Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

PI-236031.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.93519305571913
Filename:	PI-236031.exe
Filesize:	1037312
MD5:	05d95a552838cb5c6d45a79473c9f430
SHA1:	535c4d854628081163b1da1afdea892204a88eef
SHA256:	9f8325d8345d383ed22e18f47303b03947c1e652ad304b7ca88a270355eb8f4d
SHA512:	4bab7d8da8541f46b7b048838f02c6d7a3408fe4615970375024fc7986bf2dbd790358a4aa2d68deb3a7ebdb4ab55b0bba85b54b390c695da7c645918f3d414c
SSDEEP:	24576:OAHnh+eWsN3skA4RV1Hom2KXMmHauvhieQkXRGQ5:5h+ZkldoPK8YauikX/
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection	Exploitation for Privilege Escalation
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection	Disable or Modify Tools
Binary is likely a compiled AutoIt script file	System Summary
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging	Disable or Modify Tools
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Access Token Manipulation
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	Disable or Modify Tools
Contains functionality to read the PEB	Anti Debugging
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Detected potential crypto function	System Summary	System Time Discovery Archive Collected Data Encrypted Channel
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API
Found large amount of non-executed APIs	Malware Analysis System Evasion	System Time Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Disable or Modify Tools System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Sample file is different than original file name gathered from version info	System Summary	System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Disable or Modify Tools
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary	Disable or Modify Tools
.NET source code contains calls to encryption/decryption functions	System Summary
Contains functionality for error logging	System Summary	Disable or Modify Tools
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to download additional files from the internet	Networking
Contains functionality to enum processes or threads	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Disable or Modify Tools
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion	Disable or Modify Tools
Reads software policies	System Summary
Sample is known by Antivirus	System Summary	Disable or Modify Tools
Tries to load missing DLLs	System Summary	DLL Side-Loading Disable or Modify Tools
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Users\user\AppData\Local\Temp\autE024.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\autE024.tmp
Category:	dropped
Dump:	autE024.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\PI-236031.exe
Type:	data
Entropy:	7.9359429885564605
Encrypted:	false
Ssdeep:	3072:1eg4R+7CZo9meyKdiwTOYPFD5QGdKdLUivOWEKc0ccdwQKVUFjK/BbsE:gzyAo9BOYPFYXvScSwKCE
Size:	153578
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\autE083.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\autE083.tmp
Category:	dropped
Dump:	autE083.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\PI-236031.exe
Type:	data
Entropy:	7.597195603822302
Encrypted:	false
Ssdeep:	192:yyaFcTokxCW/EeiNo/GONuVROF9cfsSEyUsmnZNufPCR6QayB1JupI0Q0+v:cFxkUWceiNo3NiWeUXZsPCIwBrkIMy
Size:	9908
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\leucoryx

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\leucoryx
Category:	dropped
Dump:	leucoryx.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\PI-236031.exe
Type:	data
Entropy:	6.64975718476219
Encrypted:	false
Ssdeep:	6144:MmtFJT+tD4CcNShwh6BvjC+LDqBHm89brvJ30P:Mm/JTe4Csj4vjC+YHmUBEP
Size:	244224
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\seskin

ASCII text, with very long lines (28724), with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\seskin
Category:	dropped
Dump:	seskin.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\PI-236031.exe
Type:	ASCII text, with very long lines (28724), with no line terminators
Entropy:	3.597914128032766
Encrypted:	false
Ssdeep:	768:ViTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNboE+I026c024vfF3if68:ViTZ+2QoioGRk6ZklputwjpjBkCiw2Rv
Size:	28724
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\PI-236031.exe

"C:\Users\user\Desktop\PI-236031.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6324
Target ID:	0
Parent PID:	3504
Name:	PI-236031.exe
Path:	C:\Users\user\Desktop\PI-236031.exe
Commandline:	"C:\Users\user\Desktop\PI-236031.exe"
Size:	1037312
MD5:	05D95A552838CB5C6D45A79473C9F430
Time:	06:19:31
Date:	27/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd60000
Modulesize:	1060864
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Binary is likely a compiled AutoIt script file	System Summary
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\PI-236031.exe"

Details

Is windows:	true
Is dropped:	false
PID:	420
Target ID:	2
Parent PID:	6324
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\PI-236031.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	06:19:32
Date:	27/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x530000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://account.dyn.com/

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.2778973187.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778973187.00000000029BA000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://ip-api.com/line/?fields=hosting

208.95.112.1

Details

Name:	http://ip-api.com/line/?fields=hosting
IP:	208.95.112.1
TargetID:	2
From Memory:	false
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking

http://ip-api.com

unknown

Details

Name:	http://ip-api.com
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.2778973187.00000000029D4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778973187.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778973187.00000000029CC000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Check if machine is in data center or colocation facility	Malware Analysis System Evasion	Security Software Discovery
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

208.95.112.1

ip-api.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

402000

system

page execute and read and write

2F80000

direct allocation

page read and write

4E80000

heap

page read and write

28EE000

stack

page read and write

29D4000

trusted library allocation

page read and write

395B000

trusted library allocation

page read and write

373D000

direct allocation

page read and write

2760000

trusted library allocation

page read and write

29F6000

trusted library allocation

page read and write

D50000

heap

page read and write

942000

heap

page read and write

C00000

trusted library allocation

page read and write

29E4000

trusted library allocation

page read and write

91C000

heap

page read and write

513F000

stack

page read and write

860000

heap

page read and write

A5A000

heap

page read and write

4D4E000

trusted library allocation

page read and write

3593000

direct allocation

page read and write

3593000

direct allocation

page read and write

4D42000

trusted library allocation

page read and write

3610000

direct allocation

page read and write

903000

heap

page read and write

A4E000

heap

page read and write

9C0000

trusted library allocation

page read and write

2966000

trusted library allocation

page read and write

9D0000

trusted library allocation

page read and write

373D000

direct allocation

page read and write

902000

heap

page read and write

C27000

trusted library allocation

page execute and read and write

4D30000

trusted library allocation

page read and write

3034000

heap

page read and write

4D3B000

trusted library allocation

page read and write

A30000

heap

page read and write

2A0A000

trusted library allocation

page read and write

3593000

direct allocation

page read and write

CFE000

stack

page read and write

987000

heap

page read and write

9E5000

heap

page read and write

4D56000

trusted library allocation

page read and write

B0E000

heap

page read and write

60E7000

trusted library allocation

page read and write

38F9000

trusted library allocation

page read and write

2F70000

direct allocation

page execute and read and write

517D000

stack

page read and write

63F0000

heap

page read and write

3610000

direct allocation

page read and write

7BF000

stack

page read and write

4EF0000

heap

page read and write

173E000

stack

page read and write

AEF000

heap

page read and write

6110000

trusted library allocation

page execute and read and write

37AE000

direct allocation

page read and write

C22000

trusted library allocation

page read and write

28F1000

trusted library allocation

page read and write

C40000

trusted library allocation

page read and write

91C000

heap

page read and write

3470000

direct allocation

page read and write

7FBE0000

trusted library allocation

page execute and read and write

2780000

trusted library allocation

page read and write

942000

heap

page read and write

3610000

direct allocation

page read and write

29DE000

trusted library allocation

page read and write

503E000

stack

page read and write

29CC000

trusted library allocation

page read and write

977000

heap

page read and write

2A04000

trusted library allocation

page read and write

60F0000

trusted library allocation

page read and write

C12000

trusted library allocation

page read and write

AFF000

heap

page read and write

A38000

heap

page read and write

E28000

unkown

page readonly

955000

heap

page read and write

43E000

system

page execute and read and write

E1F000

unkown

page write copy

91C000

heap

page read and write

5CA000

stack

page read and write

8F8000

stack

page read and write

AA8000

heap

page read and write

990000

heap

page read and write

29BA000

trusted library allocation

page read and write

91C000

heap

page read and write

E15000

unkown

page readonly

2770000

trusted library allocation

page read and write

7DB000

stack

page read and write

C10000

trusted library allocation

page read and write

903000

heap

page read and write

F00000

trusted library allocation

page execute and read and write

E15000

unkown

page readonly

942000

heap

page read and write

904000

heap

page read and write

91C000

heap

page read and write

8C8000

heap

page read and write

3470000

direct allocation

page read and write

9DD000

trusted library allocation

page execute and read and write

38F1000

trusted library allocation

page read and write

60E0000

trusted library allocation

page read and write

E1F000

unkown

page read and write

6160000

trusted library allocation

page read and write

997000

heap

page read and write

4D4A000

trusted library allocation

page read and write

958000

heap

page read and write

4EF3000

heap

page read and write

3739000

direct allocation

page read and write

D60000

unkown

page readonly

B2C000

heap

page read and write

5B94000

heap

page read and write

E28000

unkown

page readonly

3919000

trusted library allocation

page read and write

962000

heap

page read and write

27A0000

heap

page execute and read and write

EE0000

heap

page read and write

980000

heap

page read and write

8F3000

heap

page read and write

3739000

direct allocation

page read and write

29F1000

trusted library allocation

page read and write

930000

heap

page read and write

549D000

stack

page read and write

8F3000

heap

page read and write

942000

heap

page read and write

8E3000

heap

page read and write

3739000

direct allocation

page read and write

373D000

direct allocation

page read and write

49EE000

stack

page read and write

37AE000

direct allocation

page read and write

8F2000

heap

page read and write

3739000

direct allocation

page read and write

400000

system

page execute and read and write

840000

heap

page read and write

4D70000

heap

page read and write

3593000

direct allocation

page read and write

C2B000

trusted library allocation

page execute and read and write

F16000

heap

page read and write

8E8000

heap

page read and write

990000

heap

page read and write

373D000

direct allocation

page read and write

C8E000

stack

page read and write

29B4000

trusted library allocation

page read and write

8E8000

heap

page read and write

A64000

heap

page read and write

6120000

trusted library allocation

page execute and read and write

942000

heap

page read and write

942000

heap

page read and write

C0D000

trusted library allocation

page execute and read and write

8F3000

heap

page read and write

3739000

direct allocation

page read and write

942000

heap

page read and write

DEF000

unkown

page readonly

9D3000

trusted library allocation

page execute and read and write

D61000

unkown

page execute read

3739000

direct allocation

page read and write

133E000

stack

page read and write

373D000

direct allocation

page read and write

942000

heap

page read and write

D61000

unkown

page execute read

37AE000

direct allocation

page read and write

60DE000

stack

page read and write

CD0000

heap

page read and write

C1A000

trusted library allocation

page execute and read and write

F10000

heap

page read and write

CCC000

stack

page read and write

3470000

direct allocation

page read and write

27E0000

heap

page read and write

91C000

heap

page read and write

942000

heap

page read and write

3470000

direct allocation

page read and write

E23000

unkown

page write copy

4D51000

trusted library allocation

page read and write

911000

heap

page read and write

91C000

heap

page read and write

8C0000

heap

page read and write

2925000

trusted library allocation

page read and write

3030000

heap

page read and write

4D62000

trusted library allocation

page read and write

3470000

direct allocation

page read and write

3610000

direct allocation

page read and write

91C000

heap

page read and write

4EDC000

stack

page read and write

8AE000

stack

page read and write

4E90000

heap

page execute and read and write

903000

heap

page read and write

903000

heap

page read and write

54A0000

trusted library allocation

page read and write

3470000

direct allocation

page read and write

947000

heap

page read and write

91C000

heap

page read and write

91D000

heap

page read and write

5B60000

heap

page read and write

527E000

stack

page read and write

A66000

heap

page read and write

942000

heap

page read and write

4D3E000

trusted library allocation

page read and write

830000

heap

page read and write

2790000

trusted library allocation

page read and write

B01000

heap

page read and write

6100000

trusted library allocation

page read and write

947000

heap

page read and write

29E2000

trusted library allocation

page read and write

C16000

trusted library allocation

page execute and read and write

7CF000

stack

page read and write

37AE000

direct allocation

page read and write

4D5D000

trusted library allocation

page read and write

3593000

direct allocation

page read and write

7FC000

stack

page read and write

37AE000

direct allocation

page read and write

4EE0000

trusted library allocation

page read and write

D60000

unkown

page readonly

91C000

heap

page read and write

971000

heap

page read and write

942000

heap

page read and write

3610000

direct allocation

page read and write

4D36000

trusted library allocation

page read and write

B1A000

heap

page read and write

5F9E000

stack

page read and write

1CA000

stack

page read and write

5FDE000

stack

page read and write

DEF000

unkown

page readonly

373D000

direct allocation

page read and write

3610000

direct allocation

page read and write

947000

heap

page read and write

4FFC000

stack

page read and write

6150000

heap

page read and write

D40000

heap

page read and write

9D4000

trusted library allocation

page read and write

9E0000

heap

page read and write

26C8000

trusted library allocation

page read and write

3593000

direct allocation

page read and write

AC9000

heap

page read and write

54A7000

trusted library allocation

page read and write

37AE000

direct allocation

page read and write

There are 220 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
PI-236031.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportPI-236031.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
PI-236031.exe