Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

xRzIkuwCyozY.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	3.8093394779449836
Filename:	xRzIkuwCyozY.exe
Filesize:	32768
MD5:	3e07cea83322232968c52e0ad1f98c03
SHA1:	093c6a9df30012c36c5231b105816b8a614feba3
SHA256:	d65e2a63a3e7cd2675134d15ae271d3b4f4920cf166e9cdfff34b2cf7b07b449
SHA512:	43da0ab1a54d86bbdef78fb3c68d1cc035601f25476b7715bd8afa65f585e9ce7e22597e6da90ac4bc07e888761d456d88ada4c59b80fca60582f9ab9fea4716
SSDEEP:	384:h0bUe5XB4e0XfODHixBr/QuWTFtTUFQqzFKObbt:6T9Bu2zifrYd4bt
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}.0f.................P... ......~g... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Access Token Manipulation Software Packing
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	Access Token Manipulation File Deletion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary	Access Token Manipulation
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses new MSVCR Dlls	Compliance, System Summary	Access Token Manipulation
Uses Microsoft Silverlight	System Summary	Access Token Manipulation

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\xRzIkuwCyozY.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\xRzIkuwCyozY.exe.log
Category:	dropped
Dump:	xRzIkuwCyozY.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\xRzIkuwCyozY.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.243019596074263
Encrypted:	false
Ssdeep:	24:MLF2CpI329Iz52VMzffup26KTnKoO2+b2hHAa/:MwQd9IzoaXuY6Ux+SF/
Size:	907
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Chrome Cache Entry: 52

ASCII text, with very long lines (1746)

downloaded

Details

File:	Chrome Cache Entry: 52
Category:	downloaded
Dump:	chromecache_52.4.dr
ID:	dr_8
Target ID:	4
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	ASCII text, with very long lines (1746)
Entropy:	5.55061820245277
Encrypted:	false
Ssdeep:	3072:S0eiNiuzs8v4HHKWY8s1BgP4IDQ9GURWu8zylA/u8PemUPhDlaY/ADiZ65LpK629:S0eMhzvwHHKWY8s1BgP4IDQ9GURWu8UD
Size:	163891
Whitelisted:	false
Reputation:	moderate

Chrome Cache Entry: 53

ASCII text

downloaded

Details

File:	Chrome Cache Entry: 53
Category:	downloaded
Dump:	chromecache_53.4.dr
ID:	dr_9
Target ID:	4
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	ASCII text
Entropy:	3.9353986674667634
Encrypted:	false
Ssdeep:	3:VQAOx/1n:VQAOd1n
Size:	29
Whitelisted:	false
Reputation:	moderate

Chrome Cache Entry: 54

ASCII text, with very long lines (65531)

downloaded

Details

File:	Chrome Cache Entry: 54
Category:	downloaded
Dump:	chromecache_54.4.dr
ID:	dr_10
Target ID:	4
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	ASCII text, with very long lines (65531)
Entropy:	5.440961717394583
Encrypted:	false
Ssdeep:	1536:yMRA4a9KJXjPInWWt/usD98kiHLnRA0zqevcZ1nhaV+trbbbhYxvdU:enKJou8TMyeQ0shCO
Size:	139804
Whitelisted:	false
Reputation:	low

Chrome Cache Entry: 55

ASCII text, with very long lines (3572), with no line terminators

downloaded

Details

File:	Chrome Cache Entry: 55
Category:	downloaded
Dump:	chromecache_55.4.dr
ID:	dr_11
Target ID:	4
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	ASCII text, with very long lines (3572), with no line terminators
Entropy:	5.150542995862274
Encrypted:	false
Ssdeep:	96:RJYrcoiktfqqMghOKTEzNx8BSIMw591g8IOl8u8i8DF+Ks:wkktfqqMghxlg8Ig8u78D2
Size:	3572
Whitelisted:	false
Reputation:	timeout

Chrome Cache Entry: 56

SVG Scalable Vector Graphics image

downloaded

Details

File:	Chrome Cache Entry: 56
Category:	downloaded
Dump:	chromecache_56.4.dr
ID:	dr_12
Target ID:	4
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	SVG Scalable Vector Graphics image
Entropy:	4.301517070642596
Encrypted:	false
Ssdeep:	48:A/S9VU5IDhYYmMqPLmumtrYW2DyZ/jTq9J:A2VUSDhYYmM5trYFw/jmD
Size:	1660
Whitelisted:	false
Reputation:	timeout

Chrome Cache Entry: 57

ASCII text, with very long lines (2124)

downloaded

Details

File:	Chrome Cache Entry: 57
Category:	downloaded
Dump:	chromecache_57.4.dr
ID:	dr_13
Target ID:	4
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	ASCII text, with very long lines (2124)
Entropy:	5.506662476672723
Encrypted:	false
Ssdeep:	3072:QI9yvwslCsrCF9f/U2Dj3Fkk7rEehA5L1kx:l9ygsrieDkVaL1kx
Size:	121628
Whitelisted:	false
Reputation:	timeout

Chrome Cache Entry: 58

ASCII text

downloaded

Details

File:	Chrome Cache Entry: 58
Category:	downloaded
Dump:	chromecache_58.4.dr
ID:	dr_14
Target ID:	4
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	ASCII text
Entropy:	3.6818808028034042
Encrypted:	false
Ssdeep:	3:VQRWN:VQRWN
Size:	19
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\xRzIkuwCyozY.exe

"C:\Users\user\Desktop\xRzIkuwCyozY.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2892
Target ID:	0
Parent PID:	2580
Name:	xRzIkuwCyozY.exe
Path:	C:\Users\user\Desktop\xRzIkuwCyozY.exe
Commandline:	"C:\Users\user\Desktop\xRzIkuwCyozY.exe"
Size:	32768
MD5:	3E07CEA83322232968C52E0AD1F98C03
Time:	00:20:54
Date:	30/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x630000
Modulesize:	49152
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\xRzIkuwCyozY.exe"

Details

Is windows:	true
Is dropped:	false
PID:	9124
Target ID:	9
Parent PID:	2892
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\user\Desktop\xRzIkuwCyozY.exe"
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	00:21:39
Date:	30/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///

Details

Is windows:	true
Is dropped:	false
PID:	3684
Target ID:	1
Parent PID:	3912
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	00:20:59
Date:	30/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(79)/

Details

Is windows:	true
Is dropped:	false
PID:	6532
Target ID:	2
Parent PID:	3912
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(79)/
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	00:20:59
Date:	30/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=2036,i,3006558031417863421,7263643072710997579,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	7452
Target ID:	4
Parent PID:	3684
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=2036,i,3006558031417863421,7263643072710997579,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	00:21:00
Date:	30/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1832 --field-trial-handle=2036,i,5724583149837707848,3027707607016890056,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	7516
Target ID:	5
Parent PID:	6532
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1832 --field-trial-handle=2036,i,5724583149837707848,3027707607016890056,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	00:21:00
Date:	30/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	9132
Target ID:	10
Parent PID:	9124
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	00:21:39
Date:	30/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

berlyn777.con-ip.com

https://www.google.com/async/ddljson?async=ntp:2

142.250.190.68

https://play.google.com/log?format=json&hasfast=true

unknown

http://www.broofa.com

unknown

https://csp.withgoogle.com/csp/lcreport/

unknown

https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0

142.250.190.110

http://go.microsoft.

unknown

https://www.google.com/async/newtab_promos

142.250.190.68

https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

142.250.190.68

https://apis.google.com

unknown

http://go.microsoft.LinkId=42127

unknown

https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1

unknown

https://domains.google.com/suggest/flow

unknown

https://clients6.google.com

unknown

https://plus.google.com

unknown

There are 5 hidden URLs, click here to show them.

Domains

Name

Malicious

berlyn777.con-ip.com

45.141.215.185

Details

Name:	berlyn777.con-ip.com
IP:	45.141.215.185
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

google.com

172.217.2.46

Details

Name:	google.com
IP:	172.217.2.46
TargetID:	4
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

plus.l.google.com

142.250.190.110

www.google.com

142.250.190.68

Details

Name:	www.google.com
IP:	142.250.190.68
TargetID:	4
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

apis.google.com

unknown

Details

Name:	apis.google.com
TargetID:	4
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

45.141.215.185

berlyn777.con-ip.com

Netherlands

Details

IP:	45.141.215.185
TargetID:	0
Current Path:	C:\Users\user\Desktop\xRzIkuwCyozY.exe
Country:	Netherlands
Countrycode:	NLD
ASN number:	62068
ASN name:	SPECTRAIPSpectraIPBVNL
Private:	false
Domain:	berlyn777.con-ip.com

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

192.168.2.4

unknown

Details

IP:	192.168.2.4
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Private:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses secure TLS version for HTTPS connections	Compliance, Networking

142.250.190.110

plus.l.google.com

United States

239.255.255.250

unknown

Reserved

142.250.190.68

www.google.com

United States

Registry

Path

Value

Malicious

HKEY_CURRENT_USER

HKEY_CURRENT_USER\SOFTWARE\03f62b4542954

[kl]

Memdumps

Base Address

Regiontype

Protect

Malicious

632000

unkown

page readonly

2CD1000

trusted library allocation

page read and write

1086000

heap

page read and write

2BD0000

heap

page read and write

A70000

heap

page read and write

630000

unkown

page readonly

4E80000

heap

page read and write

5470000

heap

page read and write

BF0000

heap

page read and write

53E0000

trusted library allocation

page execute and read and write

FB0000

heap

page read and write

1270000

heap

page read and write

66C0000

heap

page read and write

F42000

trusted library allocation

page execute and read and write

4F0B000

stack

page read and write

33DF000

stack

page read and write

4E70000

trusted library allocation

page execute and read and write

2D5C000

trusted library allocation

page read and write

A20000

heap

page read and write

F57000

trusted library allocation

page execute and read and write

EEF000

stack

page read and write

298F000

stack

page read and write

F1A000

trusted library allocation

page execute and read and write

300E000

unkown

page read and write

7C6000

stack

page read and write

3213000

heap

page read and write

7C9000

stack

page read and write

2D60000

trusted library allocation

page read and write

5460000

heap

page read and write

583B000

stack

page read and write

BBE000

heap

page read and write

F0A000

trusted library allocation

page execute and read and write

C76000

heap

page read and write

DEE000

stack

page read and write

52CE000

stack

page read and write

C6D000

heap

page read and write

2D7C000

trusted library allocation

page read and write

A30000

heap

page read and write

C60000

heap

page read and write

1080000

heap

page read and write

2D94000

trusted library allocation

page read and write

67C0000

heap

page read and write

F10000

trusted library allocation

page read and write

4E60000

trusted library allocation

page read and write

ABE000

stack

page read and write

F4A000

trusted library allocation

page execute and read and write

F40000

trusted library allocation

page read and write

3170000

heap

page read and write

F2A000

trusted library allocation

page execute and read and write

F5B000

trusted library allocation

page execute and read and write

593D000

stack

page read and write

3CD1000

trusted library allocation

page read and write

638000

unkown

page readonly

31EB000

heap

page read and write

DAE000

stack

page read and write

31E0000

heap

page read and write

528E000

stack

page read and write

2D8A000

trusted library allocation

page read and write

7FDA0000

trusted library allocation

page execute and read and write

4DCF000

stack

page read and write

4ECC000

stack

page read and write

C51000

heap

page read and write

54DC000

stack

page read and write

57E0000

heap

page read and write

53CF000

stack

page read and write

EF0000

trusted library allocation

page read and write

C0F000

heap

page read and write

F12000

trusted library allocation

page execute and read and write

312F000

unkown

page read and write

504E000

stack

page read and write

F27000

trusted library allocation

page execute and read and write

569D000

stack

page read and write

F30000

heap

page execute and read and write

3202000

heap

page read and write

316E000

stack

page read and write

BB0000

heap

page read and write

AD0000

heap

page read and write

4E83000

heap

page read and write

AD5000

heap

page read and write

F52000

trusted library allocation

page read and write

4E50000

trusted library allocation

page read and write

4F4C000

stack

page read and write

54E0000

heap

page read and write

BBA000

heap

page read and write

65C0000

heap

page read and write

2EFD000

stack

page read and write

4DCC000

stack

page read and write

C67000

heap

page read and write

4DE0000

trusted library allocation

page execute and read and write

4DD0000

trusted library allocation

page read and write

518E000

stack

page read and write

C01000

heap

page read and write

F02000

trusted library allocation

page execute and read and write

514F000

stack

page read and write

2B6D000

stack

page read and write

6C9000

stack

page read and write

C05000

heap

page read and write

F9E000

stack

page read and write

2BE0000

heap

page read and write

57E5000

heap

page read and write

66D0000

heap

page read and write

3020000

heap

page read and write

125C000

stack

page read and write

4F88000

stack

page read and write

There are 94 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
xRzIkuwCyozY.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportxRzIkuwCyozY.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
xRzIkuwCyozY.exe