Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

z34PDnVzyEItkXaInw.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.773389654096087
Filename:	z34PDnVzyEItkXaInw.exe
Filesize:	790528
MD5:	c85149f68536d2bccb60ad32e88d6895
SHA1:	703e4b9d6db31ad5b83048b3ebf2fea81492df02
SHA256:	4fc57cfe6ad19b764721faf9215457a09ddeebc7402c8833f290181af0b20d5e
SHA512:	a766ce5265f8a33eb86fe2686a7a02d6df5661c4a7859ff9cc05c10f41d3600bf55f9fcee76197010d0b1d27b4d76e64df3de5143cf4ec8a6a34299362d0db7c
SSDEEP:	24576:3/zD1ArxfnREzkQsImlHqocz5dqIzmarw7w:3/tixfmYQsxFPudLSar
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...I*.f.............................%... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z34PDnVzyEItkXaInw.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z34PDnVzyEItkXaInw.exe.log
Category:	dropped
Dump:	z34PDnVzyEItkXaInw.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe

"C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5040
Target ID:	0
Parent PID:	1028
Name:	z34PDnVzyEItkXaInw.exe
Path:	C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe
Commandline:	"C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe"
Size:	790528
MD5:	C85149F68536D2BCCB60AD32E88D6895
Time:	22:51:51
Date:	16/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x30000
Modulesize:	819200
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe

"C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1864
Target ID:	3
Parent PID:	5040
Name:	z34PDnVzyEItkXaInw.exe
Path:	C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe
Commandline:	"C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe"
Size:	790528
MD5:	C85149F68536D2BCCB60AD32E88D6895
Time:	22:51:52
Date:	16/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xb90000
Modulesize:	819200
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://api.ipify.org/

172.67.74.152

Details

Name:	https://api.ipify.org/
IP:	172.67.74.152
TargetID:	3
From Memory:	false
Current Path:	C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://api.ipify.org

unknown

Details

Name:	https://api.ipify.org
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe
Source:	z34PDnVzyEItkXaInw.exe, 00000000.00000002.2024453541.0000000003776000.00000004.00000800.00020000.00000000.sdmp, z34PDnVzyEItkXaInw.exe, 00000003.00000002.4448567496.0000000003051000.00000004.00000800.00020000.00000000.sdmp, z34PDnVzyEItkXaInw.exe, 00000003.00000002.4445884257.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe
Source:	z34PDnVzyEItkXaInw.exe, 00000000.00000002.2024453541.0000000003776000.00000004.00000800.00020000.00000000.sdmp, z34PDnVzyEItkXaInw.exe, 00000003.00000002.4445884257.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.telegram.org

unknown

Details

Name:	https://api.telegram.org
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe
Source:	z34PDnVzyEItkXaInw.exe, 00000003.00000002.4448567496.00000000030C7000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
URLs found in memory or binary data	Networking

https://api.ipify.org/t

unknown

Details

Name:	https://api.ipify.org/t
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe
Source:	z34PDnVzyEItkXaInw.exe, 00000003.00000002.4448567496.0000000003051000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://api.telegram.org

unknown

Details

Name:	http://api.telegram.org
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe
Source:	z34PDnVzyEItkXaInw.exe, 00000003.00000002.4448567496.00000000030C7000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe
Source:	z34PDnVzyEItkXaInw.exe, 00000003.00000002.4448567496.0000000003051000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

api.ipify.org

172.67.74.152

Details

Name:	api.ipify.org
IP:	172.67.74.152
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

api.telegram.org

149.154.167.220

Details

Name:	api.telegram.org
IP:	149.154.167.220
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
Uses the Telegram API (likely for C&C communication)	Networking	Web Service
HTTP GET or POST without a user agent	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

149.154.167.220

api.telegram.org

United Kingdom

Details

IP:	149.154.167.220
TargetID:	3
Current Path:	C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	api.telegram.org

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

172.67.74.152

api.ipify.org

United States

Details

IP:	172.67.74.152
TargetID:	3
Current Path:	C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z34PDnVzyEItkXaInw_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z34PDnVzyEItkXaInw_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z34PDnVzyEItkXaInw_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z34PDnVzyEItkXaInw_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z34PDnVzyEItkXaInw_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z34PDnVzyEItkXaInw_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z34PDnVzyEItkXaInw_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z34PDnVzyEItkXaInw_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z34PDnVzyEItkXaInw_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z34PDnVzyEItkXaInw_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z34PDnVzyEItkXaInw_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z34PDnVzyEItkXaInw_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z34PDnVzyEItkXaInw_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z34PDnVzyEItkXaInw_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

30A1000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

3776000

trusted library allocation

page read and write

30C7000

trusted library allocation

page read and write

7FB000

trusted library allocation

page execute and read and write

8970000

heap

page read and write

726000

heap

page read and write

4A9B000

stack

page read and write

1480000

trusted library allocation

page execute and read and write

73A0000

trusted library allocation

page execute and read and write

6CFE000

stack

page read and write

25D5000

trusted library allocation

page read and write

309D000

trusted library allocation

page read and write

4B60000

heap

page read and write

2FA6000

trusted library allocation

page read and write

1098000

heap

page read and write

1446000

trusted library allocation

page execute and read and write

32000

unkown

page readonly

61E000

stack

page read and write

8680000

heap

page read and write

6853000

heap

page read and write

514E000

stack

page read and write

F4000

unkown

page readonly

70EE000

stack

page read and write

1420000

trusted library allocation

page read and write

6892000

heap

page read and write

24A0000

heap

page execute and read and write

4E2E000

stack

page read and write

22C0000

trusted library allocation

page read and write

6832000

trusted library allocation

page read and write

291B000

trusted library allocation

page read and write

1452000

trusted library allocation

page read and write

2939000

trusted library allocation

page read and write

292F000

trusted library allocation

page read and write

2927000

trusted library allocation

page read and write

5490000

heap

page read and write

30000

unkown

page readonly

647000

heap

page read and write

6BFD000

stack

page read and write

6FFE000

stack

page read and write

886F000

stack

page read and write

6B98000

trusted library allocation

page read and write

640000

heap

page read and write

1F0000

heap

page read and write

7E2000

trusted library allocation

page read and write

4957000

trusted library allocation

page read and write

7E6000

trusted library allocation

page execute and read and write

4E70000

trusted library allocation

page read and write

8AAE000

stack

page read and write

6C3000

trusted library allocation

page execute and read and write

4EC0000

heap

page read and write

896D000

stack

page read and write

2937000

trusted library allocation

page read and write

4CD0000

trusted library allocation

page read and write

1440000

trusted library allocation

page read and write

6630000

heap

page read and write

4EE0000

heap

page read and write

681A000

heap

page read and write

30E9000

trusted library allocation

page read and write

73F0000

trusted library allocation

page read and write

10C4000

heap

page read and write

292B000

trusted library allocation

page read and write

4CE0000

trusted library allocation

page execute and read and write

4980000

trusted library allocation

page execute and read and write

3085000

trusted library allocation

page read and write

1050000

heap

page read and write

3508000

trusted library allocation

page read and write

1430000

trusted library allocation

page read and write

6BA0000

trusted library allocation

page read and write

2FE0000

trusted library allocation

page read and write

29B0000

trusted library allocation

page read and write

1423000

trusted library allocation

page execute and read and write

10F9000

heap

page read and write

2621000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

4EA0000

trusted library allocation

page execute and read and write

40BA000

trusted library allocation

page read and write

4AA0000

heap

page read and write

6C00000

trusted library allocation

page execute and read and write

4E7C000

trusted library allocation

page read and write

2E30000

heap

page read and write

2921000

trusted library allocation

page read and write

5060000

trusted library allocation

page execute and read and write

6F80000

heap

page read and write

77C000

heap

page read and write

26F4000

trusted library allocation

page read and write

2919000

trusted library allocation

page read and write

6D00000

trusted library allocation

page read and write

3735000

trusted library allocation

page read and write

9EBE000

stack

page read and write

7A1000

heap

page read and write

4E73000

trusted library allocation

page read and write

2FE4000

trusted library allocation

page read and write

12DE000

stack

page read and write

4940000

heap

page read and write

6BB0000

trusted library allocation

page read and write

6B90000

trusted library allocation

page read and write

1470000

trusted library allocation

page read and write

189000

stack

page read and write

5050000

trusted library allocation

page execute and read and write

159E000

stack

page read and write

6F70000

heap

page read and write

6E0E000

stack

page read and write

2E50000

heap

page read and write

870000

heap

page read and write

7F7000

trusted library allocation

page execute and read and write

860000

trusted library allocation

page execute and read and write

4F7000

stack

page read and write

4E90000

trusted library allocation

page read and write

2441000

trusted library allocation

page read and write

34B1000

trusted library allocation

page read and write

73E0000

trusted library allocation

page execute and read and write

2480000

trusted library allocation

page read and write

647D000

stack

page read and write

6CBF000

stack

page read and write

292D000

trusted library allocation

page read and write

10C6000

heap

page read and write

6D0000

trusted library allocation

page read and write

243E000

trusted library allocation

page read and write

7100000

trusted library section

page read and write

810000

trusted library allocation

page read and write

35A4000

trusted library allocation

page read and write

2584000

trusted library allocation

page read and write

85E000

stack

page read and write

241C000

stack

page read and write

4F00000

heap

page read and write

45AC000

stack

page read and write

4E80000

trusted library allocation

page execute and read and write

2929000

trusted library allocation

page read and write

2E20000

trusted library allocation

page read and write

4AC0000

heap

page execute and read and write

135E000

stack

page read and write

6F80000

trusted library section

page read and write

139E000

stack

page read and write

6EE000

heap

page read and write

2F9C000

stack

page read and write

5D0000

heap

page read and write

650000

heap

page read and write

7F2000

trusted library allocation

page read and write

2FA0000

trusted library allocation

page read and write

7E0000

trusted library allocation

page read and write

4EC5000

heap

page read and write

26D7000

trusted library allocation

page read and write

49B3000

heap

page read and write

6D10000

trusted library allocation

page read and write

1450000

trusted library allocation

page read and write

1060000

heap

page read and write

2F5E000

stack

page read and write

2470000

trusted library allocation

page read and write

657E000

stack

page read and write

6CD000

trusted library allocation

page execute and read and write

71AD000

stack

page read and write

1417000

heap

page read and write

2420000

trusted library allocation

page read and write

291F000

trusted library allocation

page read and write

78D000

heap

page read and write

2D7E000

stack

page read and write

6B0000

trusted library allocation

page read and write

2935000

trusted library allocation

page read and write

6D0F000

stack

page read and write

4AB0000

heap

page read and write

6C20000

trusted library allocation

page execute and read and write

23DE000

stack

page read and write

2925000

trusted library allocation

page read and write

3051000

trusted library allocation

page read and write

4C60000

trusted library allocation

page read and write

581C000

stack

page read and write

591E000

stack

page read and write

7CA000

heap

page read and write

715000

heap

page read and write

5B40000

heap

page read and write

721F000

stack

page read and write

4079000

trusted library allocation

page read and write

144A000

trusted library allocation

page execute and read and write

1490000

heap

page read and write

6D07000

trusted library allocation

page read and write

3556000

trusted library allocation

page read and write

7400000

trusted library allocation

page read and write

4CAE000

stack

page read and write

49B0000

heap

page read and write

368E000

trusted library allocation

page read and write

782000

heap

page read and write

2915000

trusted library allocation

page read and write

308F000

trusted library allocation

page read and write

6FD0000

heap

page read and write

2E40000

trusted library allocation

page read and write

22D0000

heap

page read and write

24B1000

trusted library allocation

page read and write

6800000

heap

page read and write

86DC000

heap

page read and write

B62E000

stack

page read and write

2FB2000

trusted library allocation

page read and write

6EBE000

stack

page read and write

6BB7000

trusted library allocation

page read and write

1090000

heap

page read and write

2FF0000

trusted library allocation

page read and write

7F480000

trusted library allocation

page execute and read and write

7110000

trusted library allocation

page read and write

293B000

trusted library allocation

page read and write

6FC0000

trusted library allocation

page execute and read and write

2FAE000

trusted library allocation

page read and write

49A0000

trusted library section

page readonly

9BBD000

trusted library allocation

page read and write

6F40000

trusted library allocation

page read and write

6C10000

trusted library allocation

page read and write

571C000

stack

page read and write

4051000

trusted library allocation

page read and write

2490000

trusted library allocation

page read and write

DE9000

stack

page read and write

97E000

stack

page read and write

2FC1000

trusted library allocation

page read and write

8B20000

trusted library section

page read and write

2FCD000

trusted library allocation

page read and write

1455000

trusted library allocation

page execute and read and write

A7E000

stack

page read and write

7F110000

trusted library allocation

page execute and read and write

6886000

heap

page read and write

1139000

heap

page read and write

2E33000

heap

page read and write

7010000

trusted library section

page read and write

2913000

trusted library allocation

page read and write

6A7E000

stack

page read and write

291D000

trusted library allocation

page read and write

CE9000

stack

page read and write

73F5000

trusted library allocation

page read and write

2933000

trusted library allocation

page read and write

7EA000

trusted library allocation

page execute and read and write

6B7F000

stack

page read and write

2931000

trusted library allocation

page read and write

2923000

trusted library allocation

page read and write

4950000

trusted library allocation

page read and write

10B9000

heap

page read and write

1410000

heap

page read and write

869D000

heap

page read and write

2446000

trusted library allocation

page read and write

2FAB000

trusted library allocation

page read and write

8AED000

stack

page read and write

2FBA000

trusted library allocation

page read and write

1126000

heap

page read and write

69E000

stack

page read and write

2709000

trusted library allocation

page read and write

68C5000

heap

page read and write

22AD000

stack

page read and write

1457000

trusted library allocation

page execute and read and write

145B000

trusted library allocation

page execute and read and write

4900000

trusted library allocation

page read and write

4ED0000

heap

page read and write

6BAD000

trusted library allocation

page read and write

2460000

trusted library allocation

page read and write

225E000

stack

page read and write

2485000

trusted library allocation

page read and write

B52E000

stack

page read and write

26C5000

trusted library allocation

page read and write

6C4000

trusted library allocation

page read and write

1442000

trusted library allocation

page read and write

1070000

heap

page read and write

6DD000

trusted library allocation

page execute and read and write

6F90000

trusted library allocation

page read and write

1424000

trusted library allocation

page read and write

6FA0000

trusted library allocation

page read and write

3040000

heap

page execute and read and write

724000

heap

page read and write

4CC0000

trusted library allocation

page execute and read and write

6E0000

heap

page read and write

4960000

trusted library allocation

page read and write

4E6E000

stack

page read and write

142D000

trusted library allocation

page execute and read and write

244D000

trusted library allocation

page read and write

6F0F000

stack

page read and write

2917000

trusted library allocation

page read and write

2D88000

trusted library allocation

page read and write

799000

heap

page read and write

2FBE000

trusted library allocation

page read and write

2FC6000

trusted library allocation

page read and write

4EB0000

trusted library allocation

page read and write

1055000

heap

page read and write

4DED000

stack

page read and write

2260000

trusted library allocation

page read and write

72AE000

stack

page read and write

5590000

heap

page execute and read and write

6C0000

trusted library allocation

page read and write

1400000

trusted library allocation

page read and write

70F0000

trusted library section

page read and write

4CB0000

trusted library allocation

page read and write

6E8000

heap

page read and write

143D000

trusted library allocation

page execute and read and write

8670000

heap

page read and write

129E000

stack

page read and write

4B50000

trusted library allocation

page read and write

1497000

heap

page read and write

7000000

trusted library allocation

page execute and read and write

There are 281 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
z34PDnVzyEItkXaInw.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportz34PDnVzyEItkXaInw.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
z34PDnVzyEItkXaInw.exe