Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

PO_23052024.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.002050746639198
Filename:	PO_23052024.exe
Filesize:	924168
MD5:	23626a822afb45c288acf9fabbef5ad1
SHA1:	4e0db9f021191084331d9ed7164f066fe1003f06
SHA256:	581ebd71502e26428ff03f5d743fbea09b17d22779e739c41022ac41cfac0242
SHA512:	6d098502008b94d46abd74bbc5a9c53f7101da6538f44e634fb2556e970950474193c43de03dd37f56442fb4a5e47a6449f462e3a598a10602f20851f178b2b6
SSDEEP:	12288:C8zWaRWoy6JBmtWTDNO9UEJEgR4ADxRuAoZzqCqw+FWzu7rxK4qLEDkR:C8zWMMcBXTPg7CqwQrFo1
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. .......................@............@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
.NET source code contains very large strings	System Summary	System Network Configuration Discovery
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)	Anti Debugging
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to register a low level keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a window with clipboard capturing capabilities	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE / OLE file has an invalid certificate	System Summary
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
.NET source code contains methods with suspicious names	System Summary	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary	System Information Discovery
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO_23052024.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO_23052024.exe.log
Category:	dropped
Dump:	PO_23052024.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\PO_23052024.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE / OLE file has an invalid certificate	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\PO_23052024.exe

"C:\Users\user\Desktop\PO_23052024.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6824
Target ID:	0
Parent PID:	2580
Name:	PO_23052024.exe
Path:	C:\Users\user\Desktop\PO_23052024.exe
Commandline:	"C:\Users\user\Desktop\PO_23052024.exe"
Size:	924168
MD5:	23626A822AFB45C288ACF9FABBEF5AD1
Time:	09:14:53
Date:	23/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xfc0000
Modulesize:	933888
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Initial sample is a PE file and has a suspicious name	System Summary
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE / OLE file has an invalid certificate	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\PO_23052024.exe

"C:\Users\user\Desktop\PO_23052024.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6972
Target ID:	1
Parent PID:	6824
Name:	PO_23052024.exe
Path:	C:\Users\user\Desktop\PO_23052024.exe
Commandline:	"C:\Users\user\Desktop\PO_23052024.exe"
Size:	924168
MD5:	23626A822AFB45C288ACF9FABBEF5AD1
Time:	09:14:55
Date:	23/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xcb0000
Modulesize:	933888
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Initial sample is a PE file and has a suspicious name	System Summary
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE / OLE file has an invalid certificate	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://api.ipify.org/

104.26.12.205

https://api.ipify.org

unknown

http://tempuri.org/registerationDataSet.xsdOAsnanyDentalClinic.Properties.Resources

unknown

https://account.dyn.com/

unknown

http://x1.c.lencr.org/0

unknown

http://x1.i.lencr.org/0

unknown

http://mail.alitextile.com

unknown

http://tempuri.org/DataSet1.xsd

unknown

http://r3.o.lencr.org0

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://www.chiark.greenend.org.uk/~sgtatham/putty/0

unknown

http://x1.c.

unknown

http://ip-api.com/line/?fields=hosting

208.95.112.1

http://r3.i.lencr.org/0

unknown

There are 4 hidden URLs, click here to show them.

Domains

Name

Malicious

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Check if machine is in data center or colocation facility	Malware Analysis System Evasion	Security Software Discovery
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

mail.alitextile.com

192.185.143.105

Details

Name:	mail.alitextile.com
IP:	192.185.143.105
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

104.26.12.205

Details

Name:	api.ipify.org
IP:	104.26.12.205
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

208.95.112.1

ip-api.com

United States

192.185.143.105

mail.alitextile.com

United States

Details

IP:	192.185.143.105
TargetID:	1
Current Path:	C:\Users\user\Desktop\PO_23052024.exe
Country:	United States
Countrycode:	USA
ASN number:	46606
ASN name:	UNIFIEDLAYER-AS-1US
Private:	false
Domain:	mail.alitextile.com

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Outbound SMTP Connections	System Summary

104.26.12.205

api.ipify.org

United States

Details

IP:	104.26.12.205
TargetID:	1
Current Path:	C:\Users\user\Desktop\PO_23052024.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_23052024_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_23052024_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_23052024_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_23052024_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_23052024_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_23052024_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_23052024_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_23052024_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_23052024_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_23052024_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_23052024_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_23052024_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_23052024_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_23052024_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

46D6000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

4469000

trusted library allocation

page read and write

14EC000

stack

page read and write

5BF0000

trusted library allocation

page execute and read and write

2E13000

trusted library allocation

page execute and read and write

154E000

stack

page read and write

5E90000

heap

page read and write

1297000

heap

page read and write

182E000

stack

page read and write

133E000

heap

page read and write

13D0000

trusted library allocation

page read and write

1290000

heap

page read and write

2E47000

trusted library allocation

page execute and read and write

31F2000

trusted library allocation

page read and write

15AA000

trusted library allocation

page execute and read and write

3440000

trusted library allocation

page read and write

12CE000

heap

page read and write

910E000

stack

page read and write

1139000

stack

page read and write

58D0000

heap

page read and write

1590000

trusted library allocation

page read and write

5A5E000

stack

page read and write

5A83000

heap

page read and write

5A80000

heap

page read and write

4461000

trusted library allocation

page read and write

42FA000

trusted library allocation

page read and write

3643000

trusted library allocation

page read and write

3235000

trusted library allocation

page read and write

7490000

heap

page read and write

14AE000

stack

page read and write

44BB000

trusted library allocation

page read and write

6F30000

heap

page read and write

1584000

trusted library allocation

page read and write

1A00000

trusted library allocation

page read and write

5E80000

trusted library allocation

page read and write

FC2000

unkown

page readonly

67AC000

heap

page read and write

5E70000

trusted library allocation

page read and write

1A0F000

trusted library allocation

page read and write

67A3000

heap

page read and write

6F20000

trusted library allocation

page read and write

3406000

trusted library allocation

page read and write

3362000

trusted library allocation

page read and write

6E10000

trusted library allocation

page read and write

3307000

trusted library allocation

page read and write

601E000

stack

page read and write

13E7000

heap

page read and write

43FB000

trusted library allocation

page read and write

6020000

trusted library allocation

page read and write

3450000

heap

page read and write

433B000

trusted library allocation

page read and write

5D20000

heap

page read and write

158D000

trusted library allocation

page execute and read and write

769D000

stack

page read and write

5AEE000

stack

page read and write

445B000

trusted library allocation

page read and write

42DA000

trusted library allocation

page read and write

76A0000

trusted library allocation

page read and write

319C000

stack

page read and write

152C000

stack

page read and write

6F50000

trusted library allocation

page execute and read and write

676B000

heap

page read and write

447B000

trusted library allocation

page read and write

439B000

trusted library allocation

page read and write

3116000

trusted library allocation

page read and write

6792000

heap

page read and write

8E1E000

stack

page read and write

34A5000

trusted library allocation

page read and write

3725000

trusted library allocation

page read and write

64AC000

stack

page read and write

320D000

trusted library allocation

page read and write

41B1000

trusted library allocation

page read and write

1C00000

heap

page read and write

12B8000

heap

page read and write

437B000

trusted library allocation

page read and write

58AB000

trusted library allocation

page read and write

33FE000

trusted library allocation

page read and write

174E000

heap

page read and write

5930000

trusted library allocation

page execute and read and write

2E4B000

trusted library allocation

page execute and read and write

6E0A000

trusted library allocation

page read and write

67B6000

heap

page read and write

A4EE000

heap

page read and write

368B000

trusted library allocation

page read and write

938E000

stack

page read and write

67B0000

heap

page read and write

11FE000

stack

page read and write

35C4000

trusted library allocation

page read and write

15B0000

trusted library allocation

page read and write

35CC000

trusted library allocation

page read and write

31FA000

trusted library allocation

page read and write

1139000

stack

page read and write

6F40000

heap

page read and write

1720000

trusted library allocation

page execute and read and write

449B000

trusted library allocation

page read and write

1948000

trusted library allocation

page read and write

5B2C000

stack

page read and write

A506000

heap

page read and write

5960000

trusted library section

page read and write

58CE000

stack

page read and write

186B000

stack

page read and write

44DB000

trusted library allocation

page read and write

928E000

stack

page read and write

5CA0000

trusted library allocation

page read and write

5CF0000

trusted library allocation

page read and write

30FE000

trusted library allocation

page read and write

3358000

trusted library allocation

page read and write

5CEE000

stack

page read and write

3404000

trusted library allocation

page read and write

741C000

stack

page read and write

1781000

heap

page read and write

5E6B000

stack

page read and write

3618000

trusted library allocation

page read and write

1580000

trusted library allocation

page read and write

6736000

heap

page read and write

1327000

heap

page read and write

15A6000

trusted library allocation

page execute and read and write

30AC000

stack

page read and write

35A0000

trusted library allocation

page read and write

3276000

trusted library allocation

page read and write

142E000

stack

page read and write

555C000

stack

page read and write

34F0000

trusted library allocation

page read and write

31B1000

trusted library allocation

page read and write

58A4000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

3669000

trusted library allocation

page read and write

5FD0000

trusted library allocation

page read and write

30B0000

trusted library allocation

page read and write

6E00000

trusted library allocation

page read and write

678E000

heap

page read and write

17FC000

heap

page read and write

5929000

trusted library allocation

page read and write

80A0000

trusted library allocation

page read and write

914E000

stack

page read and write

193E000

stack

page read and write

11B0000

heap

page read and write

2E1D000

trusted library allocation

page execute and read and write

3102000

trusted library allocation

page read and write

36FA000

trusted library allocation

page read and write

6BAE000

stack

page read and write

15B2000

trusted library allocation

page read and write

67C6000

heap

page read and write

3540000

trusted library allocation

page read and write

3479000

trusted library allocation

page read and write

103A000

stack

page read and write

A529000

heap

page read and write

2E42000

trusted library allocation

page read and write

349E000

trusted library allocation

page read and write

30C0000

heap

page read and write

1700000

heap

page read and write

1336000

heap

page read and write

3461000

trusted library allocation

page read and write

A4B6000

heap

page read and write

12E4000

heap

page read and write

6E60000

trusted library allocation

page read and write

6E66000

trusted library allocation

page read and write

FC0000

unkown

page readonly

6AAE000

stack

page read and write

33AC000

trusted library allocation

page read and write

58BE000

trusted library allocation

page read and write

5922000

trusted library allocation

page read and write

45EC000

trusted library allocation

page read and write

5F9E000

stack

page read and write

6029000

trusted library allocation

page read and write

58C6000

trusted library allocation

page read and write

32BF000

trusted library allocation

page read and write

43BB000

trusted library allocation

page read and write

2EAE000

stack

page read and write

431B000

trusted library allocation

page read and write

435B000

trusted library allocation

page read and write

423A000

trusted library allocation

page read and write

34A7000

trusted library allocation

page read and write

6EF0000

trusted library allocation

page read and write

1570000

trusted library allocation

page read and write

A4E1000

heap

page read and write

2E45000

trusted library allocation

page execute and read and write

1593000

trusted library allocation

page read and write

62EC000

stack

page read and write

2FC0000

heap

page read and write

1776000

heap

page read and write

12B0000

heap

page read and write

3111000

trusted library allocation

page read and write

678A000

heap

page read and write

1769000

heap

page read and write

A538000

heap

page read and write

65AE000

stack

page read and write

35EF000

trusted library allocation

page read and write

34AF000

trusted library allocation

page read and write

3239000

trusted library allocation

page read and write

67D9000

heap

page read and write

17E6000

heap

page read and write

31E1000

trusted library allocation

page read and write

6BFD000

stack

page read and write

429A000

trusted library allocation

page read and write

66F0000

heap

page read and write

6DBC000

stack

page read and write

2E20000

trusted library allocation

page read and write

3134000

trusted library allocation

page read and write

2E32000

trusted library allocation

page read and write

443B000

trusted library allocation

page read and write

1BEC000

stack

page read and write

6890000

trusted library section

page read and write

12DA000

heap

page read and write

6E70000

trusted library allocation

page read and write

351A000

trusted library allocation

page read and write

11A0000

heap

page read and write

351C000

trusted library allocation

page read and write

1320000

heap

page read and write

1787000

heap

page read and write

311D000

trusted library allocation

page read and write

344E000

trusted library allocation

page read and write

2E30000

trusted library allocation

page read and write

924E000

stack

page read and write

58A0000

trusted library allocation

page read and write

11A0000

heap

page read and write

2E3A000

trusted library allocation

page execute and read and write

2FB0000

trusted library allocation

page execute and read and write

85A0000

heap

page read and write

174A000

heap

page read and write

632E000

stack

page read and write

1185000

heap

page read and write

31A0000

heap

page execute and read and write

52AD000

stack

page read and write

41D9000

trusted library allocation

page read and write

15C5000

heap

page read and write

16B0000

trusted library allocation

page read and write

349D000

trusted library allocation

page read and write

19E0000

trusted library allocation

page read and write

2E14000

trusted library allocation

page read and write

A501000

heap

page read and write

68EE000

unkown

page read and write

310E000

trusted library allocation

page read and write

85B0000

heap

page read and write

30E0000

trusted library allocation

page read and write

33FC000

trusted library allocation

page read and write

1A10000

heap

page read and write

15A0000

trusted library allocation

page read and write

5910000

heap

page read and write

15B7000

trusted library allocation

page execute and read and write

58C1000

trusted library allocation

page read and write

2E2D000

trusted library allocation

page execute and read and write

A4D6000

heap

page read and write

2E60000

trusted library allocation

page read and write

12E6000

heap

page read and write

43E000

remote allocation

page execute and read and write

1180000

heap

page read and write

67A8000

heap

page read and write

137A000

heap

page read and write

341F000

stack

page read and write

A4A0000

heap

page read and write

3420000

trusted library allocation

page read and write

31E6000

trusted library allocation

page read and write

42BA000

trusted library allocation

page read and write

1730000

heap

page execute and read and write

1339000

heap

page read and write

32BB000

trusted library allocation

page read and write

2FAE000

stack

page read and write

441B000

trusted library allocation

page read and write

3667000

trusted library allocation

page read and write

5C2C000

stack

page read and write

3130000

trusted library allocation

page read and write

30F0000

trusted library allocation

page read and write

5970000

heap

page read and write

16FE000

stack

page read and write

425A000

trusted library allocation

page read and write

55F0000

heap

page read and write

8E5E000

stack

page read and write

900E000

stack

page read and write

759D000

stack

page read and write

3272000

trusted library allocation

page read and write

36B0000

trusted library allocation

page read and write

5C9A000

heap

page read and write

6DC0000

trusted library allocation

page read and write

696E000

stack

page read and write

6A0E000

stack

page read and write

326A000

trusted library allocation

page read and write

1280000

heap

page read and write

1583000

trusted library allocation

page execute and read and write

31EE000

trusted library allocation

page read and write

6C3E000

stack

page read and write

15C0000

heap

page read and write

1BF5000

trusted library allocation

page read and write

2E40000

trusted library allocation

page read and write

327A000

trusted library allocation

page read and write

67A0000

heap

page read and write

66AC000

stack

page read and write

66F9000

heap

page read and write

58E0000

heap

page execute and read and write

146E000

stack

page read and write

5920000

trusted library allocation

page read and write

5A60000

trusted library section

page read and write

A51F000

heap

page read and write

2E36000

trusted library allocation

page execute and read and write

30FB000

trusted library allocation

page read and write

1783000

heap

page read and write

67EE000

heap

page read and write

5D1E000

stack

page read and write

8DD0000

trusted library allocation

page execute and read and write

59EC000

stack

page read and write

58CD000

trusted library allocation

page read and write

43DB000

trusted library allocation

page read and write

5744000

heap

page read and write

331E000

stack

page read and write

159D000

trusted library allocation

page execute and read and write

326E000

trusted library allocation

page read and write

6E80000

trusted library allocation

page execute and read and write

3140000

trusted library allocation

page read and write

2FD8000

trusted library allocation

page read and write

5C90000

heap

page read and write

349F000

trusted library allocation

page read and write

19F0000

trusted library allocation

page read and write

2E10000

trusted library allocation

page read and write

35C6000

trusted library allocation

page read and write

14F7000

stack

page read and write

44FB000

trusted library allocation

page read and write

5C10000

heap

page execute and read and write

13E0000

heap

page read and write

6EFB000

trusted library allocation

page read and write

366F000

trusted library allocation

page read and write

6A6D000

stack

page read and write

5C70000

trusted library allocation

page read and write

427A000

trusted library allocation

page read and write

6E14000

trusted library allocation

page read and write

1740000

heap

page read and write

421A000

trusted library allocation

page read and write

15BB000

trusted library allocation

page execute and read and write

31F6000

trusted library allocation

page read and write

5C00000

trusted library allocation

page read and write

679A000

heap

page read and write

6EE0000

trusted library allocation

page execute and read and write

5740000

heap

page read and write

1BF0000

trusted library allocation

page read and write

67E3000

heap

page read and write

36AD000

trusted library allocation

page read and write

7F630000

trusted library allocation

page execute and read and write

There are 327 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
PO_23052024.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportPO_23052024.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
PO_23052024.exe