Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

PO 32187 #290424.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.248734371115362
Filename:	PO 32187 #290424.exe
Filesize:	1117184
MD5:	229fe47707cccda45c6af54be6b852f1
SHA1:	a4657bc7114efcba18cf8293797f2c389e3f125f
SHA256:	672047c9f1f92700303fa90df3ecce9faf67138888eedce5fd47a599120e0ec5
SHA512:	984cdf2fb4c2797f112c94370d0d9bfaf67bcd5603390a1d2d6717f0fbe73734f7de207582cfb1facdc36ccd9ce54539318c0c0ff17d71b464e0c586d9e1019a
SSDEEP:	12288:nZxMPV/hEq2iNVNeU+U6+B1MLAzPDnIzOgqEnACusmKAbJE+/kBeWFm+IPaxuoUA:IPpN1gj+B1X8zOGcsPAr/wRFm+I
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..\|............... ........@.. .......................`............@................................

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation
.NET source code contains potential unpacker	Data Obfuscation
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Machine Learning detection for sample	AV Detection
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains functionality to call native functions	System Summary
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
.NET source code contains methods with suspicious names	System Summary	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO 32187 #290424.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO 32187 #290424.exe.log
Category:	dropped
Dump:	PO 32187 #290424.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\PO 32187 #290424.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.35299682261553
Encrypted:	false
Ssdeep:	48:MxHKiHKx1qHiYHKh3oPtHo6hAHKze0HKHKMRbHKnHKU57Uivj:iqiqxwCYqh3oPtI6eqzxqqMRbqnqU57n
Size:	1730
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\PO 32187 #290424.exe

"C:\Users\user\Desktop\PO 32187 #290424.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5704
Target ID:	0
Parent PID:	1028
Name:	PO 32187 #290424.exe
Path:	C:\Users\user\Desktop\PO 32187 #290424.exe
Commandline:	"C:\Users\user\Desktop\PO 32187 #290424.exe"
Size:	1117184
MD5:	229FE47707CCCDA45C6AF54BE6B852F1
Time:	07:51:51
Date:	02/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xb80000
Modulesize:	1138688
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\Desktop\PO 32187 #290424.exe

"C:\Users\user\Desktop\PO 32187 #290424.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4788
Target ID:	3
Parent PID:	5704
Name:	PO 32187 #290424.exe
Path:	C:\Users\user\Desktop\PO 32187 #290424.exe
Commandline:	"C:\Users\user\Desktop\PO 32187 #290424.exe"
Size:	1117184
MD5:	229FE47707CCCDA45C6AF54BE6B852F1
Time:	07:51:52
Date:	02/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xdc0000
Modulesize:	1138688
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

http://tempuri.org/CookBookDataSet.xsd

unknown

http://checkip.dyndns.org/

193.122.6.168

http://checkip.dyndns.org/q

unknown

https://scratchdreams.tk

unknown

http://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org/xml/191.96.150.225

104.21.67.152

https://scratchdreams.tk/_send_.php?TS

104.21.27.85

http://checkip.dyndns.org

unknown

http://checkip.dyndns.com

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://scratchdreams.tk

unknown

https://reallyfreegeoip.org/xml/191.96.150.225$

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 4 hidden URLs, click here to show them.

Domains

Name

Malicious

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

reallyfreegeoip.org

104.21.67.152

Details

Name:	reallyfreegeoip.org
IP:	104.21.67.152
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

scratchdreams.tk

104.21.27.85

Details

Name:	scratchdreams.tk
IP:	104.21.27.85
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

checkip.dyndns.com

193.122.6.168

IPs

Domain

Country

Malicious

104.21.67.152

reallyfreegeoip.org

United States

Details

IP:	104.21.67.152
TargetID:	3
Current Path:	C:\Users\user\Desktop\PO 32187 #290424.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

193.122.6.168

checkip.dyndns.com

United States

104.21.27.85

scratchdreams.tk

United States

Details

IP:	104.21.27.85
TargetID:	3
Current Path:	C:\Users\user\Desktop\PO 32187 #290424.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	scratchdreams.tk

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO 32187 #290424_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO 32187 #290424_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO 32187 #290424_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO 32187 #290424_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO 32187 #290424_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO 32187 #290424_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO 32187 #290424_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO 32187 #290424_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO 32187 #290424_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO 32187 #290424_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO 32187 #290424_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO 32187 #290424_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO 32187 #290424_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO 32187 #290424_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2FE0000

trusted library section

page read and write

4A5F000

trusted library allocation

page read and write

31D1000

trusted library allocation

page read and write

3021000

trusted library allocation

page read and write

351B000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

7D2D000

stack

page read and write

6EC0000

trusted library allocation

page read and write

3000000

trusted library allocation

page read and write

3080000

heap

page execute and read and write

141B000

trusted library allocation

page read and write

C23000

unkown

page execute and read and write

1410000

trusted library allocation

page read and write

7D70000

trusted library allocation

page read and write

30C0000

heap

page read and write

3334000

trusted library allocation

page read and write

13F0000

heap

page read and write

32D7000

trusted library allocation

page read and write

2FA0000

trusted library allocation

page read and write

6E7E000

stack

page read and write

3040000

trusted library allocation

page read and write

342C000

trusted library allocation

page read and write

7710000

trusted library allocation

page read and write

9910000

heap

page read and write

2F82000

trusted library allocation

page read and write

33DE000

trusted library allocation

page read and write

DC3E000

stack

page read and write

7C2D000

stack

page read and write

3296000

trusted library allocation

page read and write

549E000

stack

page read and write

56CE000

trusted library allocation

page read and write

1440000

heap

page read and write

5750000

heap

page read and write

8810000

heap

page read and write

DBFE000

stack

page read and write

55A0000

trusted library allocation

page execute and read and write

7BB4000

trusted library allocation

page read and write

3430000

trusted library allocation

page read and write

1489000

heap

page read and write

7BD1000

trusted library allocation

page read and write

423B000

trusted library allocation

page read and write

559F000

stack

page read and write

3330000

trusted library allocation

page read and write

326F000

trusted library allocation

page read and write

7D30000

trusted library allocation

page read and write

302E000

stack

page read and write

2FF0000

trusted library allocation

page read and write

4886000

trusted library allocation

page read and write

3262000

trusted library allocation

page read and write

1468000

heap

page read and write

DAFE000

stack

page read and write

6B7F000

stack

page read and write

166D000

trusted library allocation

page execute and read and write

3400000

trusted library allocation

page read and write

55B3000

heap

page read and write

14F4000

heap

page read and write

9D10000

trusted library allocation

page execute and read and write

12CF000

stack

page read and write

1450000

trusted library allocation

page read and write

2F8B000

trusted library allocation

page execute and read and write

7EEC000

stack

page read and write

2E20000

trusted library allocation

page read and write

1407000

trusted library allocation

page read and write

DABE000

stack

page read and write

5B20000

heap

page execute and read and write

80C5000

heap

page read and write

1496000

heap

page read and write

6B3D000

stack

page read and write

1470000

heap

page read and write

6D7E000

stack

page read and write

1582000

trusted library allocation

page read and write

3373000

trusted library allocation

page read and write

2F70000

trusted library allocation

page read and write

3050000

trusted library allocation

page read and write

355E000

trusted library allocation

page read and write

32B3000

trusted library allocation

page read and write

33D9000

trusted library allocation

page read and write

FF0000

heap

page read and write

D8EE000

stack

page read and write

6A00000

heap

page read and write

9B10000

heap

page read and write

1590000

trusted library allocation

page read and write

B82000

unkown

page readonly

1460000

trusted library allocation

page read and write

7BB0000

trusted library allocation

page read and write

9B47000

heap

page read and write

D90000

heap

page read and write

167D000

trusted library allocation

page execute and read and write

2F80000

trusted library allocation

page read and write

6ECE000

trusted library allocation

page read and write

6CBE000

stack

page read and write

32C7000

trusted library allocation

page read and write

9B3E000

heap

page read and write

1586000

trusted library allocation

page execute and read and write

55B0000

heap

page read and write

7F00000

trusted library allocation

page read and write

6A4E000

heap

page read and write

1592000

trusted library allocation

page read and write

5753000

heap

page read and write

B82000

unkown

page execute and read and write

4256000

trusted library allocation

page read and write

D885000

trusted library allocation

page read and write

152A000

heap

page read and write

326B000

trusted library allocation

page read and write

1670000

trusted library allocation

page read and write

327B000

trusted library allocation

page read and write

146D000

trusted library allocation

page execute and read and write

7F30000

heap

page read and write

3283000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

3298000

trusted library allocation

page read and write

8844000

heap

page read and write

178E000

stack

page read and write

1464000

trusted library allocation

page read and write

342A000

trusted library allocation

page read and write

15B0000

trusted library allocation

page read and write

3054000

trusted library allocation

page read and write

1548000

heap

page read and write

6CF0000

trusted library allocation

page execute and read and write

32DB000

trusted library allocation

page read and write

572D000

stack

page read and write

1663000

trusted library allocation

page execute and read and write

6A5B000

heap

page read and write

7D80000

trusted library allocation

page execute and read and write

2F4F000

stack

page read and write

2DF0000

trusted library allocation

page execute and read and write

426B000

trusted library allocation

page read and write

1409000

trusted library allocation

page read and write

797D000

stack

page read and write

1660000

trusted library allocation

page read and write

7BDD000

trusted library allocation

page read and write

F69000

stack

page read and write

9B12000

heap

page read and write

33E4000

trusted library allocation

page read and write

34E1000

trusted library allocation

page read and write

2FEE000

stack

page read and write

2E40000

heap

page read and write

1580000

trusted library allocation

page read and write

150A000

heap

page read and write

56BB000

trusted library allocation

page read and write

2FD0000

trusted library section

page read and write

7E70000

trusted library section

page readonly

425F000

trusted library allocation

page read and write

6CD0000

heap

page read and write

511C000

stack

page read and write

7BAD000

stack

page read and write

C49000

unkown

page execute and read and write

2FF5000

trusted library allocation

page read and write

12F0000

heap

page read and write

1650000

trusted library allocation

page read and write

1640000

trusted library allocation

page read and write

5D00000

trusted library allocation

page execute and read and write

D2A000

stack

page read and write

3436000

trusted library allocation

page read and write

8140000

trusted library allocation

page execute and read and write

140C000

trusted library allocation

page read and write

3328000

trusted library allocation

page read and write

1664000

trusted library allocation

page read and write

69FE000

stack

page read and write

3424000

trusted library allocation

page read and write

7F10000

trusted library allocation

page execute and read and write

15FE000

stack

page read and write

2F7A000

trusted library allocation

page execute and read and write

3352000

trusted library allocation

page read and write

158A000

trusted library allocation

page execute and read and write

2F87000

trusted library allocation

page execute and read and write

1600000

heap

page read and write

7D72000

trusted library allocation

page read and write

57E0000

trusted library allocation

page read and write

15A0000

trusted library allocation

page read and write

159B000

trusted library allocation

page execute and read and write

2FA0000

trusted library section

page read and write

3010000

heap

page execute and read and write

9D00000

trusted library allocation

page read and write

1420000

trusted library allocation

page execute and read and write

7EF0000

heap

page read and write

41D1000

trusted library allocation

page read and write

B80000

unkown

page execute and read and write

FE0000

heap

page read and write

7BD6000

trusted library allocation

page read and write

56E2000

trusted library allocation

page read and write

1510000

heap

page read and write

8820000

heap

page read and write

1546000

heap

page read and write

7D60000

heap

page read and write

58A0000

heap

page read and write

7DA0000

trusted library allocation

page read and write

7BCE000

trusted library allocation

page read and write

C4E000

unkown

page readonly

991E000

heap

page read and write

163E000

stack

page read and write

12F7000

stack

page read and write

147A000

heap

page read and write

56CA000

trusted library allocation

page read and write

1430000

trusted library allocation

page execute and read and write

33F7000

trusted library allocation

page read and write

6BBE000

stack

page read and write

80C0000

heap

page read and write

56D6000

trusted library allocation

page read and write

56DD000

trusted library allocation

page read and write

14F8000

heap

page read and write

9B1E000

heap

page read and write

14B2000

heap

page read and write

2E30000

trusted library allocation

page read and write

73E0000

heap

page read and write

10F8000

stack

page read and write

80B0000

trusted library allocation

page read and write

7E80000

heap

page read and write

56D1000

trusted library allocation

page read and write

A012000

trusted library allocation

page read and write

9EA0000

trusted library section

page read and write

79B0000

heap

page read and write

2E00000

trusted library allocation

page read and write

1607000

heap

page read and write

56BE000

trusted library allocation

page read and write

159E000

stack

page read and write

536E000

stack

page read and write

DA0000

heap

page read and write

2E10000

trusted library allocation

page read and write

3289000

trusted library allocation

page read and write

D880000

trusted library allocation

page read and write

3060000

trusted library allocation

page read and write

56B0000

trusted library allocation

page read and write

7BBB000

trusted library allocation

page read and write

3030000

trusted library allocation

page execute and read and write

DD3E000

stack

page read and write

4974000

trusted library allocation

page read and write

1400000

trusted library allocation

page read and write

33EE000

trusted library allocation

page read and write

9B0E000

stack

page read and write

DEE000

stack

page read and write

32CF000

trusted library allocation

page read and write

133E000

stack

page read and write

3467000

trusted library allocation

page read and write

5CF0000

trusted library allocation

page execute and read and write

FD0000

heap

page read and write

147E000

heap

page read and write

56B6000

trusted library allocation

page read and write

14A5000

heap

page read and write

8150000

trusted library allocation

page read and write

3342000

trusted library allocation

page read and write

2F85000

trusted library allocation

page execute and read and write

4845000

trusted library allocation

page read and write

157D000

trusted library allocation

page execute and read and write

68FE000

stack

page read and write

5C2E000

stack

page read and write

33FC000

trusted library allocation

page read and write

880D000

stack

page read and write

3090000

trusted library allocation

page read and write

2F72000

trusted library allocation

page read and write

1498000

heap

page read and write

79A0000

heap

page execute and read and write

17CE000

stack

page read and write

D8A0000

trusted library allocation

page execute and read and write

1597000

trusted library allocation

page execute and read and write

164B000

trusted library allocation

page read and write

1450000

trusted library allocation

page read and write

41F9000

trusted library allocation

page read and write

D88F000

trusted library allocation

page read and write

332C000

trusted library allocation

page read and write

3324000

trusted library allocation

page read and write

2F76000

trusted library allocation

page execute and read and write

1680000

heap

page read and write

2F9E000

stack

page read and write

1463000

trusted library allocation

page execute and read and write

1460000

heap

page read and write

147E000

heap

page read and write

14B0000

heap

page read and write

1570000

trusted library allocation

page read and write

7F20000

trusted library allocation

page read and write

32D3000

trusted library allocation

page read and write

2DEB000

stack

page read and write

4021000

trusted library allocation

page read and write

32C4000

trusted library allocation

page read and write

31CE000

stack

page read and write

143F000

stack

page read and write

B80000

unkown

page readonly

There are 267 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
PO 32187 #290424.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportPO 32187 #290424.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
PO 32187 #290424.exe