Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

PO_27052024.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.9615234029225865
Filename:	PO_27052024.exe
Filesize:	676360
MD5:	4199d8995c4b86f6053c43cb70a87aa9
SHA1:	ae7d740bc01ae87d643f98264efa3b995365a66f
SHA256:	74a7dd343c4fac52d9d695d8d189a1bf3d5e5578622099bdf731544df385b75d
SHA512:	e78a6a99ae8157f295a8c0cac9a0d72da5de4f4aa9e2fbaa131996e76eeb2906593d0e2bb6e82b8b733fd080cad5af1da5cea9b60be372942ac13122d6f5bbce
SSDEEP:	12288:iuxrYCFd6xhOIHq2tGUoa/Vyljum2dQbimFl8+IjkpqyhscnFQXkR:181xh7HqmGUosV2qQbim34EhRFQC
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Sf..............0.................. ... ....@.. .......................`............@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)	Anti Debugging
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks if the current process is being debugged	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Creates a window with clipboard capturing capabilities	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Detected potential crypto function	System Summary
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE / OLE file has an invalid certificate	System Summary
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary	Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO_27052024.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO_27052024.exe.log
Category:	dropped
Dump:	PO_27052024.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\PO_27052024.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE / OLE file has an invalid certificate	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\PO_27052024.exe

"C:\Users\user\Desktop\PO_27052024.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2724
Target ID:	0
Parent PID:	4056
Name:	PO_27052024.exe
Path:	C:\Users\user\Desktop\PO_27052024.exe
Commandline:	"C:\Users\user\Desktop\PO_27052024.exe"
Size:	676360
MD5:	4199D8995C4B86F6053C43CB70A87AA9
Time:	03:01:00
Date:	27/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x350000
Modulesize:	679936
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE / OLE file has an invalid certificate	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\PO_27052024.exe

"C:\Users\user\Desktop\PO_27052024.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2352
Target ID:	3
Parent PID:	2724
Name:	PO_27052024.exe
Path:	C:\Users\user\Desktop\PO_27052024.exe
Commandline:	"C:\Users\user\Desktop\PO_27052024.exe"
Size:	676360
MD5:	4199D8995C4B86F6053C43CB70A87AA9
Time:	03:01:01
Date:	27/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x40000
Modulesize:	679936
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE / OLE file has an invalid certificate	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\PO_27052024.exe

"C:\Users\user\Desktop\PO_27052024.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5956
Target ID:	4
Parent PID:	2724
Name:	PO_27052024.exe
Path:	C:\Users\user\Desktop\PO_27052024.exe
Commandline:	"C:\Users\user\Desktop\PO_27052024.exe"
Size:	676360
MD5:	4199D8995C4B86F6053C43CB70A87AA9
Time:	03:01:02
Date:	27/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc60000
Modulesize:	679936
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE / OLE file has an invalid certificate	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\SgrmBroker.exe

C:\Windows\system32\SgrmBroker.exe

Details

Is windows:	true
Is dropped:	false
PID:	2352
Target ID:	6
Parent PID:	624
Name:	SgrmBroker.exe
Path:	C:\Windows\System32\SgrmBroker.exe
Commandline:	C:\Windows\system32\SgrmBroker.exe
Size:	329504
MD5:	3BA1A18A0DC30A0545E7765CB97D8E63
Time:	03:01:05
Date:	27/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6f54a0000
Modulesize:	335872
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://api.ipify.org/

104.26.13.205

https://api.ipify.org

unknown

https://account.dyn.com/

unknown

http://x1.c.lencr.org/0

unknown

http://x1.i.lencr.org/0

unknown

http://mail.alitextile.com

unknown

http://r3.o.lencr.org0

unknown

http://feeds.soundcloud.com/users/soundcloud:users:38128127/sounds.rss

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://www.chiark.greenend.org.uk/~sgtatham/putty/0

unknown

http://x1.c.lencr.o?

unknown

http://ip-api.com/line/?fields=hosting

208.95.112.1

http://r3.i.lencr.org/0

unknown

There are 3 hidden URLs, click here to show them.

Domains

Name

Malicious

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Check if machine is in data center or colocation facility	Malware Analysis System Evasion	Security Software Discovery
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

mail.alitextile.com

192.185.143.105

Details

Name:	mail.alitextile.com
IP:	192.185.143.105
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

104.26.13.205

Details

Name:	api.ipify.org
IP:	104.26.13.205
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

208.95.112.1

ip-api.com

United States

192.185.143.105

mail.alitextile.com

United States

Details

IP:	192.185.143.105
TargetID:	4
Current Path:	C:\Users\user\Desktop\PO_27052024.exe
Country:	United States
Countrycode:	USA
ASN number:	46606
ASN name:	UNIFIEDLAYER-AS-1US
Private:	false
Domain:	mail.alitextile.com

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Outbound SMTP Connections	System Summary

104.26.13.205

api.ipify.org

United States

Details

IP:	104.26.13.205
TargetID:	4
Current Path:	C:\Users\user\Desktop\PO_27052024.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_27052024_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_27052024_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_27052024_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_27052024_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_27052024_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_27052024_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_27052024_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_27052024_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_27052024_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_27052024_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_27052024_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_27052024_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_27052024_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO_27052024_RASMANCS

FileDirectory

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\Security

c688cf83-9945-5ff6-0e1e-1ff1f8a2ec9a

There are 6 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

390E000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

1200000

trusted library allocation

page read and write

90D000

trusted library allocation

page execute and read and write

8F0000

trusted library allocation

page read and write

D99000

stack

page read and write

1150000

heap

page read and write

8F4000

trusted library allocation

page read and write

11F0000

trusted library allocation

page read and write

742C000

stack

page read and write

145E000

stack

page read and write

9D71000

heap

page read and write

9E16000

heap

page read and write

3171000

trusted library allocation

page read and write

82CF000

stack

page read and write

34D3000

trusted library allocation

page read and write

5170000

heap

page read and write

12C5000

heap

page read and write

CE2000

trusted library allocation

page read and write

6F20000

trusted library allocation

page read and write

64A0000

trusted library allocation

page read and write

4B9B000

trusted library allocation

page read and write

2620000

heap

page read and write

1246000

heap

page read and write

5770000

heap

page read and write

2580000

trusted library allocation

page read and write

6440000

trusted library allocation

page read and write

6EDDD000

unkown

page read and write

41C8000

trusted library allocation

page read and write

951000

heap

page read and write

1210000

heap

page read and write

5590000

heap

page read and write

120D000

trusted library allocation

page execute and read and write

34D7000

trusted library allocation

page read and write

6FE0000

trusted library allocation

page read and write

8CE000

stack

page read and write

5D20000

trusted library allocation

page read and write

4BD3000

heap

page read and write

7430000

heap

page read and write

900000

trusted library allocation

page read and write

4169000

trusted library allocation

page read and write

6AF1000

heap

page read and write

13FB000

trusted library allocation

page execute and read and write

73EC000

stack

page read and write

482C000

stack

page read and write

9DF0000

heap

page read and write

350000

unkown

page readonly

CE0000

trusted library allocation

page read and write

6AB1000

heap

page read and write

319D000

trusted library allocation

page read and write

9D55000

heap

page read and write

AABE000

stack

page read and write

41A8000

trusted library allocation

page read and write

317E000

trusted library allocation

page read and write

4288000

trusted library allocation

page read and write

6C9F000

stack

page read and write

9D40000

heap

page read and write

9D48000

heap

page read and write

149C000

stack

page read and write

5580000

heap

page read and write

2F86000

trusted library allocation

page read and write

CE6000

trusted library allocation

page execute and read and write

A9BE000

stack

page read and write

64EC000

stack

page read and write

6920000

trusted library section

page read and write

14C0000

heap

page read and write

9D6A000

heap

page read and write

6450000

heap

page read and write

6E5C000

stack

page read and write

9D8F000

heap

page read and write

2590000

trusted library allocation

page read and write

6910000

trusted library section

page read and write

13E6000

trusted library allocation

page execute and read and write

6850000

trusted library allocation

page read and write

6B2C000

heap

page read and write

82E0000

trusted library allocation

page read and write

4C05000

trusted library allocation

page read and write

5CBE000

stack

page read and write

34DB000

trusted library allocation

page read and write

2588000

trusted library allocation

page read and write

753E000

stack

page read and write

689000

stack

page read and write

6B1D000

heap

page read and write

9E10000

heap

page read and write

71DC000

stack

page read and write

16D0000

trusted library allocation

page read and write

13F2000

trusted library allocation

page read and write

13E2000

trusted library allocation

page read and write

8060000

trusted library allocation

page read and write

59BC000

stack

page read and write

8440000

heap

page read and write

4BE0000

trusted library allocation

page read and write

659D000

stack

page read and write

649B000

unkown

page read and write

6EDD6000

unkown

page readonly

6A60000

heap

page read and write

8B3C000

stack

page read and write

3787000

trusted library allocation

page read and write

1780000

trusted library allocation

page read and write

14A0000

trusted library allocation

page execute and read and write

2A1B000

trusted library allocation

page read and write

669E000

stack

page read and write

5774000

heap

page read and write

4268000

trusted library allocation

page read and write

3182000

trusted library allocation

page read and write

4BC2000

trusted library allocation

page read and write

6D1E000

stack

page read and write

5070000

heap

page read and write

5740000

heap

page read and write

257E000

stack

page read and write

6B4B000

heap

page read and write

4B70000

trusted library allocation

page execute and read and write

6F40000

trusted library allocation

page execute and read and write

4D70000

trusted library allocation

page execute and read and write

2F72000

trusted library allocation

page read and write

35AB000

trusted library allocation

page read and write

5750000

trusted library allocation

page read and write

6B5C000

heap

page read and write

2FA4000

trusted library allocation

page read and write

69E0000

trusted library allocation

page read and write

8E0000

trusted library allocation

page read and write

6A67000

heap

page read and write

9D93000

heap

page read and write

3739000

trusted library allocation

page read and write

321C000

trusted library allocation

page read and write

D70000

heap

page read and write

4BF0000

trusted library allocation

page read and write

4368000

trusted library allocation

page read and write

352000

unkown

page readonly

272E000

stack

page read and write

69F0000

trusted library allocation

page execute and read and write

4D50000

trusted library allocation

page read and write

34DF000

trusted library allocation

page read and write

13F5000

trusted library allocation

page execute and read and write

9DDC000

heap

page read and write

6AA5000

heap

page read and write

4308000

trusted library allocation

page read and write

4348000

trusted library allocation

page read and write

4F60000

heap

page read and write

150E000

stack

page read and write

1770000

trusted library allocation

page read and write

4D40000

trusted library allocation

page execute and read and write

8F3000

trusted library allocation

page execute and read and write

43C8000

trusted library allocation

page read and write

2F7E000

trusted library allocation

page read and write

33C1000

trusted library allocation

page read and write

1790000

heap

page read and write

9D5A000

heap

page read and write

6AE8000

heap

page read and write

4C00000

trusted library allocation

page read and write

5180000

heap

page read and write

1218000

heap

page read and write

154C000

stack

page read and write

6FA0000

trusted library allocation

page execute and read and write

4DE0000

heap

page read and write

2785000

trusted library allocation

page read and write

43E000

remote allocation

page execute and read and write

8080000

trusted library allocation

page execute and read and write

931A000

trusted library allocation

page read and write

6F1C000

stack

page read and write

91E000

heap

page read and write

9D63000

heap

page read and write

5730000

heap

page execute and read and write

2FA0000

trusted library allocation

page read and write

2F6E000

trusted library allocation

page read and write

35D5000

trusted library allocation

page read and write

1165000

heap

page read and write

4B90000

trusted library allocation

page read and write

3823000

trusted library allocation

page read and write

4F65000

heap

page read and write

7000000

trusted library allocation

page execute and read and write

261B000

stack

page read and write

845000

heap

page read and write

81CE000

stack

page read and write

8C3C000

stack

page read and write

BDF000

stack

page read and write

2F60000

trusted library allocation

page read and write

32E6000

trusted library allocation

page read and write

4208000

trusted library allocation

page read and write

4BBD000

trusted library allocation

page read and write

41E8000

trusted library allocation

page read and write

4DD0000

trusted library section

page readonly

6B8E000

stack

page read and write

158E000

stack

page read and write

313F000

stack

page read and write

6B43000

heap

page read and write

68F0000

trusted library allocation

page execute and read and write

43E8000

trusted library allocation

page read and write

6B32000

heap

page read and write

5BBC000

stack

page read and write

2F81000

trusted library allocation

page read and write

5D1A000

trusted library allocation

page read and write

3731000

trusted library allocation

page read and write

2731000

trusted library allocation

page read and write

1238000

heap

page read and write

6C40000

heap

page read and write

2F40000

heap

page read and write

903000

trusted library allocation

page read and write

43A8000

trusted library allocation

page read and write

645A000

heap

page read and write

37D5000

trusted library allocation

page read and write

82F0000

trusted library allocation

page read and write

6A5E000

stack

page read and write

11FD000

trusted library allocation

page execute and read and write

13E0000

trusted library allocation

page read and write

8450000

heap

page read and write

80B0000

heap

page read and write

9D89000

heap

page read and write

523D000

stack

page read and write

1100000

heap

page read and write

9840000

trusted library allocation

page read and write

CFB000

trusted library allocation

page execute and read and write

CEA000

trusted library allocation

page execute and read and write

9DC8000

heap

page read and write

840000

heap

page read and write

6420000

trusted library allocation

page read and write

D90000

heap

page read and write

1410000

trusted library allocation

page read and write

4328000

trusted library allocation

page read and write

506E000

stack

page read and write

94F000

heap

page read and write

13F0000

trusted library allocation

page read and write

9E38000

heap

page read and write

277E000

trusted library allocation

page read and write

11F3000

trusted library allocation

page execute and read and write

4C70000

heap

page read and write

6FB0000

trusted library allocation

page read and write

3218000

trusted library allocation

page read and write

D10000

trusted library allocation

page read and write

4408000

trusted library allocation

page read and write

5D24000

trusted library allocation

page read and write

6840000

trusted library allocation

page read and write

9D52000

heap

page read and write

9D86000

heap

page read and write

787000

stack

page read and write

4BAE000

trusted library allocation

page read and write

8FD000

trusted library allocation

page execute and read and write

6CDD000

stack

page read and write

5D00000

heap

page read and write

3141000

trusted library allocation

page read and write

6FF0000

heap

page read and write

400000

remote allocation

page execute and read and write

14C7000

heap

page read and write

9C8000

heap

page read and write

5ABE000

stack

page read and write

4C80000

heap

page execute and read and write

13EA000

trusted library allocation

page execute and read and write

6B9E000

stack

page read and write

4428000

trusted library allocation

page read and write

9B0000

heap

page read and write

9D5F000

heap

page read and write

4C92000

trusted library allocation

page read and write

42E8000

trusted library allocation

page read and write

9B8000

heap

page read and write

56BE000

stack

page read and write

631C000

stack

page read and write

ABBE000

stack

page read and write

31D9000

trusted library allocation

page read and write

32E8000

trusted library allocation

page read and write

9DA1000

heap

page read and write

4BB6000

trusted library allocation

page read and write

9EC000

heap

page read and write

6AFE000

stack

page read and write

4488000

trusted library allocation

page read and write

13F7000

trusted library allocation

page execute and read and write

300C000

stack

page read and write

4BD0000

heap

page read and write

4248000

trusted library allocation

page read and write

6FBB000

trusted library allocation

page read and write

2F8D000

trusted library allocation

page read and write

CF7000

trusted library allocation

page execute and read and write

6D5C000

stack

page read and write

9DD7000

heap

page read and write

7F0000

heap

page read and write

32CF000

trusted library allocation

page read and write

322F000

trusted library allocation

page read and write

3176000

trusted library allocation

page read and write

4388000

trusted library allocation

page read and write

3631000

trusted library allocation

page read and write

2F6B000

trusted library allocation

page read and write

6B15000

heap

page read and write

3214000

trusted library allocation

page read and write

1797000

heap

page read and write

4C10000

trusted library allocation

page read and write

3210000

trusted library allocation

page read and write

4468000

trusted library allocation

page read and write

1160000

heap

page read and write

11F4000

trusted library allocation

page read and write

3520000

trusted library allocation

page read and write

114E000

stack

page read and write

4448000

trusted library allocation

page read and write

69EE000

trusted library allocation

page read and write

A53C000

stack

page read and write

4317000

trusted library allocation

page read and write

32D5000

trusted library allocation

page read and write

4DCB000

stack

page read and write

7EE20000

trusted library allocation

page execute and read and write

88E000

stack

page read and write

42A8000

trusted library allocation

page read and write

6F26000

trusted library allocation

page read and write

800000

heap

page read and write

14B0000

heap

page read and write

11E0000

trusted library allocation

page read and write

944000

heap

page read and write

6B4E000

stack

page read and write

3186000

trusted library allocation

page read and write

42C8000

trusted library allocation

page read and write

4C30000

trusted library allocation

page read and write

10F9000

stack

page read and write

6F30000

trusted library allocation

page read and write

6740000

heap

page read and write

33F2000

trusted library allocation

page read and write

641D000

stack

page read and write

D6E000

stack

page read and write

31DC000

trusted library allocation

page read and write

933C000

stack

page read and write

16D8000

trusted library allocation

page read and write

695E000

stack

page read and write

82D0000

trusted library section

page read and write

5D10000

trusted library allocation

page read and write

314B000

trusted library allocation

page read and write

349B000

trusted library allocation

page read and write

11AC000

stack

page read and write

6EDC0000

unkown

page readonly

7F5C0000

trusted library allocation

page execute and read and write

D97000

heap

page read and write

3655000

trusted library allocation

page read and write

6EDC1000

unkown

page execute read

652C000

stack

page read and write

810000

heap

page read and write

5080000

heap

page read and write

910000

heap

page read and write

6B57000

heap

page read and write

3606000

trusted library allocation

page read and write

32EA000

trusted library allocation

page read and write

29AD000

trusted library allocation

page read and write

4228000

trusted library allocation

page read and write

4B80000

trusted library allocation

page read and write

1243000

heap

page read and write

6AE4000

heap

page read and write

9EA000

heap

page read and write

2FB0000

trusted library allocation

page read and write

CDF000

stack

page read and write

9C0000

heap

page read and write

4141000

trusted library allocation

page read and write

4BB1000

trusted library allocation

page read and write

4C90000

trusted library allocation

page read and write

349F000

trusted library allocation

page read and write

6960000

trusted library section

page read and write

16CC000

stack

page read and write

6EDDF000

unkown

page readonly

25DD000

stack

page read and write

9DEA000

heap

page read and write

CF2000

trusted library allocation

page read and write

318A000

trusted library allocation

page read and write

9E46000

heap

page read and write

D20000

heap

page execute and read and write

3030000

heap

page execute and read and write

6EDDD000

unkown

page read and write

There are 349 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
PO_27052024.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportPO_27052024.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
PO_27052024.exe