Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

G1lnGpOLK4.exe

MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS

initial sample

Details

Filetype:	MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
Entropy:	7.753817895112134
Filename:	G1lnGpOLK4.exe
Filesize:	68951
MD5:	97d72efbb1f6fea3f158b136c330689d
SHA1:	43c884250ed032ced44d72d932518e831a34161d
SHA256:	2ff91319fbcc02e9dd7d80e21f5f7f48e0ae24b99a1b26625d344ab4812f37c4
SHA512:	a9937e30d19ebf33ebe4c20792f7499e79996f06b5e3bc6f28d506ba4440640ebc923d424184007f2f111c3706876c029f6d4e41d5ed144c2b8e666b32689596
SSDEEP:	1536:uuKlhoxbyGiiKkTvTiCUU8b+a1fJ3l4fLU2cjdFZPvf9G95T8KCc4:NKOyGxKIiCV8aa1fJV4zMF54ra
Preview:	MZ@.....................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@..4..................................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Disables Windows Defender (via service or powershell)	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Disables zone checking for all users	Lowering of HIPS / PFW / Operating System Security Settings
Machine Learning detection for sample	AV Detection
Modifies Windows Defender protection settings	HIPS / PFW / Operating System Protection Evasion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings
Abnormal high CPU Usage	System Summary
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Archive Collected Data
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses new MSVCR Dlls	Compliance, System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.6.dr
ID:	dr_5
Target ID:	6
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	1.1510207563435464
Encrypted:	false
Ssdeep:	3:Nlllullkv/tz:NllU+v/
Size:	64
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ojnmq5j.r54.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ojnmq5j.r54.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_5ojnmq5j.r54.ps1.6.dr
ID:	dr_1
Target ID:	6
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ed1lrobr.tzh.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ed1lrobr.tzh.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_ed1lrobr.tzh.psm1.6.dr
ID:	dr_2
Target ID:	6
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mf1svetu.2wj.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mf1svetu.2wj.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_mf1svetu.2wj.psm1.6.dr
ID:	dr_4
Target ID:	6
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wqnjg344.x0n.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wqnjg344.x0n.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_wqnjg344.x0n.ps1.6.dr
ID:	dr_3
Target ID:	6
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	timeout

Chrome Cache Entry: 51

ASCII text, with very long lines (3295)

downloaded

Details

File:	Chrome Cache Entry: 51
Category:	downloaded
Dump:	chromecache_51.3.dr
ID:	dr_6
Target ID:	3
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	ASCII text, with very long lines (3295)
Entropy:	5.866377899275874
Encrypted:	false
Ssdeep:	96:PMIBef+li0TZNHcSLVoKoHslPgMd67REaT2WVywa7B9MfQfffo:kMecHNL2KusuRZT/BSB9O
Size:	3300
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\G1lnGpOLK4.exe

"C:\Users\user\Desktop\G1lnGpOLK4.exe"

C:\Windows\System32\cmd.exe

cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\cmd.exe

cmd /c sc query windefend

C:\Windows\System32\cmd.exe

cmd /c sc stop windefend

C:\Windows\System32\cmd.exe

cmd /c sc delete windefend

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2036,i,13697505174205213952,6185066048164698462,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sc.exe

sc query windefend

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sc.exe

sc stop windefend

C:\Windows\System32\wbem\WmiPrvSE.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sc.exe

sc delete windefend

There are 6 hidden processes, click here to show them.

URLs

Name

Malicious

0.tcp.eu.ngrok.io

Details

Name:	0.tcp.eu.ngrok.io
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\G1lnGpOLK4.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for domain / URL	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

https://www.google.com/async/newtab_promos

142.251.40.228

Details

Name:	https://www.google.com/async/newtab_promos
IP:	142.251.40.228
TargetID:	3
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

142.251.40.228

https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

142.251.40.228

https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGPufzLEGIjDTt_akc_527nJ4zoGCbAZn0AkDcVIV2VLuAM78mz4Tuc4onQdlIzVDE6yNOrZBZH0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

142.251.40.228

https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGPufzLEGIjDqkokB_Yx903z9S8-TdyWhW8iPlrZBrgRiiMPzrxlLxgoQH634QKXADTY9t1vdNmMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

142.251.40.228

https://pastebin.com/raw/s4TipmJt

104.20.3.235

Details

Name:	https://pastebin.com/raw/s4TipmJt
IP:	104.20.3.235
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\G1lnGpOLK4.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
URLs found in memory or binary data	Networking

https://pastebin.com

unknown

Details

Name:	https://pastebin.com
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\G1lnGpOLK4.exe
Source:	G1lnGpOLK4.exe, 00000000.00000002.4072983013.00000000030A1000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

0.tcp.eu.ngrok.io

18.192.31.165

Details

Name:	0.tcp.eu.ngrok.io
IP:	18.192.31.165
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

www.google.com

142.251.40.228

Details

Name:	www.google.com
IP:	142.251.40.228
TargetID:	3
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

pastebin.com

104.20.3.235

Details

Name:	pastebin.com
IP:	104.20.3.235
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Connects to a pastebin service (likely for C&C)	Networking	Web Service
HTTP GET or POST without a user agent	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

18.192.31.165

0.tcp.eu.ngrok.io

United States

Details

IP:	18.192.31.165
TargetID:	0
Current Path:	C:\Users\user\Desktop\G1lnGpOLK4.exe
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false
Domain:	0.tcp.eu.ngrok.io

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

104.20.3.235

pastebin.com

United States

Details

IP:	104.20.3.235
TargetID:	0
Current Path:	C:\Users\user\Desktop\G1lnGpOLK4.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	pastebin.com

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

239.255.255.250

unknown

Reserved

3.124.142.205

unknown

United States

Details

IP:	3.124.142.205
TargetID:	0
Current Path:	C:\Users\user\Desktop\G1lnGpOLK4.exe
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

142.251.40.228

www.google.com

United States

192.168.2.4

unknown

Details

IP:	192.168.2.4
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Private:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER

HKEY_CURRENT_USER\Environment

SEE_MASK_NOZONECHECKS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\G1lnGpOLK4_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\G1lnGpOLK4_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\G1lnGpOLK4_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\G1lnGpOLK4_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\G1lnGpOLK4_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\G1lnGpOLK4_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\G1lnGpOLK4_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\G1lnGpOLK4_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\G1lnGpOLK4_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\G1lnGpOLK4_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\G1lnGpOLK4_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\G1lnGpOLK4_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\G1lnGpOLK4_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\G1lnGpOLK4_RASMANCS

FileDirectory

HKEY_CURRENT_USER\SOFTWARE\f2d4732908d59805d830a49d36974ac0

[kl]

There are 7 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

130AD000

trusted library allocation

page read and write

1390000

trusted library section

page read and write

758F4FC000

stack

page read and write

2D5E000

stack

page read and write

1130000

heap

page read and write

21DF9448000

heap

page read and write

18ADDB84000

heap

page read and write

962000

unkown

page readonly

964000

unkown

page readonly

2E86D960000

heap

page read and write

EE0000

heap

page read and write

2E86DC25000

heap

page read and write

1443000

heap

page read and write

1F1A7270000

heap

page read and write

1F1A73F5000

heap

page read and write

CF4000

stack

page read and write

1D044550000

heap

page read and write

FD1000

heap

page read and write

21DF9520000

heap

page read and write

21DF9370000

heap

page read and write

F71000

heap

page read and write

EE6000

heap

page read and write

DF0000

heap

page read and write

7FFD9B7B0000

trusted library allocation

page read and write

1B100000

trusted library allocation

page read and write

28000

trusted library allocation

page read and write

18ADDB6A000

heap

page read and write

7FFD9B7B6000

trusted library allocation

page read and write

7FFD9B920000

trusted library allocation

page execute and read and write

1F1A7409000

heap

page read and write

7FF466BC0000

trusted library allocation

page execute and read and write

B23D58F000

stack

page read and write

18ADDB86000

heap

page read and write

1B77C000

heap

page read and write

7FFD9B7A0000

trusted library allocation

page read and write

F76F77E000

unkown

page readonly

960000

unkown

page readonly

F63000

heap

page read and write

7FFD9B8E0000

trusted library allocation

page execute and read and write

F76F7FE000

stack

page read and write

B23D8FF000

stack

page read and write

758F5FF000

unkown

page read and write

1B9B5000

stack

page read and write

F0A000

heap

page read and write

F0E000

heap

page read and write

1AAA8ED0000

heap

page read and write

21DF942B000

heap

page read and write

1C277000

heap

page read and write

1D044630000

heap

page read and write

21F99280000

heap

page read and write

1489000

stack

page read and write

EF4207D000

stack

page read and write

78DD32C000

stack

page read and write

7FF466BD0000

trusted library allocation

page execute and read and write

21F992F0000

heap

page read and write

1155000

heap

page read and write

18ADDDC0000

heap

page read and write

EF4217F000

stack

page read and write

130A1000

trusted library allocation

page read and write

21F99270000

heap

page read and write

1D044690000

heap

page read and write

1F1A7350000

heap

page read and write

18ADDB20000

heap

page read and write

21F99340000

heap

page read and write

1C299000

heap

page read and write

1F1A7370000

heap

page read and write

21DF9350000

heap

page read and write

1D044660000

heap

page read and write

2CE60FF000

unkown

page read and write

1446000

heap

page read and write

21DF9446000

heap

page read and write

7FFD9B85A000

trusted library allocation

page execute and read and write

1C260000

heap

page read and write

21DF9270000

heap

page read and write

F75000

heap

page read and write

1365000

heap

page read and write

10E0000

trusted library allocation

page read and write

7FFD9B86D000

trusted library allocation

page execute and read and write

EF4227E000

stack

page read and write

7FFD9B930000

trusted library allocation

page execute and read and write

E40000

heap

page read and write

96E000

unkown

page readonly

E10000

heap

page read and write

1C25E000

stack

page read and write

21DF9420000

heap

page read and write

1160000

heap

page read and write

21F992A0000

heap

page read and write

1AAA8DF6000

heap

page read and write

1AAA8EF0000

heap

page read and write

960000

unkown

page readonly

1150000

heap

page read and write

7FFD9B860000

trusted library allocation

page read and write

7FFD9B865000

trusted library allocation

page read and write

37AACFF000

unkown

page read and write

2E86DC20000

heap

page read and write

3163000

trusted library allocation

page read and write

18ADDDB0000

heap

page read and write

7FFD9B852000

trusted library allocation

page execute and read and write

2E86DAA8000

heap

page read and write

2A000

trusted library allocation

page read and write

7FFD9B79A000

trusted library allocation

page execute and read and write

18ADDAF0000

heap

page read and write

F76F6FE000

stack

page read and write

1360000

heap

page read and write

37AA90B000

stack

page read and write

DD0000

heap

page read and write

30A1000

trusted library allocation

page read and write

1D044698000

heap

page read and write

7FFD9B7A2000

trusted library allocation

page execute and read and write

318B000

trusted library allocation

page read and write

1B97E000

stack

page read and write

18ADDB60000

heap

page read and write

2CE61FF000

stack

page read and write

7FFD9B86A000

trusted library allocation

page execute and read and write

1440000

heap

page read and write

14B0000

heap

page execute and read and write

1AAA8CA0000

heap

page read and write

EEC000

heap

page read and write

21F9934A000

heap

page read and write

2E86DAA0000

heap

page read and write

20000

trusted library allocation

page read and write

F10000

heap

page read and write

1AAA8DB0000

heap

page read and write

1BF5E000

stack

page read and write

18ADDB87000

heap

page read and write

7FFD9B7F4000

trusted library allocation

page execute and read and write

7FFD9B892000

trusted library allocation

page execute and read and write

1490000

trusted library section

page read and write

7FFD9B8D2000

trusted library allocation

page read and write

2CE5D2C000

stack

page read and write

1F1A7400000

heap

page read and write

758F6FF000

stack

page read and write

13A6000

trusted library section

page read and write

78DD6FF000

unkown

page read and write

7FFD9B792000

trusted library allocation

page execute and read and write

21F99364000

heap

page read and write

78DD7FF000

stack

page read and write

F44000

heap

page read and write

1C272000

heap

page read and write

B23D87E000

unkown

page readonly

1D044670000

heap

page read and write

18ADDB00000

heap

page read and write

2E86DA40000

heap

page read and write

1AAA8DF8000

heap

page read and write

1D044665000

heap

page read and write

F1B000

heap

page read and write

313B000

trusted library allocation

page read and write

21F99510000

heap

page read and write

18ADDDB5000

heap

page read and write

7FFD9B7C3000

trusted library allocation

page execute and read and write

1AAA8D80000

heap

page read and write

9F0000

heap

page read and write

21DF9650000

heap

page read and write

7FFD9B7BF000

trusted library allocation

page execute and read and write

1AAA8DD0000

heap

page read and write

B23D48C000

stack

page read and write

F76F3ED000

stack

page read and write

130A5000

trusted library allocation

page read and write

1BC5E000

stack

page read and write

1AAA8DDB000

heap

page read and write

37AADFF000

stack

page read and write

130A7000

trusted library allocation

page read and write

1F1A73F0000

heap

page read and write

130C4000

trusted library allocation

page read and write

7FFD9B8D7000

trusted library allocation

page read and write

2E86DA60000

heap

page read and write

There are 156 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
G1lnGpOLK4.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportG1lnGpOLK4.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
G1lnGpOLK4.exe