Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.164008559136768
Filename:	file.exe
Filesize:	431104
MD5:	2365cd5930c2845769177b920d4b8ad6
SHA1:	1246c7f15b215bf1ecc70294434ccd19a1778daf
SHA256:	77bfc0f4bf45082fc3c52c3c10d4394d925c116fda4b3eda7f09151a57ad4010
SHA512:	d0ce6db1b428862bdad3be0c7cafc0987a0b39e7a62ffa14222ba635ecb1c3830d53e6413615637a640599fe5a453898a1b42edc872d06f49184b0a6f3265669
SSDEEP:	6144:a9pGLNufx0o4GxBVragEIMG4rBBjG76EJXvHXhh6K9W9YGhFded89kTt:aWJufiJGxRlMG56KJIK9W9Vhmac
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.m....C...C...C...C(..C...C...C...C...C$%xC...C...C}..C...C...C...C...C...C...CRich...C........PE..L...\q.b.................n.

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Security Software Discovery
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Machine Learning detection for sample	AV Detection
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion
Uses 32bit PE files	Compliance, System Summary	Masquerading
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information Security Software Discovery
PE file contains sections with non-standard names	Data Obfuscation
Detected potential crypto function	System Summary	System Time Discovery Process Discovery Archive Collected Data Encrypted Channel
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
Contains functionality to record screenshots	Key, Mouse, Clipboard, Microphone and Screen Capturing	Screen Capture
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a DirectInput object (often for capturing keystrokes)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Contains functionality to read the PEB	Anti Debugging	Security Software Discovery
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Found large amount of non-executed APIs	Malware Analysis System Evasion	System Time Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Sample reads its own file content	System Summary	Security Software Discovery
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Uses an in-process (OLE) Automation server	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection
Creates temporary files	System Summary	Security Software Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Reads ini files	System Summary	File and Directory Discovery
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery Security Software Discovery System Owner/User Discovery
Contains functionality to modify the execution of threads in other processes		Exploitation for Privilege Escalation Security Software Discovery
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Uses new MSVCR Dlls	Compliance, System Summary	Exploitation for Privilege Escalation

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll
Category:	dropped
Dump:	cred64[1].dll.1.dr
ID:	dr_3
Target ID:	1
Process:	C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.511981065302762
Encrypted:	false
Ssdeep:	3072:Yx7pOYzBek53tiINwyP7XSSJds3zhrjPcnqULv4i9:Yx7ZNh53vwyOztPc3L
Size:	129024
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected Amadeys stealer DLL	Stealing of Sensitive Information
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
Category:	dropped
Dump:	gntuud.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.164008559136768
Encrypted:	false
Ssdeep:	6144:a9pGLNufx0o4GxBVragEIMG4rBBjG76EJXvHXhh6K9W9YGhFded89kTt:aWJufiJGxRlMG56KJIK9W9Vhmac
Size:	431104
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates an undocumented autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Machine Learning detection for dropped file	AV Detection
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Abnormal high CPU Usage	System Summary
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found large amount of non-executed APIs	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe:Zone.Identifier

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe:Zone.Identifier
Category:	modified
Dump:	gntuud.exe_Zone.Identifier.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates an undocumented autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Machine Learning detection for dropped file	AV Detection
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Abnormal high CPU Usage	System Summary
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found large amount of non-executed APIs	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll
Category:	dropped
Dump:	cred64.dll.1.dr
ID:	dr_4
Target ID:	1
Process:	C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.511981065302762
Encrypted:	false
Ssdeep:	3072:Yx7pOYzBek53tiINwyP7XSSJds3zhrjPcnqULv4i9:Yx7ZNh53vwyOztPc3L
Size:	129024
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected Amadeys stealer DLL	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\853321935212

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\853321935212
Category:	dropped
Dump:	853321935212.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Entropy:	7.931081347539571
Encrypted:	false
Ssdeep:	3072:AaS3c0TNQHdOKX1TNrpF4RNpMwAwip0R+x0jZo88oH:FS3T+IKX1TFeNpMwAppu+x0jSIH
Size:	106998
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery

\Device\ConDrv

ASCII text, with no line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.12.dr
ID:	dr_8
Target ID:	12
Process:	C:\Windows\SysWOW64\cacls.exe
Type:	ASCII text, with no line terminators
Entropy:	3.240223928941852
Encrypted:	false
Ssdeep:	3:o3F:o1
Size:	15
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe

"C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe" /F

C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\85f469ce401df1\cred64.dll, Main

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\9c69749b54" /P "user:N"&&CACLS "..\9c69749b54" /P "user:R" /E&&Exit

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "gntuud.exe" /P "user:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "gntuud.exe" /P "user:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\9c69749b54" /P "user:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\9c69749b54" /P "user:R" /E

There are 4 hidden processes, click here to show them.

URLs

Name

Malicious

31.41.244.237/jg94cVd30f/index.php

Details

Name:	31.41.244.237/jg94cVd30f/index.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\file.exe
Source:	config extactor
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Found malware configuration	AV Detection
URLs found in memory or binary data	Networking

http://31.41.244.237/jg94cVd30f/index.phpM

unknown

Details

Name:	http://31.41.244.237/jg94cVd30f/index.phpM
TargetID:	1
From Memory:	true
Current Path:	C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
Source:	gntuud.exe, 00000001.00000003.359344808.00000000006A6000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

31.41.244.237

unknown

Russian Federation

Details

IP:	31.41.244.237
TargetID:	1
Current Path:	C:\Users\user\AppData\Local\Temp\9c69749b54\gntuud.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	61974
ASN name:	AEROEXPRESS-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Found malware configuration	AV Detection
URLs found in memory or binary data	Networking

192.168.2.4

unknown

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Startup

Memdumps

Base Address

Regiontype

Protect

Malicious

5F0000

direct allocation

page execute and read and write

650000

direct allocation

page read and write

950000

direct allocation

page execute and read and write

400000

unkown

page execute and read and write

400000

unkown

page execute and read and write

2120000

direct allocation

page read and write

990000

direct allocation

page read and write

610000

heap

page read and write

2983000

heap

page read and write

287F000

stack

page read and write

33C0000

heap

page read and write

4361000

heap

page read and write

850000

heap

page read and write

4361000

heap

page read and write

4361000

heap

page read and write

4361000

heap

page read and write

38C0000

heap

page read and write

34D6000

heap

page read and write

18571E20000

heap

page read and write

277E000

stack

page read and write

19B000

stack

page read and write

3397000

heap

page read and write

37EA000

heap

page read and write

3F11000

trusted library allocation

page read and write

3F11000

trusted library allocation

page read and write

3000000

trusted library allocation

page read and write

2E90000

heap

page read and write

2B3E000

stack

page read and write

4361000

heap

page read and write

34CF000

stack

page read and write

34D0000

heap

page read and write

4361000

heap

page read and write

42E000

unkown

page write copy

4361000

heap

page read and write

4037000

trusted library allocation

page read and write

18571F40000

heap

page read and write

4361000

heap

page read and write

335A000

heap

page read and write

4361000

heap

page read and write

401000

unkown

page execute read

27B4000

heap

page read and write

3F11000

trusted library allocation

page read and write

4361000

heap

page read and write

401000

unkown

page execute read

32F0000

heap

page read and write

28FE000

stack

page read and write

38A0000

heap

page read and write

4361000

heap

page read and write

4361000

heap

page read and write

36A6000

heap

page read and write

403C000

trusted library allocation

page read and write

87A000

heap

page read and write

442000

unkown

page write copy

18571E65000

heap

page read and write

4361000

heap

page read and write

22FC000

stack

page read and write

400000

unkown

page readonly

B10000

heap

page read and write

91207A000

stack

page read and write

30000

heap

page read and write

4361000

heap

page read and write

3F11000

trusted library allocation

page read and write

640000

heap

page read and write

30000

heap

page read and write

273F000

stack

page read and write

27B0000

heap

page read and write

4361000

heap

page read and write

4361000

heap

page read and write

6A6000

heap

page read and write

3F11000

trusted library allocation

page read and write

665000

heap

page read and write

418000

unkown

page write copy

400000

unkown

page readonly

9D000

stack

page read and write

4361000

heap

page read and write

18571CE0000

heap

page read and write

2EBA000

heap

page read and write

44C000

unkown

page read and write

2FAE000

stack

page read and write

757000

heap

page read and write

3F11000

trusted library allocation

page read and write

4AE000

stack

page read and write

4361000

heap

page read and write

80F000

stack

page read and write

4361000

heap

page read and write

2994000

heap

page read and write

27C0000

direct allocation

page read and write

401000

unkown

page execute read

4361000

heap

page read and write

33C6000

heap

page read and write

339E000

stack

page read and write

452000

unkown

page readonly

4037000

trusted library allocation

page read and write

2290000

heap

page read and write

28BE000

stack

page read and write

418000

unkown

page write copy

759000

heap

page read and write

4361000

heap

page read and write

9CF000

stack

page read and write

85A000

heap

page read and write

401000

unkown

page execute read

2D7D000

stack

page read and write

6D8000

heap

page read and write

307C000

stack

page read and write

9120F9000

stack

page read and write

2B80000

heap

page read and write

780000

heap

page read and write

27B4000

heap

page read and write

4361000

heap

page read and write

3350000

heap

page read and write

2AFF000

stack

page read and write

4361000

heap

page read and write

31D0000

heap

page read and write

2E3C000

stack

page read and write

580000

heap

page read and write

400000

unkown

page readonly

8CF000

stack

page read and write

4361000

heap

page read and write

233B000

stack

page read and write

403E000

trusted library allocation

page read and write

500000

heap

page read and write

18571E6D000

heap

page read and write

2FBC000

stack

page read and write

18571E28000

heap

page read and write

4361000

heap

page read and write

4361000

heap

page read and write

18571F20000

heap

page read and write

3F11000

trusted library allocation

page read and write

83A000

heap

page read and write

4034000

trusted library allocation

page read and write

3F11000

trusted library allocation

page read and write

2EC0000

heap

page read and write

4361000

heap

page read and write

4361000

heap

page read and write

401000

unkown

page execute read

4361000

heap

page read and write

18572090000

heap

page read and write

4361000

heap

page read and write

4361000

heap

page read and write

4361000

heap

page read and write

4361000

heap

page read and write

2960000

heap

page read and write

2E7A000

heap

page read and write

18572DF0000

trusted library allocation

page read and write

403F000

trusted library allocation

page read and write

2560000

heap

page read and write

4EE000

stack

page read and write

78A000

heap

page read and write

6E3000

heap

page execute and read and write

31BF000

stack

page read and write

2FF0000

trusted library allocation

page read and write

4361000

heap

page read and write

B00000

heap

page read and write

42E000

unkown

page write copy

403A000

trusted library allocation

page read and write

4361000

heap

page read and write

3290000

heap

page read and write

4361000

heap

page read and write

4AE000

stack

page read and write

2927000

heap

page read and write

401000

unkown

page execute read

18572070000

heap

page readonly

1F0000

trusted library allocation

page read and write

2EC0000

heap

page read and write

2F90000

heap

page read and write

4361000

heap

page read and write

44C000

unkown

page read and write

9121F9000

stack

page read and write

452000

unkown

page readonly

354F000

stack

page read and write

570000

heap

page read and write

91217E000

stack

page read and write

2DC0000

heap

page read and write

4361000

heap

page read and write

318E000

stack

page read and write

442000

unkown

page write copy

452000

unkown

page readonly

36A0000

heap

page read and write

76A000

heap

page read and write

4035000

trusted library allocation

page read and write

4361000

heap

page read and write

452000

unkown

page readonly

42E000

unkown

page write copy

4361000

heap

page read and write

43E000

unkown

page execute and read and write

3270000

trusted library allocation

page read and write

270E000

stack

page read and write

18571E6D000

heap

page read and write

29BF000

stack

page read and write

303D000

stack

page read and write

32FA000

heap

page read and write

4361000

heap

page read and write

2ECA000

heap

page read and write

18571FB0000

trusted library allocation

page read and write

4361000

heap

page read and write

33DF000

stack

page read and write

6D0000

heap

page read and write

4361000

heap

page read and write

4361000

heap

page read and write

4361000

heap

page read and write

38CA000

heap

page read and write

325E000

stack

page read and write

71F000

heap

page read and write

57A000

heap

page read and write

3260000

trusted library allocation

page read and write

3040000

heap

page read and write

4361000

heap

page read and write

830000

heap

page read and write

27A0000

trusted library allocation

page read and write

617000

heap

page read and write

18572020000

trusted library allocation

page read and write

3F11000

trusted library allocation

page read and write

18572B90000

trusted library allocation

page read and write

37E0000

heap

page read and write

4361000

heap

page read and write

4361000

heap

page read and write

3150000

heap

page read and write

3390000

heap

page read and write

4361000

heap

page read and write

4361000

heap

page read and write

4361000

heap

page read and write

2F10000

heap

page read and write

418000

unkown

page write copy

760000

heap

page read and write

4361000

heap

page read and write

702000

heap

page read and write

2D8D000

stack

page read and write

4361000

heap

page read and write

4361000

heap

page read and write

350E000

stack

page read and write

4361000

heap

page read and write

3F11000

trusted library allocation

page read and write

2BED000

stack

page read and write

38AA000

heap

page read and write

2DCB000

stack

page read and write

3F11000

trusted library allocation

page read and write

32A6000

heap

page read and write

4361000

heap

page read and write

38BA000

heap

page read and write

3250000

trusted library allocation

page read and write

452000

unkown

page readonly

4361000

heap

page read and write

1F0000

trusted library allocation

page read and write

1B0000

remote allocation

page read and write

3A08000

trusted library allocation

page read and write

418000

unkown

page write copy

3F11000

trusted library allocation

page read and write

3040000

trusted library allocation

page read and write

400000

unkown

page readonly

870000

heap

page read and write

4361000

heap

page read and write

2F9A000

heap

page read and write

423F000

stack

page read and write

1B0000

remote allocation

page read and write

310E000

stack

page read and write

2D20000

heap

page read and write

4361000

heap

page read and write

2C3F000

stack

page read and write

4036000

trusted library allocation

page read and write

61B000

heap

page execute and read and write

6C4000

heap

page read and write

3030000

trusted library allocation

page read and write

4361000

heap

page read and write

452000

unkown

page readonly

400000

unkown

page readonly

3F11000

trusted library allocation

page read and write

4038000

trusted library allocation

page read and write

1B0000

remote allocation

page read and write

9F0000

heap

page read and write

90F000

stack

page read and write

3057000

heap

page read and write

4361000

heap

page read and write

4036000

trusted library allocation

page read and write

23A0000

trusted library allocation

page read and write

3A0D000

trusted library allocation

page read and write

42E000

unkown

page write copy

4361000

heap

page read and write

4290000

heap

page read and write

400000

unkown

page readonly

18572099000

heap

page read and write

4361000

heap

page read and write

32A0000

heap

page read and write

4361000

heap

page read and write

4361000

heap

page read and write

4361000

heap

page read and write

3F11000

trusted library allocation

page read and write

296A000

heap

page read and write

650000

heap

page read and write

403F000

trusted library allocation

page read and write

3260000

trusted library allocation

page read and write

2F7D000

stack

page read and write

4361000

heap

page read and write

4361000

heap

page read and write

661000

heap

page read and write

94E000

stack

page read and write

38B0000

heap

page read and write

2E70000

heap

page read and write

185720A0000

trusted library allocation

page read and write

31CF000

stack

page read and write

4361000

heap

page read and write

3047000

heap

page read and write

4EE000

stack

page read and write

63A000

heap

page read and write

38BA000

heap

page read and write

314F000

stack

page read and write

332F000

stack

page read and write

2EB0000

heap

page read and write

75B000

heap

page read and write

274F000

stack

page read and write

4361000

heap

page read and write

4032000

trusted library allocation

page read and write

2FEF000

stack

page read and write

2900000

heap

page read and write

4361000

heap

page read and write

4361000

heap

page read and write

18572080000

trusted library allocation

page read and write

9C000

stack

page read and write

38B0000

heap

page read and write

4361000

heap

page read and write

4360000

heap

page read and write

18572095000

heap

page read and write

4361000

heap

page read and write

452000

unkown

page readonly

74C000

heap

page read and write

4036000

trusted library allocation

page read and write

403F000

trusted library allocation

page read and write

4361000

heap

page read and write

911CBB000

stack

page read and write

198000

stack

page read and write

4361000

heap

page read and write

418000

unkown

page write copy

29FE000

stack

page read and write

4361000

heap

page read and write

4361000

heap

page read and write

3F11000

trusted library allocation

page read and write

18572DA0000

trusted library allocation

page read and write

3F11000

trusted library allocation

page read and write

43E000

unkown

page execute and read and write

58A000

heap

page read and write

3F11000

trusted library allocation

page read and write

4361000

heap

page read and write

418000

unkown

page write copy

3F11000

trusted library allocation

page read and write

317E000

stack

page read and write

452000

unkown

page readonly

3F11000

trusted library allocation

page read and write

403B000

trusted library allocation

page read and write

263E000

stack

page read and write

3157000

heap

page read and write

3280000

heap

page read and write

2C7E000

stack

page read and write

4361000

heap

page read and write

4361000

heap

page read and write

18571E66000

heap

page read and write

42E000

unkown

page write copy

2920000

heap

page read and write

6B0000

heap

page read and write

4361000

heap

page read and write

2ECA000

heap

page read and write

18571E6D000

heap

page read and write

18571CF0000

trusted library allocation

page read and write

18572060000

trusted library allocation

page read and write

AFF000

stack

page read and write

18571FC0000

trusted library allocation

page read and write

32EE000

stack

page read and write

BE0000

heap

page read and write

510000

heap

page read and write

4361000

heap

page read and write

42E000

unkown

page write copy

4361000

heap

page read and write

403F000

trusted library allocation

page read and write

3F11000

trusted library allocation

page read and write

515000

heap

page read and write

3050000

heap

page read and write

4032000

trusted library allocation

page read and write

4361000

heap

page read and write

There are 366 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
file.exe