Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

PM114079-990528.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.3447002305252
Filename:	PM114079-990528.exe
Filesize:	493056
MD5:	9f259b3c899293bc12c9397e010f9e40
SHA1:	af9c1736e4b3fdb69e3e22a70953872257335c89
SHA256:	683b3c223e311088d28b4d7ee52e207d8593836887a359a9cdb3b5535f305aa3
SHA512:	e12e2ccf1a57b492409c4ce3af237972b11b1b8c126f2b6ad7d56a0b3ef601a226259c5d8706819c95319614a38fa2d2890a62e7f9ce816acf2c445c8529b495
SSDEEP:	6144:ZXuAPKbl6eAs+AYJAmp1sWososBPBY0SQBhhASbOF7HAAPq/XtLMfFUYK8tvFCkt:ZXuBxOKkAVzAAylLMfCYK8tv
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o................0..\|..........~.... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Machine Learning detection for sample	AV Detection
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Software Packing
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools Obfuscated Files or Information
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PM114079-990528.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PM114079-990528.exe.log
Category:	dropped
Dump:	PM114079-990528.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\PM114079-990528.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\PM114079-990528.exe

"C:\Users\user\Desktop\PM114079-990528.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4292
Target ID:	0
Parent PID:	1028
Name:	PM114079-990528.exe
Path:	C:\Users\user\Desktop\PM114079-990528.exe
Commandline:	"C:\Users\user\Desktop\PM114079-990528.exe"
Size:	493056
MD5:	9F259B3C899293BC12C9397E010F9E40
Time:	21:27:48
Date:	01/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xe50000
Modulesize:	516096
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\PM114079-990528.exe

"C:\Users\user\Desktop\PM114079-990528.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6604
Target ID:	2
Parent PID:	4292
Name:	PM114079-990528.exe
Path:	C:\Users\user\Desktop\PM114079-990528.exe
Commandline:	"C:\Users\user\Desktop\PM114079-990528.exe"
Size:	493056
MD5:	9F259B3C899293BC12C9397E010F9E40
Time:	21:27:48
Date:	01/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x5a0000
Modulesize:	516096
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\PM114079-990528.exe"

Details

Is windows:	true
Is dropped:	false
PID:	3180
Target ID:	4
Parent PID:	6604
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\PM114079-990528.exe"
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	21:28:00
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x790000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4432
Target ID:	5
Parent PID:	3180
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	21:28:00
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

Details

Is windows:	true
Is dropped:	false
PID:	5528
Target ID:	6
Parent PID:	3180
Name:	choice.exe
Path:	C:\Windows\SysWOW64\choice.exe
Commandline:	choice /C Y /N /D Y /T 3
Size:	28160
MD5:	FCE0E41C87DC4ABBE976998AD26C27E4
Time:	21:28:00
Date:	01/07/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xe20000
Modulesize:	40960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://checkip.dyndns.org/

193.122.6.168

https://aka.ms/dotnet-warnings/

unknown

https://reallyfreegeoip.org/xml/8.46.123.33$

unknown

http://checkip.dyndns.org/q

unknown

https://aka.ms/serializationformat-binary-obsolete

unknown

http://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org

unknown

https://aka.ms/binaryformatter

unknown

http://checkip.dyndns.org

unknown

http://checkip.dyndns.com

unknown

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.96.3

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 3 hidden URLs, click here to show them.

Domains

Name

Malicious

reallyfreegeoip.org

188.114.96.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.96.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

193.122.6.168

IPs

Domain

Country

Malicious

188.114.96.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.96.3
TargetID:	2
Current Path:	C:\Users\user\Desktop\PM114079-990528.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

193.122.6.168

checkip.dyndns.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PM114079-990528_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PM114079-990528_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PM114079-990528_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PM114079-990528_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PM114079-990528_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PM114079-990528_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PM114079-990528_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PM114079-990528_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PM114079-990528_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PM114079-990528_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PM114079-990528_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PM114079-990528_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PM114079-990528_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PM114079-990528_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

4179000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

2991000

trusted library allocation

page read and write

6AB000

stack

page read and write

A7A000

heap

page read and write

64BD000

stack

page read and write

5CFC000

stack

page read and write

5FEE000

stack

page read and write

56AE000

trusted library allocation

page read and write

D9E000

stack

page read and write

2ACB000

trusted library allocation

page read and write

3171000

trusted library allocation

page read and write

154E000

stack

page read and write

5B50000

heap

page read and write

1391000

heap

page read and write

5AF0000

heap

page read and write

26B3000

trusted library allocation

page execute and read and write

5C5E000

trusted library allocation

page read and write

2AF5000

trusted library allocation

page read and write

2FB0000

heap

page read and write

6590000

heap

page read and write

134A000

heap

page read and write

4A8C000

stack

page read and write

26A0000

trusted library allocation

page read and write

2B59000

trusted library allocation

page read and write

5D60000

trusted library allocation

page execute and read and write

2840000

heap

page read and write

827E000

stack

page read and write

2A3A000

trusted library allocation

page read and write

5970000

heap

page execute and read and write

53BE000

stack

page read and write

6188000

heap

page read and write

1584000

heap

page read and write

5BC7000

heap

page read and write

34A0000

heap

page read and write

274E000

stack

page read and write

615F000

heap

page read and write

32FD000

stack

page read and write

59DE000

stack

page read and write

26D2000

trusted library allocation

page read and write

5C50000

trusted library allocation

page read and write

5C76000

trusted library allocation

page read and write

537E000

stack

page read and write

6870000

heap

page read and write

150E000

stack

page read and write

2950000

trusted library allocation

page read and write

63EF000

stack

page read and write

5B60000

heap

page read and write

64AE000

stack

page read and write

A10000

heap

page read and write

5950000

trusted library allocation

page read and write

6170000

heap

page read and write

6595000

heap

page read and write

294F000

stack

page read and write

26C0000

trusted library allocation

page read and write

15B2000

trusted library allocation

page read and write

3050000

trusted library allocation

page read and write

2700000

trusted library allocation

page read and write

2A8F000

trusted library allocation

page read and write

FE5000

heap

page read and write

15A0000

trusted library allocation

page read and write

26B4000

trusted library allocation

page read and write

39E0000

heap

page read and write

5DAD000

stack

page read and write

3663000

heap

page read and write

83DE000

stack

page read and write

676B000

stack

page read and write

5C56000

trusted library allocation

page read and write

A5F000

stack

page read and write

ECF000

stack

page read and write

865F000

stack

page read and write

A20000

heap

page read and write

2B4B000

trusted library allocation

page read and write

56E0000

trusted library allocation

page read and write

65D6000

heap

page read and write

4DE0000

trusted library allocation

page read and write

170E000

stack

page read and write

2A3F000

trusted library allocation

page read and write

56B1000

trusted library allocation

page read and write

51B0000

heap

page execute and read and write

B0D000

heap

page read and write

15BA000

trusted library allocation

page execute and read and write

1300000

heap

page read and write

76AE000

heap

page read and write

A1E000

stack

page read and write

A45000

heap

page read and write

FE0000

heap

page read and write

2B02000

trusted library allocation

page read and write

E00000

heap

page read and write

68BE000

stack

page read and write

1343000

heap

page read and write

5C5A000

trusted library allocation

page read and write

3040000

trusted library allocation

page read and write

595C000

trusted library allocation

page read and write

2B60000

trusted library allocation

page read and write

5C6E000

stack

page read and write

130E000

heap

page read and write

5AE0000

trusted library allocation

page read and write

5D30000

trusted library allocation

page execute and read and write

2ADB000

trusted library allocation

page read and write

2ADF000

trusted library allocation

page read and write

26E0000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

841E000

stack

page read and write

6540000

trusted library allocation

page read and write

4F90000

heap

page read and write

2AE7000

trusted library allocation

page read and write

5D00000

heap

page read and write

15CB000

trusted library allocation

page execute and read and write

2A93000

trusted library allocation

page read and write

2A37000

trusted library allocation

page read and write

305F000

trusted library allocation

page read and write

602E000

stack

page read and write

626D000

stack

page read and write

2F4D000

stack

page read and write

1570000

trusted library allocation

page read and write

AD3000

heap

page read and write

57B0000

heap

page read and write

5B00000

trusted library section

page read and write

130A000

heap

page read and write

2970000

trusted library allocation

page read and write

69BE000

stack

page read and write

4EAE000

stack

page read and write

5EEE000

stack

page read and write

5C60000

trusted library allocation

page read and write

2980000

heap

page execute and read and write

FC0000

heap

page read and write

6165000

heap

page read and write

595A000

trusted library allocation

page read and write

D5F000

stack

page read and write

524C000

stack

page read and write

15B6000

trusted library allocation

page execute and read and write

3280000

trusted library allocation

page read and write

A64000

heap

page read and write

595F000

trusted library allocation

page read and write

180F000

stack

page read and write

4E39000

trusted library allocation

page read and write

5C71000

trusted library allocation

page read and write

646F000

stack

page read and write

569B000

trusted library allocation

page read and write

13C7000

heap

page read and write

5D10000

trusted library section

page readonly

5B6E000

stack

page read and write

C5E000

stack

page read and write

85C000

stack

page read and write

1594000

trusted library allocation

page read and write

15A3000

trusted library allocation

page read and write

26DA000

trusted library allocation

page execute and read and write

A40000

heap

page read and write

855E000

stack

page read and write

DC7000

heap

page read and write

3665000

heap

page read and write

2B39000

trusted library allocation

page read and write

E52000

unkown

page readonly

612E000

stack

page read and write

2ACF000

trusted library allocation

page read and write

15C7000

trusted library allocation

page execute and read and write

2A8B000

trusted library allocation

page read and write

2A82000

trusted library allocation

page read and write

13B5000

heap

page read and write

65B0000

heap

page read and write

A6E000

heap

page read and write

2A52000

trusted library allocation

page read and write

2966000

trusted library allocation

page read and write

1590000

trusted library allocation

page read and write

BC0000

heap

page read and write

2AD3000

trusted library allocation

page read and write

533D000

stack

page read and write

7A7000

stack

page read and write

5C5C000

trusted library allocation

page read and write

5C73000

trusted library allocation

page read and write

2AD7000

trusted library allocation

page read and write

E50000

unkown

page readonly

15F0000

trusted library allocation

page execute and read and write

F5A000

stack

page read and write

5A6F000

stack

page read and write

62EE000

stack

page read and write

4171000

trusted library allocation

page read and write

3020000

heap

page execute and read and write

534C000

stack

page read and write

2830000

trusted library allocation

page execute and read and write

AE0000

heap

page read and write

2A54000

trusted library allocation

page read and write

6169000

heap

page read and write

56D5000

trusted library allocation

page read and write

26EB000

trusted library allocation

page execute and read and write

76A0000

heap

page read and write

3640000

heap

page read and write

15C2000

trusted library allocation

page read and write

2964000

trusted library allocation

page read and write

4E36000

trusted library allocation

page read and write

26E2000

trusted library allocation

page read and write

5960000

trusted library allocation

page execute and read and write

1580000

heap

page read and write

56C2000

trusted library allocation

page read and write

3662000

heap

page read and write

26B0000

trusted library allocation

page read and write

2A42000

trusted library allocation

page read and write

DC0000

heap

page read and write

2B3D000

trusted library allocation

page read and write

4E1E000

trusted library allocation

page read and write

62AF000

stack

page read and write

39B9000

trusted library allocation

page read and write

A30000

heap

page read and write

FD0000

heap

page read and write

26BD000

trusted library allocation

page execute and read and write

5C90000

trusted library allocation

page read and write

4E24000

trusted library allocation

page read and write

364C000

heap

page read and write

5EAE000

stack

page read and write

2AE3000

trusted library allocation

page read and write

5D6F000

stack

page read and write

686C000

stack

page read and write

15AD000

trusted library allocation

page execute and read and write

5690000

trusted library allocation

page read and write

642E000

stack

page read and write

4E31000

trusted library allocation

page read and write

B3F000

heap

page read and write

2A97000

trusted library allocation

page read and write

A9E000

stack

page read and write

3010000

trusted library allocation

page read and write

56D0000

trusted library allocation

page read and write

8290000

trusted library allocation

page read and write

2670000

heap

page read and write

3410000

heap

page read and write

26E7000

trusted library allocation

page execute and read and write

4EEE000

stack

page read and write

518E000

stack

page read and write

383E000

stack

page read and write

2FEE000

stack

page read and write

A58000

heap

page read and write

BC8000

heap

page read and write

5ADE000

stack

page read and write

3997000

trusted library allocation

page read and write

56B6000

trusted library allocation

page read and write

4E00000

heap

page read and write

8F0000

heap

page read and write

57A0000

heap

page read and write

5770000

trusted library allocation

page read and write

2FF0000

heap

page read and write

5CA0000

trusted library allocation

page read and write

A87000

heap

page read and write

3991000

trusted library allocation

page read and write

851E000

stack

page read and write

51A0000

trusted library allocation

page read and write

159D000

trusted library allocation

page execute and read and write

6130000

heap

page read and write

A50000

heap

page read and write

4E14000

trusted library allocation

page read and write

56BD000

trusted library allocation

page read and write

3030000

trusted library allocation

page read and write

658E000

stack

page read and write

340E000

stack

page read and write

57B3000

heap

page read and write

26D6000

trusted library allocation

page execute and read and write

282C000

stack

page read and write

26D0000

trusted library allocation

page read and write

65AE000

stack

page read and write

3060000

heap

page read and write

316F000

stack

page read and write

35AF000

unkown

page read and write

ADE000

stack

page read and write

9D0000

heap

page read and write

82DE000

stack

page read and write

5C80000

trusted library section

page read and write

2960000

trusted library allocation

page read and write

1384000

heap

page read and write

1593000

trusted library allocation

page execute and read and write

7DA2000

trusted library allocation

page read and write

4E45000

trusted library allocation

page read and write

1600000

heap

page read and write

65A0000

heap

page read and write

1336000

heap

page read and write

2A6D000

trusted library allocation

page read and write

2FFE000

unkown

page read and write

89D000

stack

page read and write

12F7000

stack

page read and write

15B0000

trusted library allocation

page read and write

15C0000

trusted library allocation

page read and write

15E0000

trusted library allocation

page read and write

5D20000

heap

page read and write

2B1D000

trusted library allocation

page read and write

There are 272 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
PM114079-990528.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportPM114079-990528.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
PM114079-990528.exe