Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

LETTER OF AUTHORIZATION.exe

PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	4.17071387961605
Filename:	LETTER OF AUTHORIZATION.exe
Filesize:	3097248
MD5:	57cb0d1fbbe7e57e906d9bec624ff50f
SHA1:	d8eeb1c8e4530d619c7a5927fec5fcc892e0b24f
SHA256:	235feecbf39c506144e406ee52d764d830e5124d113280a5e339bf3bdee978a5
SHA512:	7d0be14e10f4174648cb597b9f8b32883088b9fed59cd4812339cdb379746e49b58dfb357d733fcb9b73c725451b64f6588e328518091b6311ef38c1dc41d886
SSDEEP:	12288:RaoerDVWSJRvp61xGNoQOgR4FeGQ5fzF2M9PbxyWnnMRGIliKj:RinVl1Yeo0R4FeHX2qwRFj
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0..3............... ....@...... ....................................`................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
One or more processes crash	System Summary
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary
Uses Microsoft Silverlight	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_LETTER OF AUTHOR_329154322c784dbb2b1b7cad391c25af57eb70_fa2d1c6a_5a9197ca-ebb7-4c17-b016-25b978ac7f2a\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_LETTER OF AUTHOR_329154322c784dbb2b1b7cad391c25af57eb70_fa2d1c6a_5a9197ca-ebb7-4c17-b016-25b978ac7f2a\Report.wer
Category:	dropped
Dump:	Report.wer.6.dr
ID:	dr_4
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	1.010831241850549
Encrypted:	false
Ssdeep:	96:b8Fk//RKBVsm+SboNy/qXQXIDcQqc6jcEOcw3WTiY+BHUHZ0ownOgFkEwH3d2FY9:Yq0Vz0UnU9aWB9fOzuiFhZ24lO8ELb
Size:	65536
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F83.tmp.dmp

Mini DuMP crash report, 16 streams, Sun Jun 30 14:23:53 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F83.tmp.dmp
Category:	dropped
Dump:	WER2F83.tmp.dmp.6.dr
ID:	dr_1
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 16 streams, Sun Jun 30 14:23:53 2024, 0x1205a4 type
Entropy:	3.2845824508548898
Encrypted:	false
Ssdeep:	3072:36IrvJew/42G/d1mQrFY1CCq6m3+vldBB744jQGMcSpcKz:36IjJew/cZ8q6m3QP7Sf1
Size:	385355
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3188.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER3188.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER3188.tmp.WERInternalMetadata.xml.6.dr
ID:	dr_2
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.719240005697245
Encrypted:	false
Ssdeep:	192:R6l7wVeJ24k6Y2DZKZgmfdLKprB89bhMffMrm:R6lXJRk6YkKZgmfdLhhMfN
Size:	8652
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER31B8.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER31B8.tmp.xml
Category:	dropped
Dump:	WER31B8.tmp.xml.6.dr
ID:	dr_3
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.582662103240114
Encrypted:	false
Ssdeep:	48:cvIwWl8zshJg771I9KVWpW8VYOYm8M4JxDFejmyq85IwkBWfoEd:uIjfzI75k7V2JSCxkfoEd
Size:	4825
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.6.dr
ID:	dr_0
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.46900801247698
Encrypted:	false
Ssdeep:	6144:FzZfpi6ceLPx9skLmb0f2ZWSP3aJG8nAgeiJRMMhA2zX4WABluuNTjDH5S:9ZHt2ZWOKnMM6bFpxj4
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe

"C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5776
Target ID:	0
Parent PID:	4004
Name:	LETTER OF AUTHORIZATION.exe
Path:	C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe
Commandline:	"C:\Users\user\Desktop\LETTER OF AUTHORIZATION.exe"
Size:	3097248
MD5:	57CB0D1FBBE7E57E906D9BEC624FF50F
Time:	10:23:52
Date:	30/06/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x118fea80000
Modulesize:	32768
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

Details

Is windows:	true
Is dropped:	false
PID:	2432
Target ID:	2
Parent PID:	5776
Name:	InstallUtil.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Size:	42064
MD5:	5D4073B2EB6D217C19F2B22F21BF8D57
Time:	10:23:52
Date:	30/06/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x700000
Modulesize:	49152
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

Details

Is windows:	true
Is dropped:	false
PID:	3580
Target ID:	3
Parent PID:	5776
Name:	InstallUtil.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Size:	42064
MD5:	5D4073B2EB6D217C19F2B22F21BF8D57
Time:	10:23:52
Date:	30/06/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 5776 -s 1008

Details

Is windows:	true
Is dropped:	false
PID:	2348
Target ID:	6
Parent PID:	5776
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5776 -s 1008
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	10:23:53
Date:	30/06/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff71ecf0000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://reallyfreegeoip.org

unknown

http://upx.sf.net

unknown

http://checkip.dyndns.org

unknown

http://checkip.dyndns.org/

132.226.8.169

http://checkip.dyndns.com

unknown

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.96.3

https://reallyfreegeoip.org/xml/8.46.123.33$

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://checkip.dyndns.org/q

unknown

http://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 1 hidden URLs, click here to show them.

Domains

Name

Malicious

reallyfreegeoip.org

188.114.96.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.96.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

132.226.8.169

IPs

Domain

Country

Malicious

188.114.96.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.96.3
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

132.226.8.169

checkip.dyndns.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\installutil_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\installutil_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\installutil_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\installutil_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\installutil_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\installutil_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\installutil_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\installutil_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\installutil_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\installutil_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\installutil_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\installutil_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\installutil_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\installutil_RASMANCS

FileDirectory

\REGISTRY\A\{93f1a7f6-179e-ef65-0238-fcfbd88be99c}\Root\InventoryApplicationFile\letter of author|23927bf48ec27a40

ProgramId

\REGISTRY\A\{93f1a7f6-179e-ef65-0238-fcfbd88be99c}\Root\InventoryApplicationFile\letter of author|23927bf48ec27a40

FileId

\REGISTRY\A\{93f1a7f6-179e-ef65-0238-fcfbd88be99c}\Root\InventoryApplicationFile\letter of author|23927bf48ec27a40

LowerCaseLongPath

\REGISTRY\A\{93f1a7f6-179e-ef65-0238-fcfbd88be99c}\Root\InventoryApplicationFile\letter of author|23927bf48ec27a40

LongPathHash

\REGISTRY\A\{93f1a7f6-179e-ef65-0238-fcfbd88be99c}\Root\InventoryApplicationFile\letter of author|23927bf48ec27a40

Name

\REGISTRY\A\{93f1a7f6-179e-ef65-0238-fcfbd88be99c}\Root\InventoryApplicationFile\letter of author|23927bf48ec27a40

OriginalFileName

\REGISTRY\A\{93f1a7f6-179e-ef65-0238-fcfbd88be99c}\Root\InventoryApplicationFile\letter of author|23927bf48ec27a40

Publisher

\REGISTRY\A\{93f1a7f6-179e-ef65-0238-fcfbd88be99c}\Root\InventoryApplicationFile\letter of author|23927bf48ec27a40

Version

\REGISTRY\A\{93f1a7f6-179e-ef65-0238-fcfbd88be99c}\Root\InventoryApplicationFile\letter of author|23927bf48ec27a40

BinFileVersion

\REGISTRY\A\{93f1a7f6-179e-ef65-0238-fcfbd88be99c}\Root\InventoryApplicationFile\letter of author|23927bf48ec27a40

BinaryType

\REGISTRY\A\{93f1a7f6-179e-ef65-0238-fcfbd88be99c}\Root\InventoryApplicationFile\letter of author|23927bf48ec27a40

ProductName

\REGISTRY\A\{93f1a7f6-179e-ef65-0238-fcfbd88be99c}\Root\InventoryApplicationFile\letter of author|23927bf48ec27a40

ProductVersion

\REGISTRY\A\{93f1a7f6-179e-ef65-0238-fcfbd88be99c}\Root\InventoryApplicationFile\letter of author|23927bf48ec27a40

LinkDate

\REGISTRY\A\{93f1a7f6-179e-ef65-0238-fcfbd88be99c}\Root\InventoryApplicationFile\letter of author|23927bf48ec27a40

BinProductVersion

\REGISTRY\A\{93f1a7f6-179e-ef65-0238-fcfbd88be99c}\Root\InventoryApplicationFile\letter of author|23927bf48ec27a40

AppxPackageFullName

\REGISTRY\A\{93f1a7f6-179e-ef65-0238-fcfbd88be99c}\Root\InventoryApplicationFile\letter of author|23927bf48ec27a40

AppxPackageRelativeId

\REGISTRY\A\{93f1a7f6-179e-ef65-0238-fcfbd88be99c}\Root\InventoryApplicationFile\letter of author|23927bf48ec27a40

Size

\REGISTRY\A\{93f1a7f6-179e-ef65-0238-fcfbd88be99c}\Root\InventoryApplicationFile\letter of author|23927bf48ec27a40

Language

\REGISTRY\A\{93f1a7f6-179e-ef65-0238-fcfbd88be99c}\Root\InventoryApplicationFile\letter of author|23927bf48ec27a40

Usn

There are 23 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

402000

remote allocation

page execute and read and write

29B1000

trusted library allocation

page read and write

11881763000

trusted library allocation

page read and write

2B7B000

trusted library allocation

page read and write

1189170D000

trusted library allocation

page read and write

2AA3000

trusted library allocation

page read and write

27A3000

trusted library allocation

page execute and read and write

11881411000

trusted library allocation

page read and write

3A18000

trusted library allocation

page read and write

7FFD34929000

trusted library allocation

page read and write

6670000

heap

page read and write

65C0000

trusted library allocation

page execute and read and write

118FEED3000

trusted library allocation

page read and write

6586000

trusted library allocation

page read and write

118FEC15000

heap

page read and write

538E000

stack

page read and write

7FFD34780000

trusted library allocation

page read and write

2A8E000

trusted library allocation

page read and write

65D0000

trusted library allocation

page read and write

4ED2000

trusted library allocation

page read and write

2B01000

trusted library allocation

page read and write

EFE000

stack

page read and write

2A58000

trusted library allocation

page read and write

7FFD34950000

trusted library allocation

page read and write

118FECC2000

heap

page read and write

2A60000

trusted library allocation

page read and write

2BE8000

trusted library allocation

page read and write

27DB000

trusted library allocation

page execute and read and write

118FED6A000

heap

page read and write

4EC6000

trusted library allocation

page read and write

7FFD347CC000

trusted library allocation

page execute and read and write

118FEF00000

heap

page read and write

7FFD34820000

trusted library allocation

page read and write

27F0000

trusted library allocation

page read and write

55E0000

trusted library allocation

page read and write

6AF0000

heap

page read and write

65AF000

trusted library allocation

page read and write

7FFD34856000

trusted library allocation

page execute and read and write

29A0000

heap

page execute and read and write

2C71000

trusted library allocation

page read and write

2F0353000

stack

page read and write

118FF2A0000

trusted library section

page read and write

D9E000

stack

page read and write

7FFD34774000

trusted library allocation

page read and write

287D000

stack

page read and write

27A0000

trusted library allocation

page read and write

2F06FF000

stack

page read and write

4F9D000

stack

page read and write

6590000

trusted library allocation

page execute and read and write

DE0000

heap

page read and write

4EB2000

trusted library allocation

page read and write

C8A000

heap

page read and write

2B31000

trusted library allocation

page read and write

2AF1000

trusted library allocation

page read and write

4EBA000

trusted library allocation

page read and write

27D2000

trusted library allocation

page read and write

2C0A000

trusted library allocation

page read and write

2F0DFE000

stack

page read and write

118FECED000

heap

page read and write

27C6000

trusted library allocation

page execute and read and write

62AE000

stack

page read and write

4EE0000

trusted library allocation

page read and write

656F000

stack

page read and write

2C06000

trusted library allocation

page read and write

5050000

heap

page read and write

55F0000

trusted library allocation

page execute and read and write

3A48000

trusted library allocation

page read and write

27D7000

trusted library allocation

page execute and read and write

658B000

trusted library allocation

page read and write

4EA6000

trusted library allocation

page read and write

118FEB10000

heap

page read and write

2A5B000

trusted library allocation

page read and write

6580000

trusted library allocation

page read and write

D21000

heap

page read and write

2AB4000

trusted library allocation

page read and write

118FEEE0000

heap

page execute and read and write

2F0EFD000

stack

page read and write

65A3000

trusted library allocation

page read and write

27B0000

trusted library allocation

page read and write

39B1000

trusted library allocation

page read and write

2B5F000

trusted library allocation

page read and write

657E000

trusted library allocation

page read and write

2B3F000

trusted library allocation

page read and write

2C01000

trusted library allocation

page read and write

FFF000

stack

page read and write

11891417000

trusted library allocation

page read and write

4F10000

trusted library allocation

page read and write

6148000

heap

page read and write

4ECD000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

2F0AFD000

stack

page read and write

2B6D000

trusted library allocation

page read and write

2F07FE000

stack

page read and write

2F08FF000

stack

page read and write

27C0000

trusted library allocation

page read and write

65A0000

trusted library allocation

page read and write

65B0000

trusted library allocation

page execute and read and write

6153000

heap

page read and write

7FFD34830000

trusted library allocation

page execute and read and write

4B4E000

stack

page read and write

DD0000

trusted library allocation

page read and write

4EA0000

trusted library allocation

page read and write

27C2000

trusted library allocation

page read and write

3A3C000

trusted library allocation

page read and write

27A4000

trusted library allocation

page read and write

27AD000

trusted library allocation

page execute and read and write

6179000

heap

page read and write

6570000

trusted library allocation

page read and write

2F0CFF000

stack

page read and write

118FEDB0000

trusted library allocation

page read and write

7FFD3479D000

trusted library allocation

page execute and read and write

118918E1000

trusted library allocation

page read and write

2F0BFE000

stack

page read and write

2B09000

trusted library allocation

page read and write

AF7000

stack

page read and write

7FFD3479B000

trusted library allocation

page execute and read and write

2B16000

trusted library allocation

page read and write

2A76000

trusted library allocation

page read and write

B50000

heap

page read and write

298F000

stack

page read and write

2F09FE000

stack

page read and write

646E000

stack

page read and write

27D0000

trusted library allocation

page read and write

118FED90000

trusted library allocation

page read and write

622E000

stack

page read and write

7FFD34940000

trusted library allocation

page read and write

7FFD34770000

trusted library allocation

page read and write

2880000

heap

page read and write

4F30000

heap

page execute and read and write

642E000

stack

page read and write

2B24000

trusted library allocation

page read and write

7FF405610000

trusted library allocation

page execute and read and write

4EAB000

trusted library allocation

page read and write

2BF7000

trusted library allocation

page read and write

4E90000

trusted library allocation

page read and write

7FFD3495D000

trusted library allocation

page read and write

B75000

heap

page read and write

2AAC000

trusted library allocation

page read and write

7FFD34772000

trusted library allocation

page read and write

DA0000

heap

page read and write

2B05000

trusted library allocation

page read and write

DF0000

heap

page read and write

2AED000

trusted library allocation

page read and write

7FFD34790000

trusted library allocation

page read and write

C96000

heap

page read and write

C68000

heap

page read and write

626E000

stack

page read and write

7FFD34970000

trusted library allocation

page read and write

7FFD34910000

trusted library allocation

page read and write

B70000

heap

page read and write

7FFD34826000

trusted library allocation

page read and write

65AA000

trusted library allocation

page read and write

3A33000

trusted library allocation

page read and write

4EBE000

trusted library allocation

page read and write

63AE000

stack

page read and write

27CA000

trusted library allocation

page execute and read and write

7FFD3482C000

trusted library allocation

page execute and read and write

7FFD34930000

trusted library allocation

page read and write

118FEA80000

unkown

page readonly

118FECF4000

heap

page read and write

B00000

heap

page read and write

11881440000

trusted library allocation

page read and write

27D5000

trusted library allocation

page execute and read and write

2B5B000

trusted library allocation

page read and write

27BD000

trusted library allocation

page execute and read and write

D4F000

heap

page read and write

118FECAB000

heap

page read and write

11891411000

trusted library allocation

page read and write

4EAE000

trusted library allocation

page read and write

118FEC40000

heap

page read and write

2990000

trusted library allocation

page execute and read and write

616C000

heap

page read and write

5043000

heap

page read and write

2C34000

trusted library allocation

page read and write

2AF5000

trusted library allocation

page read and write

6690000

trusted library allocation

page execute and read and write

118FEA82000

unkown

page readonly

2BE3000

trusted library allocation

page read and write

7FFD34924000

trusted library allocation

page read and write

118FEF05000

heap

page read and write

118FEC80000

heap

page read and write

2C2E000

trusted library allocation

page read and write

2A63000

trusted library allocation

page read and write

6640000

trusted library allocation

page read and write

799000

stack

page read and write

615C000

heap

page read and write

283E000

stack

page read and write

2AB0000

trusted library allocation

page read and write

6588000

trusted library allocation

page read and write

118FEC8C000

heap

page read and write

65E0000

trusted library allocation

page read and write

2C40000

trusted library allocation

page read and write

2AF9000

trusted library allocation

page read and write

C60000

heap

page read and write

CC5000

heap

page read and write

4EF0000

trusted library allocation

page read and write

118FECC0000

heap

page read and write

7FFD3478D000

trusted library allocation

page execute and read and write

7FFD34794000

trusted library allocation

page read and write

7FFD34773000

trusted library allocation

page execute and read and write

60F0000

heap

page read and write

60EE000

stack

page read and write

118FF480000

trusted library allocation

page read and write

118FEC20000

heap

page read and write

2AFD000

trusted library allocation

page read and write

2C3A000

trusted library allocation

page read and write

118FF440000

heap

page read and write

7FFD34920000

trusted library allocation

page read and write

39D9000

trusted library allocation

page read and write

5040000

heap

page read and write

118FF3E0000

heap

page execute and read and write

7FFD34960000

trusted library allocation

page execute and read and write

2BEE000

trusted library allocation

page read and write

4EC1000

trusted library allocation

page read and write

7FFD34782000

trusted library allocation

page read and write

63EE000

stack

page read and write

118FEED0000

trusted library allocation

page read and write

7FFD34890000

trusted library allocation

page execute and read and write

118FEBF0000

heap

page read and write

5FEE000

stack

page read and write

B4E000

stack

page read and write

118FECEB000

heap

page read and write

118FEC10000

heap

page read and write

118FFB10000

heap

page read and write

7FFD3477D000

trusted library allocation

page execute and read and write

There are 215 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
LETTER OF AUTHORIZATION.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportLETTER OF AUTHORIZATION.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
LETTER OF AUTHORIZATION.exe