktop\XShSI2OXaC.exe
Size:	106496
MD5:	7BAE06CBE364BB42B8C34FCFB90E3EBD
Time:	12:51:19
Date:	03/11/2022
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xbd0000
Modulesize:	122880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	8712
Target ID:	6
Parent PID:	8684
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	875008
MD5:	81CA40085FC75BABD2C91D18AA9FFA68
Time:	12:51:19
Date:	03/11/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff630850000
Modulesize:	901120
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://194.55.186.93/vUKwYAjoM37.ocx)Dp5

unknown

http://194.55.186.93/vUKwYAjoM37.ocx2S

unknown

http://crl.certum.pl/ctsca2021.crl0o

unknown

http://194.55.186.93/vUKwYAjoM37.ocx4S

unknown

http://194.55.186.93/vUKwYAjoM37.ocx9

unknown

http://repository.certum.pl/ctnca.cer09

unknown

http://194.55.186.93/vUKwYAjoM37.ocxx

unknown

http://194.55.186.93/vUKwYAjoM37.ocxw

unknown

http://crl.certum.pl/ctnca.crl0k

unknown

http://194.55.186.93/vUKwYAjoM37.ocxD

unknown

http://194.55.186.93/vUKwYAjoM37.ocxH

unknown

http://194.55.186.93/vUKwYAjoM37.ocxft

unknown

http://nsis.sf.net/NSIS_ErrorError

unknown

http://194.55.186.93/vUKwYAjoM37.ocxV

unknown

http://194.55.186.93/

unknown

http://repository.certum.pl/ctsca2021.cer0

unknown

http://subca.ocsp-certum.com05

unknown

http://194.55.186.93/vUKwYAjoM37.ocxb

unknown

http://subca.ocsp-certum.com02

unknown

http://194.55.186.93/vUKwYAjoM37.ocxa

unknown

http://subca.ocsp-certum.com01

unknown

http://194.55.186.93/vUKwYAjoM37.ocxf

unknown

http://crl.certum.pl/ctnca2.crl0l

unknown

http://repository.certum.pl/ctnca2.cer09

unknown

http://194.55.186.93/vUKwYAjoM37.ocx7DJ5

unknown

http://194.55.186.93/vUKwYAjoM37.ocxj

unknown

http://194.55.186.93/vUKwYAjoM37.ocxi

unknown

http://194.55.186.93/vUKwYAjoM37.ocxl

unknown

http://www.certum.pl/CPS0

unknown

http://194.55.186.93/vUKwYAjoM37.ocxr

unknown

http://194.55.186.93/vUKwYAjoM37.ocx1

unknown

http://194.55.186.93/vUKwYAjoM37.ocx

194.55.186.93

There are 22 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

194.55.186.93

unknown

Germany

Details

IP:	194.55.186.93
TargetID:	5
Current Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
Country:	Germany
Countrycode:	DEU
ASN number:	39855
ASN name:	MOD-EUNL
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Undeprecative

Reinfestation

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\One

Guli

HKEY_LOCAL_MACHINE\SOFTWARE\Limulus\tidliges

Arteriolith123

HKEY_CURRENT_USER\SOFTWARE\Tg\Cocinero\Kejserdoemme

Ordentlig

HKEY_LOCAL_MACHINE\SOFTWARE\jerkies

idiotiskes

HKEY_CURRENT_USER\SOFTWARE\forlagsboghandlerne\refugium

Summerendes

Memdumps

Base Address

Regiontype

Protect

Malicious

FB0000

remote allocation

page execute and read and write

3390000

direct allocation

page execute and read and write

838000

heap

page read and write

838000

heap

page read and write

225EFAA0000

heap

page read and write

838000

heap

page read and write

450000

unkown

page read and write

40A000

unkown

page read and write

225EFCC7000

heap

page read and write

838000

heap

page read and write

225EFC89000

heap

page read and write

225EFC9E000

heap

page read and write

225EFC73000

heap

page read and write

838000

heap

page read and write

BF0000

heap

page read and write

838000

heap

page read and write

225EFCE5000

heap

page read and write

838000

heap

page read and write

838000

heap

page read and write

838000

heap

page read and write

838000

heap

page read and write

838000

heap

page read and write

635000

heap

page read and write

225EFCB5000

heap

page read and write

838000

heap

page read and write

FA0000

remote allocation

page read and write

140C000

heap

page read and write

225EFCC7000

heap

page read and write

46364FE000

stack

page read and write

1D0000

unclassified section

page readonly

225EFCC7000

heap

page read and write

2400000

heap

page read and write

23C0000

trusted library allocation

page read and write

838000

heap

page read and write

46361DD000

stack

page read and write

838000

heap

page read and write

FD7000

remote allocation

page execute and read and write

838000

heap

page read and write

1C48C000

heap

page read and write

FB0000

remote allocation

page execute and read and write

838000

heap

page read and write

29C711F0000

unclassified section

page readonly

225EFCB5000

heap

page read and write

20000

unclassified section

page readonly

2A0F000

stack

page read and write

838000

heap

page read and write

225EFC5F000

heap

page read and write

838000

heap

page read and write

838000

heap

page read and write

408000

unkown

page readonly

29C7122A000

heap

page read and write

250F000

stack

page read and write

230E000

stack

page read and write

73C61000

unkown

page execute read

838000

heap

page read and write

838000

heap

page read and write

1418000

heap

page read and write

838000

heap

page read and write

401000

unkown

page execute read

838000

heap

page read and write

29C71265000

heap

page read and write

158E000

stack

page read and write

400000

unkown

page readonly

838000

heap

page read and write

838000

heap

page read and write

29C71254000

heap

page read and write

838000

heap

page read and write

838000

heap

page read and write

F9096FF000

stack

page read and write

465000

unkown

page readonly

1408000

heap

page read and write

838000

heap

page read and write

838000

heap

page read and write

2842DBF0000

heap

page read and write

225EFCC7000

heap

page read and write

838000

heap

page read and write

225F0C20000

trusted library allocation

page read and write

2510000

trusted library allocation

page read and write

13EB000

heap

page read and write

13F9000

heap

page read and write

225EFCE0000

heap

page read and write

838000

heap

page read and write

225EFDE0000

trusted library allocation

page read and write

1590000

trusted library allocation

page read and write

1D03E000

stack

page read and write

29C71200000

heap

page read and write

837000

heap

page read and write

838000

heap

page read and write

F90967C000

stack

page read and write

225EFCB5000

heap

page read and write

838000

heap

page read and write

1CBD0000

heap

page read and write

838000

heap

page read and write

400000

unkown

page readonly

838000

heap

page read and write

225EFCB5000

heap

page read and write

826000

heap

page read and write

838000

heap

page read and write

838000

heap

page read and write

401000

unkown

page execute read

838000

heap

page read and write

11E0000

heap

page read and write

1CBD1000

heap

page read and write

838000

heap

page read and write

29C7127D000

heap

page read and write

637000

heap

page read and write

827000

heap

page read and write

838000

heap

page read and write

838000

heap

page read and write

225EFCC7000

heap

page read and write

29C71286000

heap

page read and write

821000

heap

page read and write

838000

heap

page read and write

11E4000

heap

page read and write

838000

heap

page read and write

838000

heap

page read and write

1403000

heap

page read and write

838000

heap

page read and write

838000

heap

page read and write

225F0880000

trusted library allocation

page read and write

838000

heap

page read and write

2842DBF5000

heap

page read and write

225EFE25000

heap

page read and write

838000

heap

page read and write

838000

heap

page read and write

13F9000

heap

page read and write

225EFC09000

heap

page read and write

225EFC24000

heap

page read and write

838000

heap

page read and write

838000

heap

page read and write

225EFCC7000

heap

page read and write

838000

heap

page read and write

838000

heap

page read and write

29C7128F000

heap

page read and write

838000

heap

page read and write

2A13000

trusted library allocation

page read and write

29C71246000

heap

page read and write

225EFCD9000

heap

page read and write

838000

heap

page read and write

225EFCE5000

heap

page read and write

225F0C10000

trusted library allocation

page read and write

838000

heap

page read and write

838000

heap

page read and write

2260000

heap

page read and write

225EFCE5000

heap

page read and write

30000

heap

page read and write

1D050000

heap

page read and write

465000

unkown

page readonly

225EFCBA000

heap

page read and write

838000

heap

page read and write

29C71213000

heap

page read and write

225F0650000

trusted library allocation

page read and write

838000

heap

page read and write

838000

heap

page read and write

34C0000

trusted library allocation

page read and write

29C71090000

heap

page read and write

838000

heap

page read and write

225F0660000

trusted library allocation

page read and write

838000

heap

page read and write

225F0C00000

heap

page readonly

2842D9E8000

heap

page read and write

800000

heap

page read and write

838000

heap

page read and write

2D80000

trusted library allocation

page read and write

838000

heap

page read and write

225EFCB5000

heap

page read and write

13F1000

heap

page read and write

F7C000

stack

page read and write

225EFC35000

heap

page read and write

838000

heap

page read and write

838000

heap

page read and write

1D1FE000

stack

page read and write

838000

heap

page read and write

E7C000

stack

page read and write

29C71240000

heap

page read and write

1CD50000

trusted library allocation

page read and write

838000

heap

page read and write

838000

heap

page read and write

838000

heap

page read and write

427000

unkown

page read and write

808000

heap

page read and write

2A15000

trusted library allocation

page read and write

838000

heap

page read and write

836000

heap

page read and write

838000

heap

page read and write

29C71C02000

trusted library allocation

page read and write

838000

heap

page read and write

838000

heap

page read and write

25C0000

heap

page read and write

838000

heap

page read and write

838000

heap

page read and write

122E000

stack

page read and write

838000

heap

page read and write

13EB000

heap

page read and write

838000

heap

page read and write

199000

stack

page read and write

463615F000

stack

page read and write

1D34B000

stack

page read and write

29C71400000

unclassified section

page readonly

408000

unkown

page readonly

838000

heap

page read and write

838000

heap

page read and write

225EFC00000

heap

page read and write

838000

heap

page read and write

838000

heap

page read and write

2320000

heap

page read and write

462000

unkown

page read and write

40A000

unkown

page write copy

1D24D000

stack

page read and write

225F0C70000

trusted library allocation

page read and write

225EFD00000

heap

page read and write

29C7126E000

heap

page read and write

838000

heap

page read and write

139B000

heap

page read and write

132F000

stack

page read and write

1CF3E000

stack

page read and write

1C7E0000

heap

page read and write

73C64000

unkown

page readonly

5C0000

trusted library allocation

page read and write

F90977D000

stack

page read and write

225EFCE0000

heap

page read and write

838000

heap

page read and write

7EE000

heap

page read and write

225EFCB3000

heap

page read and write

838000

heap

page read and write

2842DAE0000

heap

page read and write

225EFC36000

heap

page read and write

838000

heap

page read and write

1402000

heap

page read and write

2325000

heap

page read and write

225EFCE5000

heap

page read and write

225F0BF0000

trusted library allocation

page read and write

225EFCD9000

heap

page read and write

73C66000

unkown

page readonly

838000

heap

page read and write

29C71A00000

trusted library allocation

page read and write

137E000

stack

page read and write

29C71249000

heap

page read and write

838000

heap

page read and write

7C7000

heap

page read and write

838000

heap

page read and write

7C0000

heap

page read and write

73C60000

unkown

page readonly

1390000

heap

page read and write

13D7000

heap

page read and write

225EFE30000

trusted library allocation

page read and write

42D000

unkown

page read and write

29C71410000

heap

page read and write

225EFCB5000

heap

page read and write

1C480000

heap

page read and write

225EFCD2000

heap

page read and write

838000

heap

page read and write

838000

heap

page read and write

29C710F0000

heap

page read and write

225EFCB5000

heap

page read and write

838000

heap

page read and write

1CD10000

trusted library allocation

page read and write

838000

heap

page read and write

1330000

heap

page read and write

225EFCC7000

heap

page read and write

838000

heap

page read and write

13F1000

heap

page read and write

838000

heap

page read and write

29C71302000

heap

page read and write

435000

unkown

page read and write

FD2DEBB000

stack

page read and write

FD2E47E000

stack

page read and write

25C4000

heap

page read and write

225EFCE5000

heap

page read and write

96000

stack

page read and write

1D0FD000

stack

page read and write

838000

heap

page read and write

838000

heap

page read and write

225EFCE5000

heap

page read and write

838000

heap

page read and write

838000

heap

page read and write

29C71251000

heap

page read and write

838000

heap

page read and write

225F05F0000

trusted library allocation

page read and write

225EFE20000

heap

page read and write

46360DB000

stack

page read and write

225EFCD2000

heap

page read and write

82C000

heap

page read and write

3310000

trusted library allocation

page read and write

29C71232000

heap

page read and write

2842DB50000

heap

page read and write

838000

heap

page read and write

34F9000

trusted library allocation

page read and write

13F1000

heap

page read and write

FD2E57E000

stack

page read and write

236E000

stack

page read and write

2842DA3C000

heap

page read and write

225EFD70000

heap

page read and write

29C7123C000

heap

page read and write

FD2E67A000

stack

page read and write

2842D840000

heap

page read and write

29C7127E000

heap

page read and write

630000

heap

page read and write

2842D9E0000

heap

page read and write

225EFC23000

heap

page read and write

There are 290 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
XShSI2OXaC.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportXShSI2OXaC.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
XShSI2OXaC.exe