Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.448890595749396
Filename:	file.exe
Filesize:	209408
MD5:	efbdd62a08b28e63464f97d0600eaef8
SHA1:	ee2037450f52a6095cd4365b0035072ee52bd7c2
SHA256:	3c96f5e66f70af3b7340f1d26163a6f299f6e48e53915f3e5a2d0d8402c15b15
SHA512:	31c0a4e522865bc0aa653acf25c83c82a997c1dfe04e1d9b0398857b4b26d4c83f5790773663dd4980f8bd807e88273d3cd23258d1fb1cb60ba51ff3a7514c77
SSDEEP:	3072:VDiatiyRJG2AUp508sUPHK5dsLIZ7WDvACjOm35PiYj+ZH1CagcZPakhYG/1qOl+:Y2i0G2P6SACD35PTjoCago9713+
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q.'.5.I.5.I.5.I.....4.I.+...$.I.+...].I..]2.2.I.5.H...I.+.....I.+...4.I.+...4.I.Rich5.I.................PE..L...Z_\a...........

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Security Software Discovery
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Machine Learning detection for sample	AV Detection
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion
Uses 32bit PE files	Compliance, System Summary	Masquerading
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information Security Software Discovery
Detected potential crypto function	System Summary	System Time Discovery Process Discovery Archive Collected Data Encrypted Channel
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
Contains functionality to record screenshots	Key, Mouse, Clipboard, Microphone and Screen Capturing	Screen Capture
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
PE file contains executable resources (Code or Archives)	System Summary
Creates a DirectInput object (often for capturing keystrokes)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Contains functionality to read the PEB	Anti Debugging	Security Software Discovery
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Found large amount of non-executed APIs	Malware Analysis System Evasion	System Time Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary	Security Software Discovery
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Uses an in-process (OLE) Automation server	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection
Creates temporary files	System Summary	Security Software Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Reads ini files	System Summary	File and Directory Discovery
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery Security Software Discovery System Owner/User Discovery
Contains functionality to modify the execution of threads in other processes		Exploitation for Privilege Escalation Security Software Discovery
PE file contains a debug data directory	System Summary
Uses new MSVCR Dlls	Compliance, System Summary	Exploitation for Privilege Escalation

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll
Category:	dropped
Dump:	cred64[1].dll.5.dr
ID:	dr_3
Target ID:	5
Process:	C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.5119837978161605
Encrypted:	false
Ssdeep:	3072:ox7pOYzBektmWDWCMq6As523HeS9FAiZ87vO2rlL3Rne9:ox7ZNht/dMq6AO0a7vVlT
Size:	129024
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected Amadeys stealer DLL	Stealing of Sensitive Information
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe
Category:	dropped
Dump:	rovwer.exe.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.448890595749396
Encrypted:	false
Ssdeep:	3072:VDiatiyRJG2AUp508sUPHK5dsLIZ7WDvACjOm35PiYj+ZH1CagcZPakhYG/1qOl+:Y2i0G2P6SACD35PTjoCago9713+
Size:	209408
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates an undocumented autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Machine Learning detection for dropped file	AV Detection
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Abnormal high CPU Usage	System Summary
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found large amount of non-executed APIs	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe:Zone.Identifier

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe:Zone.Identifier
Category:	modified
Dump:	rovwer.exe_Zone.Identifier.2.dr
ID:	dr_0
Target ID:	2
Process:	C:\Users\user\Desktop\file.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates an undocumented autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Machine Learning detection for dropped file	AV Detection
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Abnormal high CPU Usage	System Summary
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found large amount of non-executed APIs	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll
Category:	dropped
Dump:	cred64.dll.5.dr
ID:	dr_4
Target ID:	5
Process:	C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.5119837978161605
Encrypted:	false
Ssdeep:	3072:ox7pOYzBektmWDWCMq6As523HeS9FAiZ87vO2rlL3Rne9:ox7ZNht/dMq6AO0a7vVlT
Size:	129024
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected Amadeys stealer DLL	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\853321935212

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\853321935212
Category:	dropped
Dump:	853321935212.5.dr
ID:	dr_2
Target ID:	5
Process:	C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe
Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Entropy:	7.897756904424589
Encrypted:	false
Ssdeep:	1536:C14NsHjQAGVnUHzSstBBJ7NTz0E0dv1sgjGrGAEKHq+B8yvPvcq1sO6jEroWovg7:JNsHO10G4BBP/Ol1s51HqTykad2gd5
Size:	83613
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

Details

Is windows:	false
Is dropped:	false
PID:	5520
Target ID:	2
Parent PID:	3324
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	C:\Users\user\Desktop\file.exe
Size:	209408
MD5:	EFBDD62A08B28E63464F97D0600EAEF8
Time:	00:08:56
Date:	30/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	430080
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary

C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe

"C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe"

Details

Is windows:	false
Is dropped:	true
PID:	4360
Target ID:	5
Parent PID:	5520
Name:	rovwer.exe
Path:	C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe"
Size:	209408
MD5:	EFBDD62A08B28E63464F97D0600EAEF8
Time:	00:09:00
Date:	30/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	430080
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe" /F

Details

Is windows:	true
Is dropped:	false
PID:	5492
Target ID:	6
Parent PID:	4360
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\schtasks.exe
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe" /F
Size:	185856
MD5:	15FF7D8324231381BAD48A052F85DF04
Time:	00:09:02
Date:	30/11/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xe30000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe

Details

Is windows:	false
Is dropped:	true
PID:	1248
Target ID:	8
Parent PID:	1084
Name:	rovwer.exe
Path:	C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe
Commandline:	C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe
Size:	209408
MD5:	EFBDD62A08B28E63464F97D0600EAEF8
Time:	00:09:04
Date:	30/11/2022
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6ffff0000
Modulesize:	65536
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll, Main

Details

Is windows:	true
Is dropped:	false
PID:	3972
Target ID:	9
Parent PID:	4360
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll, Main
Size:	61952
MD5:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Time:	00:09:04
Date:	30/11/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xe60000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5456
Target ID:	7
Parent PID:	5492
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	625664
MD5:	EA777DEEA782E8B4D7C7C33BBF8A4496
Time:	00:09:03
Date:	30/11/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7fcd70000
Modulesize:	651264
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

193.56.146.194/h49vlBP/index.php

Details

Name:	193.56.146.194/h49vlBP/index.php
TargetID:	0
From Memory:	false
Source:	config extactor
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Found malware configuration	AV Detection

IPs

Domain

Country

Malicious

193.56.146.194

unknown

Details

IP:	193.56.146.194
TargetID:	5
Current Path:	C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe
ASN number:	10753
ASN name:	LVLT-10753US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Found malware configuration	AV Detection

192.168.2.5

unknown

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Startup

Memdumps

Base Address

Regiontype

Protect

Malicious

674000

heap

page read and write

674000

heap

page read and write

3F55000

trusted library allocation

page read and write

465000

unkown

page readonly

213F7C3C000

heap

page read and write

2E60000

heap

page read and write

45E1000

heap

page read and write

BE0000

heap

page read and write

45E1000

heap

page read and write

229F47A0000

heap

page read and write

45E1000

heap

page read and write

45E1000

heap

page read and write

3943000

trusted library allocation

page read and write

1B0000

remote allocation

page read and write

A8430FF000

stack

page read and write

4EA000

stack

page read and write

1B0000

remote allocation

page read and write

1FFEDC90000

trusted library allocation

page read and write

E3801FE000

stack

page read and write

45E1000

heap

page read and write

2D8C000

stack

page read and write

45E1000

heap

page read and write

3F5D000

trusted library allocation

page read and write

45E1000

heap

page read and write

A842D7A000

stack

page read and write

45E1000

heap

page read and write

229F4B02000

heap

page read and write

A3A000

heap

page read and write

3640000

heap

page read and write

43E000

unkown

page execute and read and write

465000

unkown

page readonly

3F50000

trusted library allocation

page read and write

5CE000

stack

page read and write

AEAE07D000

stack

page read and write

3E51000

trusted library allocation

page read and write

213F8813000

heap

page read and write

229F4940000

remote allocation

page read and write

213F7C2A000

heap

page read and write

8B4000

heap

page read and write

213F8712000

heap

page read and write

3F5D000

trusted library allocation

page read and write

8B4000

heap

page read and write

213F7C91000

heap

page read and write

213F7C8B000

heap

page read and write

401000

unkown

page execute read

2E10000

heap

page read and write

2EDA000

heap

page read and write

45E1000

heap

page read and write

2B0F000

stack

page read and write

2C8E000

stack

page read and write

2FE0000

heap

page read and write

45E1000

heap

page read and write

45E1000

heap

page read and write

3E51000

trusted library allocation

page read and write

45E1000

heap

page read and write

57E000

stack

page read and write

213F7C70000

heap

page read and write

45E1000

heap

page read and write

45E1000

heap

page read and write

2220000

heap

page read and write

45E1000

heap

page read and write

213F7C88000

heap

page read and write

440000

heap

page read and write

9CF000

stack

page read and write

1FFED426000

heap

page read and write

3E51000

trusted library allocation

page read and write

45E1000

heap

page read and write

2260000

heap

page read and write

45E1000

heap

page read and write

9E0000

heap

page read and write

3E51000

trusted library allocation

page read and write

45E1000

heap

page read and write

3F51000

trusted library allocation

page read and write

213F876B000

heap

page read and write

213F7D13000

heap

page read and write

2EB0000

heap

page read and write

3F59000

trusted library allocation

page read and write

649000

heap

page read and write

C17000

heap

page read and write

45E1000

heap

page read and write

1FFED454000

heap

page read and write

2E1A000

heap

page read and write

697000

heap

page read and write

2B4E000

stack

page read and write

7F0000

heap

page read and write

213F7C77000

heap

page read and write

412000

unkown

page write copy

2C4F000

stack

page read and write

229F4940000

remote allocation

page read and write

3F5F000

trusted library allocation

page read and write

400000

unkown

page execute and read and write

1FFED440000

heap

page read and write

66D000

heap

page read and write

401000

unkown

page execute read

8AE000

stack

page read and write

213F8754000

heap

page read and write

AEAE1FD000

stack

page read and write

410000

unkown

page execute read

770000

heap

page read and write

E3800FC000

stack

page read and write

3E51000

trusted library allocation

page read and write

412000

unkown

page write copy

3E51000

trusted library allocation

page read and write

45E1000

heap

page read and write

400000

unkown

page readonly

3E51000

trusted library allocation

page read and write

5D0000

heap

page read and write

AEADDFC000

stack

page read and write

3E51000

trusted library allocation

page read and write

30000

heap

page read and write

45E1000

heap

page read and write

A842FF9000

stack

page read and write

AEADE7C000

stack

page read and write

463000

unkown

page read and write

45E1000

heap

page read and write

278E000

stack

page read and write

1FFED402000

heap

page read and write

2E1A000

heap

page read and write

A84337E000

stack

page read and write

45E1000

heap

page read and write

670000

heap

page read and write

2A0E000

stack

page read and write

213F8800000

heap

page read and write

83F000

stack

page read and write

69E000

heap

page execute and read and write

3F53000

trusted library allocation

page read and write

3E51000

trusted library allocation

page read and write

197000

stack

page read and write

7BB000

heap

page read and write

2EE1000

trusted library allocation

page read and write

45E1000

heap

page read and write

401000

unkown

page execute read

45E1000

heap

page read and write

620000

direct allocation

page read and write

45E1000

heap

page read and write

221E000

stack

page read and write

680000

heap

page read and write

400000

unkown

page readonly

5BE000

stack

page read and write

A842E7E000

stack

page read and write

213F8802000

heap

page read and write

80A000

heap

page read and write

3E51000

trusted library allocation

page read and write

213F7C55000

heap

page read and write

410000

unkown

page execute read

3E51000

trusted library allocation

page read and write

352A000

heap

page read and write

465000

unkown

page readonly

45E1000

heap

page read and write

400000

unkown

page readonly

A8431FA000

stack

page read and write

213F7DB9000

heap

page read and write

9C000

stack

page read and write

213F8722000

heap

page read and write

45E1000

heap

page read and write

E3FFC7B000

stack

page read and write

3F59000

trusted library allocation

page read and write

229F4A13000

heap

page read and write

45E1000

heap

page read and write

369A000

heap

page read and write

213F878C000

heap

page read and write

213F87BB000

heap

page read and write

323A000

heap

page read and write

213F7C69000

heap

page read and write

45E1000

heap

page read and write

580000

heap

page read and write

45E1000

heap

page read and write

213F7B40000

heap

page read and write

213F87AD000

heap

page read and write

1FFED3F0000

heap

page read and write

35EA000

heap

page read and write

1FFED449000

heap

page read and write

683000

heap

page read and write

6E0000

direct allocation

page execute and read and write

3F57000

trusted library allocation

page read and write

410000

unkown

page execute read

91F000

stack

page read and write

213F8743000

heap

page read and write

3E51000

trusted library allocation

page read and write

A00000

trusted library allocation

page read and write

45E1000

heap

page read and write

3E51000

trusted library allocation

page read and write

45E1000

heap

page read and write

1F0000

trusted library allocation

page read and write

690000

heap

page read and write

8B0000

heap

page read and write

AEAE0FF000

stack

page read and write

2330000

heap

page read and write

45E1000

heap

page read and write

35E0000

heap

page read and write

213F7B30000

heap

page read and write

229F4A00000

heap

page read and write

763000

heap

page read and write

45E1000

heap

page read and write

45E1000

heap

page read and write

465000

unkown

page readonly

3E51000

trusted library allocation

page read and write

368A000

heap

page read and write

213F7C43000

heap

page read and write

229F4A40000

heap

page read and write

45E1000

heap

page read and write

2D80000

heap

page read and write

465000

unkown

page readonly

20C0000

direct allocation

page read and write

A53000

heap

page read and write

3230000

heap

page read and write

213F8700000

heap

page read and write

45E1000

heap

page read and write

1FFED3A0000

heap

page read and write

400000

unkown

page readonly

4420000

direct allocation

page read and write

45E1000

heap

page read and write

AEAD90B000

stack

page read and write

3F5B000

trusted library allocation

page read and write

465000

unkown

page readonly

A54000

heap

page read and write

2EBA000

heap

page read and write

410000

unkown

page execute read

213F8722000

heap

page read and write

C10000

heap

page read and write

45E1000

heap

page read and write

364A000

heap

page read and write

3E51000

trusted library allocation

page read and write

3E51000

trusted library allocation

page read and write

213F7C00000

heap

page read and write

3948000

trusted library allocation

page read and write

465000

unkown

page readonly

3947000

trusted library allocation

page read and write

43E000

unkown

page execute and read and write

626000

heap

page read and write

45E1000

heap

page read and write

213F7C91000

heap

page read and write

2110000

direct allocation

page read and write

88F000

stack

page read and write

45E1000

heap

page read and write

3F58000

trusted library allocation

page read and write

5E0000

direct allocation

page execute and read and write

213F8827000

heap

page read and write

45E1000

heap

page read and write

3F5C000

trusted library allocation

page read and write

3F56000

trusted library allocation

page read and write

45E1000

heap

page read and write

410000

unkown

page execute read

45E1000

heap

page read and write

3690000

heap

page read and write

1B0000

remote allocation

page read and write

1F0000

trusted library allocation

page read and write

9D000

stack

page read and write

A84290B000

stack

page read and write

45E1000

heap

page read and write

720000

heap

page read and write

45E1000

heap

page read and write

45E1000

heap

page read and write

3E51000

trusted library allocation

page read and write

87A000

heap

page read and write

45E1000

heap

page read and write

E3802FF000

stack

page read and write

213F8470000

trusted library allocation

page read and write

45E1000

heap

page read and write

2FEA000

heap

page read and write

401000

unkown

page execute read

45E1000

heap

page read and write

3680000

heap

page read and write

213F7C43000

heap

page read and write

45E1000

heap

page read and write

412000

unkown

page write copy

213F7D8E000

heap

page read and write

45E1000

heap

page read and write

45E1000

heap

page read and write

4AC000

stack

page read and write

8F0000

heap

page read and write

3F5A000

trusted library allocation

page read and write

401000

unkown

page execute read

6CE000

stack

page read and write

45E1000

heap

page read and write

2120000

heap

page read and write

213F8823000

heap

page read and write

400000

unkown

page readonly

45E1000

heap

page read and write

2220000

heap

page read and write

45E1000

heap

page read and write

3520000

heap

page read and write

1FFED400000

heap

page read and write

2D8A000

heap

page read and write

45E1000

heap

page read and write

45E0000

heap

page read and write

229F4810000

heap

page read and write

288F000

stack

page read and write

A84347E000

stack

page read and write

412000

unkown

page write copy

29CF000

stack

page read and write

AEAE27F000

stack

page read and write

30000

heap

page read and write

739000

heap

page execute and read and write

1FFED413000

heap

page read and write

1FFED390000

heap

page read and write

45E1000

heap

page read and write

2130000

heap

page read and write

229F4A02000

heap

page read and write

45E1000

heap

page read and write

45E1000

heap

page read and write

45E1000

heap

page read and write

A30000

heap

page read and write

400000

unkown

page readonly

1FFED429000

heap

page read and write

2E6A000

heap

page read and write

3E51000

trusted library allocation

page read and write

45E1000

heap

page read and write

870000

heap

page read and write

213F7C13000

heap

page read and write

45E1000

heap

page read and write

28CE000

stack

page read and write

A8432FE000

stack

page read and write

412000

unkown

page write copy

213F7C59000

heap

page read and write

7FA000

heap

page read and write

2EB0000

heap

page read and write

213F7BA0000

heap

page read and write

213F8602000

heap

page read and write

45E1000

heap

page read and write

229F4A58000

heap

page read and write

229F5202000

trusted library allocation

page read and write

2ED0000

heap

page read and write

367A000

heap

page read and write

8FA000

heap

page read and write

45E1000

heap

page read and write

758000

heap

page read and write

2EBA000

heap

page read and write

3F54000

trusted library allocation

page read and write

229F4910000

trusted library allocation

page read and write

2E10000

heap

page read and write

45E1000

heap

page read and write

800000

heap

page read and write

45E1000

heap

page read and write

1FFEDE02000

trusted library allocation

page read and write

1FFED43C000

heap

page read and write

213F7DE5000

heap

page read and write

45E1000

heap

page read and write

E3FFF7A000

stack

page read and write

45E1000

heap

page read and write

68F000

stack

page read and write

229F4A29000

heap

page read and write

213F8830000

heap

page read and write

45E1000

heap

page read and write

229F4940000

remote allocation

page read and write

45E1000

heap

page read and write

213F7C75000

heap

page read and write

3F53000

trusted library allocation

page read and write

45E1000

heap

page read and write

274F000

stack

page read and write

3670000

heap

page read and write

1FFED502000

heap

page read and write

45E1000

heap

page read and write

213F8702000

heap

page read and write

6BD000

heap

page read and write

229F47B0000

heap

page read and write

3E51000

trusted library allocation

page read and write

45E1000

heap

page read and write

45E1000

heap

page read and write

45E1000

heap

page read and write

410000

unkown

page execute read

98F000

stack

page read and write

629000

heap

page read and write

45E1000

heap

page read and write

401000

unkown

page execute read

1FFED445000

heap

page read and write

465000

unkown

page readonly

400000

unkown

page execute and read and write

57E000

stack

page read and write

19B000

stack

page read and write

72A000

heap

page read and write

463000

unkown

page read and write

213F7C2C000

heap

page read and write

45E1000

heap

page read and write

1FFED430000

heap

page read and write

45E1000

heap

page read and write

A842F7B000

stack

page read and write

45E1000

heap

page read and write

550000

trusted library allocation

page read and write

3E51000

trusted library allocation

page read and write

213F7BD0000

trusted library allocation

page read and write

45E1000

heap

page read and write

412000

unkown

page write copy

45E1000

heap

page read and write

45E1000

heap

page read and write

There are 375 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
file.exe