Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

tOniaJ21lj.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5OpenGL.dll (copy)

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5WinExtras.dll (copy)

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Xml.dll (copy)

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\QtAVWidgets1.dll (copy)

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\avdevice-58.dll (copy)

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-0C056.tmp

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-6P98M.tmp

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-8ECK7.tmp

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-JNDNQ.tmp

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-KI2RB.tmp

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-O2PKH.tmp

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-PRP4U.tmp

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-RV2D1.tmp

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UCHQL.tmp

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UTKLG.tmp

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-VDBC5.tmp

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\libcurl.dll (copy)

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\libeay32.dll (copy)

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\libmp3lame.dll (copy)

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\mousehelper.dll (copy)

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\openh264.dll (copy)

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

PE32 executable (GUI) Intel 80386, for MS Windows

modified

C:\Users\user\AppData\Local\RecordPad Sound Recorder\unins000.exe (copy)

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_RegDLL.tmp

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_iscrypt.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_setup64.tmp

PE32+ executable (console) x86-64, for MS Windows

dropped

C:\ProgramData\uit_66.dat

Non-ISO extended-ASCII text, with no line terminators

dropped

C:\ProgramData\urc_66.dat

data

dropped

C:\ProgramData\ures-a.dat

ASCII text, with no line terminators

dropped

C:\ProgramData\ures-b.dat

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Svg.dll (copy)

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-BRGIM.tmp

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-C4R5U.tmp

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-EAHN0.tmp

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-FR4FM.tmp

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-K3HBS.tmp

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-KU10K.tmp

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-L7B6O.tmp

ASCII text

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-OIVVM.tmp

data

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp120.dll (copy)

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140.dll (copy)

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140_1.dll (copy)

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcr120.dll (copy)

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\openh264_license.txt (copy)

ASCII text

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\proportions.txt (copy)

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\RecordPad Sound Recorder\unins000.dat

InnoSetup Log RecordPad Sound Recorder, version 0x30, 5453 bytes, 123716\user, "C:\Users\user\AppData\Local\RecordPad Sound Recorder"

dropped

C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_shfoldr.dll

PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

There are 40 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\tOniaJ21lj.exe

"C:\Users\user\Desktop\tOniaJ21lj.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6220
Target ID:	0
Parent PID:	1028
Name:	tOniaJ21lj.exe
Path:	C:\Users\user\Desktop\tOniaJ21lj.exe
Commandline:	"C:\Users\user\Desktop\tOniaJ21lj.exe"
Size:	4969628
MD5:	FA367A7D44377D2C3F684C3912FEC827
Time:	13:41:54
Date:	11/06/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
PE file contains executable resources (Code or Archives)	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

"C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -i

Details

Is windows:	false
Is dropped:	true
PID:	4368
Target ID:	3
Parent PID:	2836
Name:	recordpadsoundrecorder32.exe
Path:	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
Commandline:	"C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -i
Size:	2963553
MD5:	1F7ED6F21708581170C4BF77C64A9D32
Time:	13:41:55
Date:	11/06/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	2973696
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Yara detected Socks5Systemz	Stealing of Sensitive Information, Remote Access Functionality
Drops PE files	Persistence and Installation Behavior
Detected Delphi use of System.ParamCount	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe

"C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -s

Details

Is windows:	false
Is dropped:	true
PID:	1412
Target ID:	4
Parent PID:	2836
Name:	recordpadsoundrecorder32.exe
Path:	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
Commandline:	"C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -s
Size:	2963553
MD5:	1F7ED6F21708581170C4BF77C64A9D32
Time:	13:41:56
Date:	11/06/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	2973696
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Yara detected Socks5Systemz	Stealing of Sensitive Information, Remote Access Functionality
Drops PE files	Persistence and Installation Behavior
Detected Delphi use of System.ParamCount	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp

"C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp" /SL5="$10474,4719378,54272,C:\Users\user\Desktop\tOniaJ21lj.exe"

Details

Is windows:	false
Is dropped:	true
PID:	2836
Target ID:	1
Parent PID:	6220
Name:	tOniaJ21lj.tmp
Path:	C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp
Commandline:	"C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp" /SL5="$10474,4719378,54272,C:\Users\user\Desktop\tOniaJ21lj.exe"
Size:	696832
MD5:	8EF7001015E126E74BC41268504CA1E2
Time:	13:41:54
Date:	11/06/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	761856
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

Details

Is windows:	true
Is dropped:	false
PID:	5356
Target ID:	7
Parent PID:	632
Name:	svchost.exe
Path:	C:\Windows\System32\svchost.exe
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Size:	55320
MD5:	B7F884C1B74A263F746EE12A5F7C9F6A
Time:	13:42:40
Date:	11/06/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	true
Modulebase:	0x7ff7e52b0000
Modulesize:	65536
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://aaxeeeo.ru/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ff710c2e8929d3d

94.156.8.14

aaxeeeo.ru

http://aaxeeeo.ru/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110

94.156.8.14

http://www.innosetup.com/

unknown

http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0

unknown

https://sectigo.com/CPS0

unknown

http://ocsp.sectigo.com0

unknown

http://lame.sf.net32bits64bits

unknown

http://ocsp.thawte.com0

unknown

http://qt-project.org/xml/features/report-whitespace-only-CharData

unknown

http://xml.org/sax/features/namespaces

unknown

http://ocsps.ssl.com0?

unknown

http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0

unknown

http://xml.org/sax/features/namespaceshttp://xml.org/sax/features/namespace-prefixeshttp://trolltech

unknown

http://94.156.8.14/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d

unknown

http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q

unknown

http://lame.sf.netB

unknown

http://ocsps.ssl.com0

unknown

http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s

unknown

http://xml.org/sax/features/namespace-prefixes

unknown

http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#

unknown

http://qtav.org2

unknown

http://94.156.8.14/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f8

unknown

https://curl.haxx.se/docs/http-cookies.html

unknown

http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t

unknown

http://crls.ssl.com/ssl.com-rsa-RootCA.crl0

unknown

http://www.remobjects.com/psU

unknown

http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0

unknown

http://lame.sf.net

unknown

http://crl.thawte.com/ThawteTimestampingCA.crl0

unknown

https://www.thawte.com/cps0/

unknown

http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#

unknown

https://www.thawte.com/repository0W

unknown

http://qt-project.org/xml/features/report-start-end-entity

unknown

https://curl.haxx.se/docs/copyright.htmlD

unknown

https://curl.haxx.se/V

unknown

https://www.ssl.com/repository0

unknown

http://trolltech.com/xml/features/report-start-end-entity

unknown

http://www.mpegla.com

unknown

http://www.remobjects.com/ps

unknown

http://trolltech.com/xml/features/report-whitespace-only-CharData

unknown

http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0

unknown

http://ocsps.ssl.com0Q

unknown

There are 33 hidden URLs, click here to show them.

Domains

Name

Malicious

aaxeeeo.ru

94.156.8.14

Details

Name:	aaxeeeo.ru
IP:	94.156.8.14
TargetID:	4
Current Path:	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

94.156.8.14

aaxeeeo.ru

Bulgaria

Details

IP:	94.156.8.14
TargetID:	4
Current Path:	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
Country:	Bulgaria
Countrycode:	BGR
ASN number:	43561
ASN name:	NET1-ASBG
Private:	false
Domain:	aaxeeeo.ru

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
URLs found in memory or binary data	Networking

194.59.31.219

unknown

Germany

Details

IP:	194.59.31.219
TargetID:	4
Current Path:	C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
Country:	Germany
Countrycode:	DEU
ASN number:	30823
ASN name:	COMBAHTONcombahtonGmbHDE
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RecordPad Sound Recorder_is1

Inno Setup: Setup Version

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RecordPad Sound Recorder_is1

Inno Setup: App Path

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RecordPad Sound Recorder_is1

InstallLocation

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RecordPad Sound Recorder_is1

Inno Setup: Icon Group

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RecordPad Sound Recorder_is1

Inno Setup: User

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RecordPad Sound Recorder_is1

DisplayName

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RecordPad Sound Recorder_is1

UninstallString

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RecordPad Sound Recorder_is1

QuietUninstallString

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RecordPad Sound Recorder_is1

NoModify

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RecordPad Sound Recorder_is1

NoRepair

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RecordPad Sound Recorder_is1

InstallDate

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SVGALabel

uidf_i66_0

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SVGALabel

uidf_s66_11

There are 3 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2601000

direct allocation

page execute and read and write

97E000

heap

page read and write

401000

unkown

page execute read

355F000

stack

page read and write

BD0000

heap

page read and write

494000

unkown

page write copy

21635C02000

heap

page read and write

BC0000

heap

page read and write

BC0000

direct allocation

page read and write

BA0000

direct allocation

page read and write

5F0000

direct allocation

page execute and read and write

4C3000

unkown

page write copy

401000

unkown

page execute read

297F000

heap

page read and write

2144000

direct allocation

page read and write

400000

unkown

page execute and read and write

3310000

heap

page read and write

620000

heap

page read and write

496000

unkown

page read and write

10002000

unkown

page readonly

411000

unkown

page readonly

94A000

heap

page read and write

10000000

unkown

page readonly

263A000

direct allocation

page execute and read and write

25B0000

direct allocation

page read and write

401000

unkown

page execute read

6EE000

heap

page read and write

5AA000

unkown

page execute and write copy

93E000

stack

page read and write

2530000

direct allocation

page read and write

91C000

heap

page read and write

420000

heap

page read and write

2830000

heap

page read and write

369F000

stack

page read and write

21635A20000

heap

page read and write

345E000

stack

page read and write

40B000

unkown

page execute and read and write

4C90000

heap

page read and write

4C0000

unkown

page readonly

922000

heap

page read and write

B80000

direct allocation

page read and write

21635D02000

heap

page read and write

5AA000

unkown

page execute and write copy

F7800FE000

unkown

page readonly

A7E000

stack

page read and write

25B4000

heap

page read and write

6CC000

heap

page read and write

4B1E000

stack

page read and write

F7801FE000

stack

page read and write

810000

heap

page read and write

6E8000

heap

page read and write

700000

heap

page read and write

BA2000

direct allocation

page read and write

2310000

direct allocation

page read and write

21635C24000

heap

page read and write

21635B00000

heap

page read and write

40B000

unkown

page write copy

306E000

stack

page read and write

B90000

direct allocation

page read and write

253B000

direct allocation

page read and write

B80000

direct allocation

page read and write

2328000

direct allocation

page read and write

400000

unkown

page execute and read and write

359E000

stack

page read and write

32BE000

stack

page read and write

4D90000

direct allocation

page read and write

878000

heap

page read and write

F7FFA7D000

stack

page read and write

4A1E000

stack

page read and write

669000

heap

page read and write

969000

heap

page read and write

400000

unkown

page readonly

2C9E000

stack

page read and write

C80000

heap

page read and write

498000

unkown

page write copy

4C5000

unkown

page write copy

B90000

heap

page read and write

9B000

stack

page read and write

2B1B000

stack

page read and write

4C9000

unkown

page readonly

2098000

direct allocation

page read and write

21635A00000

heap

page read and write

400000

unkown

page readonly

4C9000

unkown

page readonly

2342000

direct allocation

page read and write

6E0000

heap

page read and write

2318000

direct allocation

page read and write

756000

heap

page read and write

2580000

direct allocation

page read and write

19D000

stack

page read and write

2D9E000

stack

page read and write

2328000

direct allocation

page read and write

2310000

direct allocation

page read and write

4D90000

trusted library allocation

page read and write

2900000

trusted library allocation

page read and write

2091000

direct allocation

page read and write

36A0000

heap

page read and write

21636190000

trusted library allocation

page read and write

25B0000

heap

page read and write

400000

unkown

page readonly

BB0000

direct allocation

page read and write

6E0000

heap

page read and write

7F0000

heap

page read and write

B7E000

stack

page read and write

332D000

heap

page read and write

401000

unkown

page execute read

9C000

stack

page read and write

2480000

direct allocation

page read and write

590000

heap

page read and write

40D000

unkown

page write copy

730000

heap

page read and write

F7FFD7E000

stack

page read and write

2317000

direct allocation

page read and write

9C000

stack

page read and write

2290000

heap

page read and write

B70000

heap

page read and write

21635C13000

heap

page read and write

2091000

direct allocation

page read and write

21635C43000

heap

page read and write

331E000

heap

page read and write

4B5E000

stack

page read and write

BB2000

direct allocation

page read and write

10001000

unkown

page execute read

F7FFF7C000

stack

page read and write

BF0000

direct allocation

page read and write

A3F000

stack

page read and write

BA0000

direct allocation

page read and write

62A000

heap

page read and write

A5C000

stack

page read and write

3314000

heap

page read and write

F7FFB7E000

unkown

page readonly

4D0000

heap

page read and write

2340000

direct allocation

page read and write

401000

unkown

page execute read

6AD000

heap

page read and write

3351000

heap

page read and write

231C000

direct allocation

page read and write

2309000

heap

page read and write

401000

unkown

page execute read

22A0000

heap

page read and write

F7FFE7E000

unkown

page readonly

4C5000

unkown

page write copy

500000

heap

page read and write

820000

heap

page read and write

595000

heap

page read and write

400000

unkown

page readonly

6AC000

heap

page read and write

4A6000

unkown

page readonly

2DDE000

stack

page read and write

2EDF000

stack

page read and write

4C3000

unkown

page write copy

22E0000

heap

page read and write

235C000

direct allocation

page read and write

6EA000

heap

page read and write

250B000

direct allocation

page read and write

411000

unkown

page readonly

BE0000

heap

page read and write

19C000

stack

page read and write

2391000

heap

page read and write

2300000

heap

page read and write

BB0000

direct allocation

page read and write

3280000

direct allocation

page read and write

95F000

heap

page read and write

6E0000

heap

page read and write

6AC000

heap

page read and write

33D8000

heap

page read and write

2084000

direct allocation

page read and write

96000

stack

page read and write

2305000

heap

page read and write

316F000

stack

page read and write

494000

unkown

page read and write

19D000

stack

page read and write

40B000

unkown

page read and write

3280000

direct allocation

page read and write

66F000

heap

page read and write

400000

unkown

page readonly

2F1E000

stack

page read and write

750000

heap

page read and write

7E0000

heap

page read and write

40B000

unkown

page execute and read and write

21635C55000

heap

page read and write

F7802FE000

unkown

page readonly

870000

heap

page read and write

301D000

stack

page read and write

4C0000

heap

page read and write

26D0000

heap

page read and write

31BE000

stack

page read and write

F7FF4AB000

stack

page read and write

570000

heap

page read and write

36E2000

heap

page read and write

18D000

stack

page read and write

4A6000

unkown

page readonly

2310000

direct allocation

page read and write

2500000

direct allocation

page read and write

4C0000

unkown

page readonly

4C5F000

stack

page read and write

400000

unkown

page readonly

21636202000

trusted library allocation

page read and write

62E000

heap

page read and write

2180000

heap

page read and write

2080000

direct allocation

page read and write

21635C00000

heap

page read and write

There are 192 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
tOniaJ21lj.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReporttOniaJ21lj.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
tOniaJ21lj.exe