Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

PDT_7367027738832_789257820__________________________.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.924475110769334
Filename:	PDT_7367027738832_789257820__________________________.exe
Filesize:	1091584
MD5:	656aeda4f4a3ad9555f6d88c74fc0705
SHA1:	3da5e7c273689cb837de918b39c2650484cd342e
SHA256:	a3f5e3e9e01fdd51293410aa65759c2ea0ba6fd96860b6b9e9e0cea139f4d939
SHA512:	d9300bdd48c28c8f148595c6db9dcb20ee19f2f44c524f73f7af1037ca36ecaf239a124ec193143ef76611fd8dbb9f21ff2d456c626865d81ad5ed28dd6e40e3
SSDEEP:	24576:BAHnh+eWsN3skA4RV1Hom2KXMmHa5a/M0IQe5:Yh+ZkldoPK8Ya5a/M06
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary	System Information Discovery
Multi AV Scanner detection for submitted file	AV Detection
Binary is likely a compiled AutoIt script file	System Summary
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts
Contains functionality to launch a process as a different user	System Summary
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation Access Token Manipulation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Access Token Manipulation Process Discovery
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Access Token Manipulation System Time Discovery Process Discovery Encrypted Channel
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API Access Token Manipulation
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation System Time Discovery
Found potential string decryption / allocating functions	System Summary
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Access Token Manipulation System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
Contains functionality for error logging	System Summary	Access Token Manipulation
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Access Token Manipulation Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Program exit points	Malware Analysis System Evasion
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\aut6466.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut6466.tmp
Category:	dropped
Dump:	aut6466.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe
Type:	data
Entropy:	7.871118629471488
Encrypted:	false
Ssdeep:	3072:ipkcINbb1VFJVkkJUg5Ljhikp84+QHFE5nXCIm:+9ibxJN5Zikpr+aFE5nXC/
Size:	135338
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\aut6503.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut6503.tmp
Category:	dropped
Dump:	aut6503.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe
Type:	data
Entropy:	7.593008664383745
Encrypted:	false
Ssdeep:	192:m+cKsSwxOCyTkff82lMdISQUNa53yJuldkiXkXA+rh+8E+h+Zo:97sSwcHkHUOSQl3yJulOiqA+rh+C0o
Size:	9886
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\electicism

ASCII text, with very long lines (29744), with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\electicism
Category:	dropped
Dump:	electicism.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe
Type:	ASCII text, with very long lines (29744), with no line terminators
Entropy:	3.542100914255066
Encrypted:	false
Ssdeep:	768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbiE+I76Md4vfF3if6gyT:wiTZ+2QoioGRk6ZklputwjpjBkCiw2R2
Size:	29744
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\phytographical

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\phytographical
Category:	dropped
Dump:	phytographical.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe
Type:	data
Entropy:	6.3048884803521394
Encrypted:	false
Ssdeep:	6144:ImmywGQmmmmWOLMmmmhRgXQoGnbcP0DXj7wzehurtmtkzy7jyj30RKkyTs/Cxo4V:ImmywGQmmmmWOLMmmm7gXQoGnbcP0DTA
Size:	240128
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

"C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7440
Target ID:	0
Parent PID:	2580
Name:	PDT_7367027738832_789257820__________________________.exe
Path:	C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe
Commandline:	"C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe"
Size:	1091584
MD5:	656AEDA4F4A3AD9555F6D88C74FC0705
Time:	08:30:15
Date:	23/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x710000
Modulesize:	1118208
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Suspicious Double Extension File Execution	System Summary
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Binary is likely a compiled AutoIt script file	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7456
Target ID:	1
Parent PID:	7440
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	08:30:16
Date:	23/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x670000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://sectigo.com/CPS0

unknown

http://mail.worlorderbillions.top

unknown

Details

Name:	http://mail.worlorderbillions.top
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.2931527386.00000000028FE000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for domain / URL	AV Detection
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe
Source:	PDT_7367027738832_789257820__________________________.exe, 00000000.00000002.1677527485.0000000001080000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2930664399.0000000000402000.00000040.80000000.00040000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://worlorderbillions.top

unknown

Details

Name:	http://worlorderbillions.top
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.2931527386.00000000028FE000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for domain / URL	AV Detection
URLs found in memory or binary data	Networking

Domains

Name

Malicious

mail.worlorderbillions.top

unknown

Details

Name:	mail.worlorderbillions.top
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for domain / URL	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

worlorderbillions.top

185.244.151.84

Details

Name:	worlorderbillions.top
IP:	185.244.151.84
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

185.244.151.84

worlorderbillions.top

Netherlands

Details

IP:	185.244.151.84
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	Netherlands
Countrycode:	NLD
ASN number:	60117
ASN name:	HSAE
Private:	false
Domain:	worlorderbillions.top

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

Memdumps

Base Address

Regiontype

Protect

Malicious

28FE000

trusted library allocation

page read and write

292A000

trusted library allocation

page read and write

1080000

direct allocation

page read and write

28B1000

trusted library allocation

page read and write

402000

system

page execute and read and write

770000

heap

page read and write

120C000

heap

page read and write

C60000

heap

page read and write

4AED000

stack

page read and write

503E000

stack

page read and write

7C5000

unkown

page readonly

5C20000

heap

page read and write

68D0000

heap

page read and write

E28000

heap

page read and write

70A000

stack

page read and write

7E8000

unkown

page readonly

C04000

trusted library allocation

page read and write

5C7C000

heap

page read and write

66DE000

stack

page read and write

9F0000

direct allocation

page execute and read and write

3933000

direct allocation

page read and write

3933000

direct allocation

page read and write

4EB3000

heap

page read and write

3933000

direct allocation

page read and write

1212000

heap

page read and write

5C26000

heap

page read and write

79F000

unkown

page readonly

C2D000

trusted library allocation

page execute and read and write

27C8000

trusted library allocation

page read and write

5EBD000

stack

page read and write

1204000

heap

page read and write

C36000

trusted library allocation

page execute and read and write

1DCE000

stack

page read and write

4CA000

stack

page read and write

4E5D000

trusted library allocation

page read and write

FFC000

stack

page read and write

2918000

trusted library allocation

page read and write

538E000

stack

page read and write

FBF000

stack

page read and write

C00000

trusted library allocation

page read and write

3ADD000

direct allocation

page read and write

5E60000

trusted library allocation

page read and write

7D8000

unkown

page readonly

C30000

trusted library allocation

page read and write

1212000

heap

page read and write

5BE000

stack

page read and write

E58000

heap

page read and write

518C000

stack

page read and write

28FC000

trusted library allocation

page read and write

1331000

heap

page read and write

3ADD000

direct allocation

page read and write

3B4E000

direct allocation

page read and write

528E000

stack

page read and write

39B0000

direct allocation

page read and write

1241000

heap

page read and write

FCE000

stack

page read and write

1258000

heap

page read and write

1258000

heap

page read and write

4E36000

trusted library allocation

page read and write

C3A000

trusted library allocation

page execute and read and write

5C81000

heap

page read and write

4E4E000

trusted library allocation

page read and write

3AD9000

direct allocation

page read and write

136E000

heap

page read and write

2860000

trusted library allocation

page read and write

1231000

heap

page read and write

3933000

direct allocation

page read and write

1259000

heap

page read and write

1258000

heap

page read and write

3ADD000

direct allocation

page read and write

3ADD000

direct allocation

page read and write

4EB0000

heap

page read and write

2932000

trusted library allocation

page read and write

5B1E000

stack

page read and write

4FFC000

stack

page read and write

400000

system

page execute and read and write

3B4E000

direct allocation

page read and write

11D8000

heap

page read and write

7F910000

trusted library allocation

page execute and read and write

39B0000

direct allocation

page read and write

710000

unkown

page readonly

5E70000

trusted library allocation

page execute and read and write

1258000

heap

page read and write

4E4A000

trusted library allocation

page read and write

5E40000

trusted library allocation

page read and write

4E70000

trusted library allocation

page read and write

38D9000

trusted library allocation

page read and write

39B0000

direct allocation

page read and write

C45000

trusted library allocation

page execute and read and write

615D000

stack

page read and write

C32000

trusted library allocation

page read and write

1231000

heap

page read and write

7E8000

unkown

page readonly

C20000

trusted library allocation

page read and write

3810000

direct allocation

page read and write

65DE000

stack

page read and write

38B1000

trusted library allocation

page read and write

49EC000

stack

page read and write

5EC0000

trusted library allocation

page execute and read and write

EC5000

heap

page read and write

3AD9000

direct allocation

page read and write

C65000

heap

page read and write

C0D000

trusted library allocation

page execute and read and write

39B0000

direct allocation

page read and write

1258000

heap

page read and write

7CF000

unkown

page read and write

5FA7000

trusted library allocation

page read and write

1341000

heap

page read and write

3810000

direct allocation

page read and write

4E3B000

trusted library allocation

page read and write

7CF000

unkown

page write copy

79F000

unkown

page readonly

7E0000

heap

page read and write

6710000

heap

page read and write

E3E000

heap

page read and write

2926000

trusted library allocation

page read and write

4E42000

trusted library allocation

page read and write

1341000

heap

page read and write

5C22000

heap

page read and write

28A0000

heap

page read and write

27BE000

stack

page read and write

507E000

stack

page read and write

1258000

heap

page read and write

5C40000

heap

page read and write

530000

heap

page read and write

1258000

heap

page read and write

53CE000

stack

page read and write

3B4E000

direct allocation

page read and write

5E0000

heap

page read and write

9D0000

heap

page read and write

3810000

direct allocation

page read and write

3B4E000

direct allocation

page read and write

FDB000

stack

page read and write

4EC0000

heap

page read and write

5C7E000

heap

page read and write

D90000

heap

page read and write

3810000

direct allocation

page read and write

11D0000

heap

page read and write

3AD9000

direct allocation

page read and write

BF0000

trusted library allocation

page read and write

4E51000

trusted library allocation

page read and write

5080000

heap

page execute and read and write

5460000

trusted library allocation

page read and write

39B0000

direct allocation

page read and write

5F9E000

stack

page read and write

3AD9000

direct allocation

page read and write

12CD000

heap

page read and write

C03000

trusted library allocation

page execute and read and write

12DD000

heap

page read and write

1212000

heap

page read and write

5E66000

trusted library allocation

page read and write

3AD9000

direct allocation

page read and write

124E000

heap

page read and write

5E50000

trusted library allocation

page read and write

1258000

heap

page read and write

2880000

trusted library allocation

page read and write

391D000

trusted library allocation

page read and write

3B4E000

direct allocation

page read and write

3933000

direct allocation

page read and write

1350000

heap

page read and write

4E30000

trusted library allocation

page read and write

9C0000

heap

page read and write

DDE000

stack

page read and write

7DA000

unkown

page readonly

2890000

trusted library allocation

page read and write

120C000

heap

page read and write

124F000

heap

page read and write

C10000

heap

page read and write

3933000

direct allocation

page read and write

12B4000

heap

page read and write

4E3E000

trusted library allocation

page read and write

5FA0000

trusted library allocation

page read and write

5FB0000

trusted library allocation

page read and write

1370000

heap

page read and write

710000

unkown

page readonly

1258000

heap

page read and write

7C5000

unkown

page readonly

4E56000

trusted library allocation

page read and write

3810000

direct allocation

page read and write

E98000

heap

page read and write

1278000

heap

page read and write

1232000

heap

page read and write

7DA000

unkown

page readonly

7D8000

unkown

page readonly

3AD9000

direct allocation

page read and write

135F000

heap

page read and write

3ADD000

direct allocation

page read and write

1332000

heap

page read and write

5468000

trusted library allocation

page read and write

1241000

heap

page read and write

E20000

heap

page read and write

5C0000

heap

page read and write

1205000

heap

page read and write

7D3000

unkown

page write copy

124E000

heap

page read and write

711000

unkown

page execute read

C42000

trusted library allocation

page read and write

57D000

stack

page read and write

E55000

heap

page read and write

5F5F000

stack

page read and write

3B4E000

direct allocation

page read and write

6720000

trusted library allocation

page execute and read and write

11F5000

heap

page read and write

C4B000

trusted library allocation

page execute and read and write

4E62000

trusted library allocation

page read and write

E4A000

heap

page read and write

C47000

trusted library allocation

page execute and read and write

3810000

direct allocation

page read and write

AF9000

stack

page read and write

1350000

heap

page read and write

10E4000

heap

page read and write

66E0000

trusted library allocation

page read and write

7C0000

heap

page read and write

3ADD000

direct allocation

page read and write

711000

unkown

page execute read

39B0000

direct allocation

page read and write

1204000

heap

page read and write

D70000

trusted library allocation

page read and write

D80000

trusted library allocation

page execute and read and write

10E0000

heap

page read and write

19CE000

stack

page read and write

2870000

heap

page execute and read and write

EF3000

heap

page read and write

5E4C000

trusted library allocation

page read and write

There are 214 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
PDT_7367027738832_789257820__________________________.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportPDT_7367027738832_789257820__________________________.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
PDT_7367027738832_789257820__________________________.exe