Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

lqoUUYTMsL.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.849189397617287
Filename:	lqoUUYTMsL.exe
Filesize:	369664
MD5:	3113c2a7b30c1cb350e8950b4222b0c4
SHA1:	2fe0c50dd095a738788693e147c0b9d883554d2c
SHA256:	7ff1d7dd5684cd38bea4a227bf49d4ceff1de7d2f66a556ccc6ce1a382640fc6
SHA512:	4287e194b702492c3b0c960fc4a0cc1625607789e382b88276eaa9749f3ff32f38cf81da3543601cd1f9e2704366385962f421568702bb72a621cddf77aa58cd
SSDEEP:	6144:MHM3730X5T4avIrevXJZzkhq8R8ahdMSM9C/JWJu0GTY8odnR1j3hfbJHtFy7tcQ:p3cT4Ed3YQG8SM9LJV3dnRLbJHtFy7tJ
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-.f..................................... ....@.. ....................... ............@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation Process Injection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary	Access Token Manipulation
PE file has nameless sections	System Summary	Access Token Manipulation
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Access Token Manipulation Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information	Ingress Tool Transfer
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Tries to steal Mail credentials (via file registry)	Stealing of Sensitive Information
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary	Access Token Manipulation
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary	Access Token Manipulation System Information Discovery
PE file contains a COM descriptor data directory	System Summary
Uses new MSVCR Dlls	Compliance, System Summary	Access Token Manipulation
Uses Microsoft Silverlight	System Summary	Access Token Manipulation

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\lqoUUYTMsL.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\lqoUUYTMsL.exe.log
Category:	dropped
Dump:	lqoUUYTMsL.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.259753436570609
Encrypted:	false
Ssdeep:	12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
Size:	525
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file has nameless sections	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\188E93\31437F.lck

very short file (no magic)

dropped

Details

File:	C:\Users\user\AppData\Roaming\188E93\31437F.lck
Category:	dropped
Dump:	31437F.lck.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Type:	very short file (no magic)
Entropy:	0.0
Encrypted:	false
Ssdeep:	3:U:U
Size:	1
Whitelisted:	true
Reputation:	high

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06
Category:	dropped
Dump:	bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Type:	data
Entropy:	1.0424600748477153
Encrypted:	false
Ssdeep:	3:/lbq:4
Size:	46
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\lqoUUYTMsL.exe

"C:\Users\user\Desktop\lqoUUYTMsL.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7104
Target ID:	0
Parent PID:	2580
Name:	lqoUUYTMsL.exe
Path:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Commandline:	"C:\Users\user\Desktop\lqoUUYTMsL.exe"
Size:	369664
MD5:	3113C2A7B30C1CB350E8950B4222B0C4
Time:	23:01:53
Date:	18/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd70000
Modulesize:	401408
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Lokibot	Stealing of Sensitive Information
Yara detected Lokibot	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file has nameless sections	System Summary
Yara detected aPLib compressed binary	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\lqoUUYTMsL.exe

Details

Is windows:	false
Is dropped:	false
PID:	6464
Target ID:	1
Parent PID:	7104
Name:	lqoUUYTMsL.exe
Path:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Commandline:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Size:	369664
MD5:	3113C2A7B30C1CB350E8950B4222B0C4
Time:	23:01:54
Date:	18/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x9d0000
Modulesize:	401408
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Lokibot	Stealing of Sensitive Information
Yara detected Lokibot	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file has nameless sections	System Summary
Yara detected aPLib compressed binary	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\lqoUUYTMsL.exe

Details

Is windows:	false
Is dropped:	false
PID:	6408
Target ID:	2
Parent PID:	7104
Name:	lqoUUYTMsL.exe
Path:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Commandline:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Size:	369664
MD5:	3113C2A7B30C1CB350E8950B4222B0C4
Time:	23:01:54
Date:	18/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xa20000
Modulesize:	401408
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Lokibot	Stealing of Sensitive Information
Yara detected Lokibot	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file has nameless sections	System Summary
Yara detected aPLib compressed binary	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\lqoUUYTMsL.exe

Details

Is windows:	false
Is dropped:	false
PID:	5352
Target ID:	3
Parent PID:	7104
Name:	lqoUUYTMsL.exe
Path:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Commandline:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Size:	369664
MD5:	3113C2A7B30C1CB350E8950B4222B0C4
Time:	23:01:54
Date:	18/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xee0000
Modulesize:	401408
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Lokibot	Stealing of Sensitive Information
Yara detected Lokibot	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file has nameless sections	System Summary
Yara detected aPLib compressed binary	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\lqoUUYTMsL.exe

Details

Is windows:	false
Is dropped:	false
PID:	5088
Target ID:	4
Parent PID:	7104
Name:	lqoUUYTMsL.exe
Path:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Commandline:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Size:	369664
MD5:	3113C2A7B30C1CB350E8950B4222B0C4
Time:	23:01:54
Date:	18/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x8b0000
Modulesize:	401408
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Lokibot	Stealing of Sensitive Information
Yara detected Lokibot	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file has nameless sections	System Summary
Yara detected aPLib compressed binary	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://tequilacofradiamx.com/minyhug/fxgsfhsdtytdjfudyjfjewrwsejyt/Panel/five/fre.php

91.92.253.228

http://kbfvzoboss.bid/alien/fre.php

Details

Name:	http://kbfvzoboss.bid/alien/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://alphastand.win/alien/fre.php

Details

Name:	http://alphastand.win/alien/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://alphastand.trade/alien/fre.php

Details

Name:	http://alphastand.trade/alien/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://alphastand.top/alien/fre.php

Details

Name:	http://alphastand.top/alien/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

https://tequilacofradiamx.com/minyhug/fxgsfhsdtytdjfudyjfjewrwsejyt/Panel/five/fre.php

Details

Name:	https://tequilacofradiamx.com/minyhug/fxgsfhsdtytdjfudyjfjewrwsejyt/Panel/five/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

http://www.ibsensoftware.com/

unknown

http://tequilacofradiamx.com/

unknown

Domains

Name

Malicious

tequilacofradiamx.com

91.92.253.228

Details

Name:	tequilacofradiamx.com
IP:	91.92.253.228
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

91.92.253.228

tequilacofradiamx.com

Bulgaria

Details

IP:	91.92.253.228
TargetID:	1
Current Path:	C:\Users\user\Desktop\lqoUUYTMsL.exe
Country:	Bulgaria
Countrycode:	BGR
ASN number:	34368
ASN name:	THEZONEBG
Private:	false
Domain:	tequilacofradiamx.com

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

3520000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

6A83000

trusted library allocation

page read and write

36C0000

trusted library allocation

page read and write

36DC000

trusted library allocation

page read and write

36A4000

trusted library allocation

page read and write

F08000

heap

page read and write

BF5000

heap

page read and write

1340000

heap

page read and write

ACC000

stack

page read and write

D5E000

stack

page read and write

7B0D000

stack

page read and write

1310000

trusted library allocation

page read and write

E88000

heap

page read and write

137F000

heap

page read and write

579E000

stack

page read and write

2930000

heap

page read and write

12CE000

stack

page read and write

2F27000

heap

page read and write

107F000

stack

page read and write

12D2000

trusted library allocation

page execute and read and write

E8D000

stack

page read and write

12E2000

trusted library allocation

page execute and read and write

167F000

stack

page read and write

69B3000

trusted library allocation

page read and write

1850000

trusted library allocation

page execute and read and write

18E0000

heap

page read and write

12F0000

trusted library allocation

page read and write

FDC000

stack

page read and write

E80000

heap

page read and write

565D000

trusted library section

page read and write

2A3F000

stack

page read and write

4A0000

remote allocation

page execute and read and write

13AB000

heap

page read and write

180E000

stack

page read and write

131B000

trusted library allocation

page execute and read and write

351C000

trusted library allocation

page read and write

D80000

heap

page read and write

184E000

stack

page read and write

ECE000

stack

page read and write

160F000

stack

page read and write

1302000

trusted library allocation

page execute and read and write

E40000

heap

page read and write

BD0000

heap

page read and write

E35000

heap

page read and write

5C5E000

stack

page read and write

2ACD000

stack

page read and write

D60000

heap

page read and write

D70000

unkown

page readonly

1398000

heap

page read and write

1A10000

heap

page execute and read and write

5C9E000

stack

page read and write

19F0000

trusted library allocation

page execute and read and write

5B5E000

stack

page read and write

1480000

heap

page read and write

11D0000

heap

page read and write

1420000

heap

page read and write

164E000

stack

page read and write

ED0000

heap

page read and write

16B0000

heap

page read and write

122E000

stack

page read and write

18D1000

trusted library allocation

page read and write

2A70000

heap

page read and write

E30000

heap

page read and write

59DE000

stack

page read and write

F00000

heap

page read and write

5600000

trusted library section

page read and write

1650000

heap

page read and write

36FA000

trusted library allocation

page read and write

13A1000

heap

page read and write

134E000

heap

page read and write

BF0000

heap

page read and write

12C0000

trusted library allocation

page read and write

5B1E000

stack

page read and write

4501000

trusted library allocation

page read and write

1348000

heap

page read and write

18A0000

heap

page read and write

B80000

heap

page read and write

12DA000

trusted library allocation

page execute and read and write

EFC000

stack

page read and write

D72000

unkown

page readonly

12FC000

stack

page read and write

106B000

stack

page read and write

130A000

trusted library allocation

page execute and read and write

BCC000

stack

page read and write

68ED000

trusted library allocation

page read and write

DA5000

heap

page read and write

F58000

heap

page read and write

67C5000

trusted library allocation

page read and write

58DE000

stack

page read and write

18B0000

trusted library allocation

page execute and read and write

7C0F000

stack

page read and write

11E0000

heap

page read and write

2F1E000

stack

page read and write

1488000

heap

page read and write

2E60000

heap

page read and write

55FE000

stack

page read and write

77E0000

trusted library allocation

page read and write

1870000

trusted library allocation

page read and write

D72000

unkown

page execute and read and write

1285000

heap

page read and write

1166000

stack

page read and write

694B000

trusted library allocation

page read and write

13D7000

heap

page read and write

F00000

heap

page read and write

1890000

trusted library section

page read and write

D10000

heap

page read and write

285E000

stack

page read and write

1383000

heap

page read and write

B1C000

stack

page read and write

147E000

stack

page read and write

DA0000

heap

page read and write

13D9000

heap

page read and write

19EE000

stack

page read and write

17C0000

trusted library section

page read and write

589D000

stack

page read and write

12FA000

trusted library allocation

page execute and read and write

6A1B000

trusted library allocation

page read and write

1317000

trusted library allocation

page execute and read and write

67C1000

trusted library allocation

page read and write

9AC000

stack

page read and write

2F23000

heap

page read and write

126E000

stack

page read and write

12E0000

trusted library allocation

page read and write

1430000

heap

page read and write

6917000

trusted library allocation

page read and write

5660000

trusted library allocation

page execute and read and write

17BE000

stack

page read and write

2AD0000

heap

page read and write

16AD000

stack

page read and write

4A0000

remote allocation

page execute and read and write

36F8000

trusted library allocation

page read and write

F20000

heap

page read and write

1340000

heap

page read and write

5A1E000

stack

page read and write

CFD000

stack

page read and write

2E30000

heap

page read and write

5D9F000

stack

page read and write

F3A000

heap

page read and write

5680000

heap

page read and write

3514000

trusted library allocation

page read and write

697F000

trusted library allocation

page read and write

12E9000

trusted library allocation

page execute and read and write

1396000

heap

page read and write

1280000

heap

page read and write

56A0000

trusted library allocation

page execute and read and write

11CE000

stack

page read and write

18C0000

trusted library allocation

page read and write

F50000

heap

page read and write

3501000

trusted library allocation

page read and write

1435000

heap

page read and write

There are 141 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
lqoUUYTMsL.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportlqoUUYTMsL.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
lqoUUYTMsL.exe