Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

poMkNYHDU3.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.9427646252650135
Filename:	poMkNYHDU3.exe
Filesize:	1835944
MD5:	f0669646dcc88adb7268293dcb13dc9e
SHA1:	8bb62b7ea90e01634e71b2824ca32de8f052d404
SHA256:	1e4b1ea0fe7c16253169b76c22265b085df9bcca509eb39b8597b54bf53a4920
SHA512:	0b47c1de2e36a7a57bc84d643f966648ae6d4fa9860802c31c5b9243e772bf2c07461b0c76140bdd6ae4f3ba2e379c9113a368bea34e1ca17fc4bc0a3beb7753
SSDEEP:	49152:xzjyrrmVmx/meYk+gMZQwRHrFQupgNJtAoFW+Ay9FgAF:xzWTZ+jQSeNJtAowy9FgQ
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........kY...7...7...7..\|....7..\|....7..\|....7..r....7...6...7..\|....7..\|....7.......7..\|....7.Rich..7.........PE..L...@:.c...........

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Drops large PE files	System Summary	Access Token Manipulation
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	Access Token Manipulation File Deletion
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job Access Token Manipulation
Checks if the current process is being debugged	Anti Debugging	Virtualization/Sandbox Evasion Security Software Discovery
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Access Token Manipulation Process Discovery
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation
PE / OLE file has an invalid certificate	System Summary	File and Directory Discovery
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Binary may include packed or encrypted code	Data Obfuscation
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates files inside the user directory	System Summary	Masquerading
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Queries a list of all running processes	Malware Analysis System Evasion
Reads ini files	System Summary
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\mayo quaborod geriyak tarojob yeq vaj\Wep saqua quox vovaquo pofiyoha hotejemi nikaga gedel logim mobevem.exe

PE32 executable (GUI) Intel 80386, for MS Windows

modified

Details

File:	C:\Users\user\mayo quaborod geriyak tarojob yeq vaj\Wep saqua quox vovaquo pofiyoha hotejemi nikaga gedel logim mobevem.exe
Category:	modified
Dump:	Wep saqua quox vovaquo pofiyoha hotejemi nikaga gedel logim mobevem.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\poMkNYHDU3.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	0.03885502830240671
Encrypted:	false
Size:	838599592
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates processes with suspicious names	Persistence and Installation Behavior
Drops PE files	Persistence and Installation Behavior
Found large amount of non-executed APIs	Malware Analysis System Evasion
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking

C:\Users\user\mayo quaborod geriyak tarojob yeq vaj\Wep saqua quox vovaquo pofiyoha hotejemi nikaga gedel logim mobevem.exe:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\mayo quaborod geriyak tarojob yeq vaj\Wep saqua quox vovaquo pofiyoha hotejemi nikaga gedel logim mobevem.exe:Zone.Identifier
Category:	dropped
Dump:	Wep saqua quox vovaquo pofiyoha hotejemi nikaga gedel logim mobevem.exe_Zone.Identifier.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\poMkNYHDU3.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates processes with suspicious names	Persistence and Installation Behavior
Found large amount of non-executed APIs	Malware Analysis System Evasion
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking

C:\Users\user\AppData\Local\Temp\advapi32.dll

Non-ISO extended-ASCII text, with very long lines (7835), with NEL line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\advapi32.dll
Category:	dropped
Dump:	advapi32.dll.6.dr
ID:	dr_2
Target ID:	6
Process:	C:\Users\user\mayo quaborod geriyak tarojob yeq vaj\Wep saqua quox vovaquo pofiyoha hotejemi nikaga gedel logim mobevem.exe
Type:	Non-ISO extended-ASCII text, with very long lines (7835), with NEL line terminators
Entropy:	5.2354755742618355
Encrypted:	false
Ssdeep:	384:w/nGwRTK7GauSGR/QQl4t7MhpD/RfauEnkXSEA4hdOe:QSGauSGNGt7MhpD/RfDSEA4hdOe
Size:	14847
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\cudraouera\logs.dat

data

dropped

Details

File:	C:\cudraouera\logs.dat
Category:	dropped
Dump:	logs.dat.13.dr
ID:	dr_3
Target ID:	13
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Type:	data
Entropy:	7.788292948399109
Encrypted:	false
Ssdeep:	24:peerVOleMHbNIb4djtDgqqyxwhQxU87Akz4j+Avjuxk:TPMBIAcqXwKxUwro4k
Size:	982
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\poMkNYHDU3.exe

"C:\Users\user\Desktop\poMkNYHDU3.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\user\mayo quaborod geriyak tarojob yeq vaj\Wep saqua quox vovaquo pofiyoha hotejemi nikaga gedel logim mobevem.exe"

C:\Users\user\mayo quaborod geriyak tarojob yeq vaj\Wep saqua quox vovaquo pofiyoha hotejemi nikaga gedel logim mobevem.exe

"C:\Users\user\mayo quaborod geriyak tarojob yeq vaj\Wep saqua quox vovaquo pofiyoha hotejemi nikaga gedel logim mobevem.exe"

C:\Users\user\mayo quaborod geriyak tarojob yeq vaj\Wep saqua quox vovaquo pofiyoha hotejemi nikaga gedel logim mobevem.exe

"C:\Users\user\mayo quaborod geriyak tarojob yeq vaj\Wep saqua quox vovaquo pofiyoha hotejemi nikaga gedel logim mobevem.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\user\Desktop\poMkNYHDU3.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\chcp.com

chcp 65001

There are 1 hidden processes, click here to show them.

URLs

Name

Malicious

servicio.mensajeriafrex.info

https://bitbucket.org/alfolod79597/advancedapi32/downloads/library.bine

unknown

https://bitbucket.org/alfolod79597/advancedapi32/downloads/library.bin_

unknown

https://bitbucket.org/alfolod79597/advancedapi32/downloads/library.binql

unknown

https://bitbucket.org/alfolod79597/advancedapi32/downloads/library.binj

unknown

https://d301sr5gafysq2.cloudfront.net/c26cc8291d0a/jsi18n/en/djangojs.js

unknown

https://bitbucket.org/alfolod79597/advancedapi32/downloads/library.binHgINRxeNZtTt5kfm2ALc9vI9ixAk5Q

unknown

https://d301sr5gafysq2.cloudfront.net/c26cc8291d0a/img/default_avatar/user_blue.svg

unknown

https://admin.atlassian.com

unknown

https://id.atlassian.com/login?prompt=login&continue=https%3A%2F%2Fbitbucket.org%2Falfolod79597%

unknown

https://d301sr5gafysq2.cloudfront.net/c26cc8291d0a/dist/webpack/app.js

unknown

https://bitbucket.org/alfolod79597/advancedapi32/downloads/library.bins

unknown

https://d301sr5gafysq2.cloudfront.net/c26cc8291d0a/dist/webpack/early.js

unknown

https://d301sr5gafysq2.cloudfront.net/c26cc8291d0a/css/entry/adg3.css

unknown

http://q1hz23sgcgrjxgo3okrkbbknn.wvkgid5wjj6hnhww93cqraz0uwbqgpq/p

unknown

https://bitbucket.org/blog/announcing-our-new-ci-cd-runtime-with-up-to-8x-faster-builds

unknown

https://api.bitbucket.org

unknown

https://preferences.atlassian.com

unknown

http://q1hZ23sgCgRjxGo3okrkbBKNN.WvkGid5wJJ6hnHwW93cQrAz0UwbqGpQ

unknown

https://bitbucket.org/alfolod79597/advancedapi32/downloads/library.bin

104.192.141.1

https://www.atlassian.com/try/cloud/signup?bundle=bitbucket

unknown

https://d301sr5gafysq2.cloudfront.net/c26cc8291d0a/img/logos/bitbucket/mstile-150x150.png

unknown

http://geoplugin.net/json.gp/C

unknown

https://remote-app-switcher.prod-east.frontend.public.atl-paas.net

unknown

http://q1hz23sgcgrjxgo3okrkbbknn.wvkgid5wjj6hnhww93cqraz0uwbqgpq/

unknown

https://bitbucket.status.atlassian.com/

unknown

https://d301sr5gafysq2.cloudfront.net/c26cc8291d0a/img/logos/bitbucket/android-chrome-192x192.png

unknown

https://d301sr5gafysq2.cloudfront.net/c26cc8291d0a/dist/webpack/sentry.js

unknown

https://id.atlassian.com/profile/rest/profile"

unknown

https://aui-cdn.atlassian.com/

unknown

https://bitbucket.org/gateway/api/emoji/

unknown

https://bqlf8qjztdtr.statuspage.io

unknown

https://d301sr5gafysq2.cloudfront.net/

unknown

https://d301sr5gafysq2.cloudfront.net/c26cc8291d0a/css/entry/vendor-aui-8.css

unknown

https://bitbucket.org

unknown

https://d301sr5gafysq2.cloudfront.net/c26cc8291d0a/

unknown

https://bitbucket.org/

unknown

https://d301sr5gafysq2.cloudfront.net/c26cc8291d0a/css/entry/app.css

unknown

https://id.atlassian.com/login

unknown

https://d301sr5gafysq2.cloudfront.net/c26cc8291d0a/dist/webpack/vendor.js

unknown

https://d301sr5gafysq2.cloudfront.net/c26cc8291d0a/img/logos/bitbucket/safari-pinned-tab.svg

unknown

https://bitbucket.org/blog/wp-json/wp/v2/posts?categories=196&context=embed&per_page=6&orderby=date&

unknown

https://id.atlassian.com/logout

unknown

https://web-security-reports.services.atlassian.com/csp-report/bb-website

unknown

https://bitbucket.org/alfolod79597/advancedapi32/downloads/library.bin.

unknown

https://d136azpfpnge1l.cloudfront.net/;

unknown

https://bitbucket.org/alfolod79597/advancedapi32/downloads/library.bin1

unknown

https://bitbucket.org/alfolod79597/advancedapi32/downloads/library.bin;

unknown

https://d301sr5gafysq2.cloudfront.net/c26cc8291d0a/dist/webpack/locales/en.js

unknown

https://id.atlassian.com/manage-profile/

unknown

http://geoplugin.net/json.gp

unknown

https://d301sr5gafysq2.cloudfront.net/c26cc8291d0a/img/logos/bitbucket/apple-touch-icon.png

unknown

https://d301sr5gafysq2.cloudfront.net/c26cc8291d0a/css/entry/adg3-skeleton-nav.css

unknown

https://bitbucket.org/alfolod79597/advancedapi32/downloads/library.binM

unknown

https://web-security-reports.services.atlassian.com/csp-report/bb-websiteZ

unknown

https://cdn.cookielaw.org/

unknown

http://q1hz23sgcgrjxgo3okrkbbknn.wvkgid5wjj6hnhww93cqraz0uwbqgpq/&

unknown

https://d301sr5gafysq2.cloudfront.net/c26cc8291d0a/dist/webpack/aui-8.js

unknown

https://remote-app-switcher.stg-east.frontend.public.atl-paas.net

unknown

https://bitbucket.org//oP

unknown

https://d136azpfpnge1l.cloudfront.net/

unknown

https://bitbucket.org/alfolod79597/advancedapi32/downloads/library.binP

unknown

http://q1hZ23sgCgRjxGo3okrkbBKNN.WvkGid5wJJ6hnHwW93cQrAz0UwbqGpQEBQg6vK9dvWwYrhPfY4r4fQbRGAsC1BPwTlv

unknown

There are 53 hidden URLs, click here to show them.

Domains

Name

Malicious

servicio.mensajeriafrex.info

181.49.85.74

Details

Name:	servicio.mensajeriafrex.info
IP:	181.49.85.74
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

q1hz23sgcgrjxgo3okrkbbknn.wvkgid5wjj6hnhww93cqraz0uwbqgpq

unknown

56.126.166.20.in-addr.arpa

unknown

bitbucket.org

104.192.141.1

Details

Name:	bitbucket.org
IP:	104.192.141.1
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

181.49.85.74

servicio.mensajeriafrex.info

Colombia

Details

IP:	181.49.85.74
TargetID:	13
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Country:	Colombia
Countrycode:	COL
ASN number:	14080
ASN name:	TelmexColombiaSACO
Private:	false
Domain:	servicio.mensajeriafrex.info

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

127.0.0.1

unknown

Details

IP:	127.0.0.1
TargetID:	12
Current Path:	C:\Windows\SysWOW64\PING.EXE
Private:	true

Signature Hits	Behavior Group	Mitre Attack
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Uses ping.exe to check the status of other devices and networks	Networking	System Network Configuration Discovery Remote System Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

104.192.141.1

bitbucket.org

United States

Details

IP:	104.192.141.1
TargetID:	6
Current Path:	C:\Users\user\mayo quaborod geriyak tarojob yeq vaj\Wep saqua quox vovaquo pofiyoha hotejemi nikaga gedel logim mobevem.exe
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false
Domain:	bitbucket.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\exporteyuia-WNPSFO

exepath

HKEY_CURRENT_USER\SOFTWARE\exporteyuia-WNPSFO

licence

Memdumps

Base Address

Regiontype

Protect

Malicious

12BA000

heap

page read and write

DD7000

heap

page read and write

10030000

direct allocation

page read and write

400000

remote allocation

page execute and read and write

1238000

heap

page read and write

C520000

direct allocation

page execute and read and write

C520000

direct allocation

page read and write

10130000

heap

page read and write

10030000

direct allocation

page execute and read and write

2EAA000

stack

page read and write

1230000

heap

page read and write

2A4F000

stack

page read and write

26C6000

heap

page read and write

1144000

heap

page read and write

1259000

heap

page read and write

2CB1000

heap

page read and write

C5B0000

direct allocation

page execute and read and write

1259000

heap

page read and write

C550000

direct allocation

page read and write

128E000

heap

page read and write

1259000

heap

page read and write

2CB1000

heap

page read and write

FD0000

heap

page read and write

1259000

heap

page read and write

FA9000

stack

page read and write

3390000

heap

page read and write

124F000

heap

page read and write

26A2000

heap

page read and write

121E000

heap

page read and write

2EE5000

heap

page read and write

1259000

heap

page read and write

1009E000

stack

page read and write

D8F000

heap

page read and write

1259000

heap

page read and write

1296000

heap

page read and write

630000

unkown

page readonly

1259000

heap

page read and write

2F7D000

stack

page read and write

2CB0000

heap

page read and write

140E000

heap

page read and write

A95F000

stack

page read and write

C591000

direct allocation

page execute and read and write

1259000

heap

page read and write

1259000

heap

page read and write

129D000

stack

page read and write

1259000

heap

page read and write

100C0000

direct allocation

page execute and read and write

22B0000

heap

page read and write

1259000

heap

page read and write

7BA000

unkown

page write copy

F59000

stack

page read and write

1259000

heap

page read and write

C56E000

stack

page read and write

1180000

heap

page read and write

371000

unkown

page execute read

C20000

heap

page read and write

7B7000

unkown

page readonly

1170000

trusted library allocation

page read and write

26A3000

heap

page read and write

2820000

heap

page read and write

10B0000

heap

page read and write

121A000

heap

page read and write

2CB1000

heap

page read and write

2CB1000

heap

page read and write

D90000

heap

page read and write

370000

unkown

page readonly

1144000

heap

page read and write

146A000

heap

page read and write

13BB000

heap

page read and write

1259000

heap

page read and write

C40000

heap

page read and write

2340000

heap

page read and write

152F000

stack

page read and write

1259000

heap

page read and write

1091B000

stack

page read and write

2EE0000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

338E000

stack

page read and write

1259000

heap

page read and write

128E000

heap

page read and write

2CB1000

heap

page read and write

2CB1000

heap

page read and write

378E000

stack

page read and write

4F7000

unkown

page readonly

C4C0000

direct allocation

page read and write

13D4000

heap

page read and write

26A5000

heap

page read and write

1210000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

2DF0000

heap

page read and write

1144000

heap

page read and write

2E10000

heap

page read and write

1144000

heap

page read and write

7A0000

unkown

page readonly

AADE000

stack

page read and write

1259000

heap

page read and write

1259000

heap

page read and write

1259000

heap

page read and write

2A10000

heap

page read and write

F11E000

stack

page read and write

26C7000

heap

page read and write

C4C0000

direct allocation

page read and write

FEBD000

stack

page read and write

ACAD000

stack

page read and write

1259000

heap

page read and write

1259000

heap

page read and write

1259000

heap

page read and write

2CB1000

heap

page read and write

2CB1000

heap

page read and write

1259000

heap

page read and write

22FE000

unkown

page read and write

1144000

heap

page read and write

2CB1000

heap

page read and write

F25F000

stack

page read and write

2CB1000

heap

page read and write

26B7000

heap

page read and write

EFDF000

stack

page read and write

1259000

heap

page read and write

1259000

heap

page read and write

1431000

heap

page read and write

2CB1000

heap

page read and write

1259000

heap

page read and write

E9EF000

stack

page read and write

2CB1000

heap

page read and write

D87000

heap

page read and write

2F3D000

stack

page read and write

46C000

remote allocation

page execute and read and write

1259000

heap

page read and write

1259000

heap

page read and write

3054000

heap

page read and write

2FBE000

heap

page execute and read and write

1259000

heap

page read and write

139E000

heap

page read and write

1144000

heap

page read and write

2CC0000

heap

page read and write

C3AD000

stack

page read and write

318F000

stack

page read and write

10060000

direct allocation

page read and write

1259000

heap

page read and write

11A0000

heap

page read and write

2CB1000

heap

page read and write

F15E000

stack

page read and write

2F20000

heap

page read and write

1259000

heap

page read and write

1020000

heap

page read and write

2E90000

trusted library allocation

page read and write

15EE000

stack

page read and write

A6A000

stack

page read and write

1259000

heap

page read and write

371000

unkown

page execute read

C69A000

heap

page read and write

2E90000

trusted library allocation

page read and write

2DF5000

heap

page read and write

F66000

stack

page read and write

C26E000

stack

page read and write

370000

unkown

page readonly

146D000

heap

page read and write

1259000

heap

page read and write

142E000

stack

page read and write

4F7000

unkown

page readonly

1258000

heap

page read and write

1144000

heap

page read and write

E0F1000

heap

page read and write

1259000

heap

page read and write

2F40000

heap

page read and write

2CB1000

heap

page read and write

1259000

heap

page read and write

2B10000

trusted library allocation

page read and write

2CB1000

heap

page read and write

DA2000

heap

page read and write

1259000

heap

page read and write

301E000

stack

page read and write

12C9000

heap

page read and write

C4AC000

stack

page read and write

1259000

heap

page read and write

2E70000

heap

page read and write

1144000

heap

page read and write

10FE000

stack

page read and write

2FE0000

heap

page read and write

2F10000

heap

page read and write

2CB1000

heap

page read and write

304F000

stack

page read and write

1144000

heap

page read and write

2B10000

trusted library allocation

page read and write

2CB1000

heap

page read and write

2CB1000

heap

page read and write

4F7000

unkown

page readonly

2FD0000

heap

page execute and read and write

146B000

heap

page read and write

2CB1000

heap

page read and write

1259000

heap

page read and write

2F1C000

stack

page read and write

1259000

heap

page read and write

307E000

unkown

page read and write

26B6000

heap

page read and write

1256000

heap

page read and write

11CE000

stack

page read and write

12A0000

heap

page read and write

DBC000

stack

page read and write

1ED000

stack

page read and write

1259000

heap

page read and write

4FA000

unkown

page read and write

1259000

heap

page read and write

1144000

heap

page read and write

140E000

stack

page read and write

1431000

heap

page read and write

2CB1000

heap

page read and write

2CB1000

heap

page read and write

D93000

heap

page read and write

E8AF000

stack

page read and write

124E000

heap

page read and write

7BA000

unkown

page read and write

C6A6000

heap

page read and write

1259000

heap

page read and write

124B000

heap

page read and write

E62F000

stack

page read and write

1144000

heap

page read and write

C48000

heap

page read and write

2CB1000

heap

page read and write

2E90000

trusted library allocation

page read and write

1259000

heap

page read and write

C16F000

stack

page read and write

1259000

heap

page read and write

1144000

heap

page read and write

2E90000

trusted library allocation

page read and write

233E000

stack

page read and write

D5E000

stack

page read and write

D80000

heap

page read and write

1259000

heap

page read and write

27FE000

stack

page read and write

EEDF000

stack

page read and write

2CB1000

heap

page read and write

1259000

heap

page read and write

1259000

heap

page read and write

2FA4000

heap

page read and write

1144000

heap

page read and write

1259000

heap

page read and write

C7A0000

remote allocation

page read and write

C6A1000

heap

page read and write

1230000

heap

page read and write

1424000

heap

page read and write

2CB1000

heap

page read and write

1259000

heap

page read and write

471000

remote allocation

page execute and read and write

2CB1000

heap

page read and write

2BD0000

heap

page execute and read and write

2CB1000

heap

page read and write

123B000

heap

page read and write

2F4B000

heap

page read and write

1144000

heap

page read and write

FFD0000

direct allocation

page read and write

370000

unkown

page readonly

1170000

trusted library allocation

page read and write

BD0000

heap

page read and write

1170000

trusted library allocation

page read and write

1259000

heap

page read and write

1220000

heap

page read and write

1259000

heap

page read and write

A99E000

stack

page read and write

124E000

heap

page read and write

370000

unkown

page readonly

4F7000

unkown

page readonly

A60000

unkown

page readonly

1259000

heap

page read and write

2CB1000

heap

page read and write

CBC000

stack

page read and write

7B7000

unkown

page readonly

1032F000

stack

page read and write

ED000

stack

page read and write

10060000

remote allocation

page read and write

1259000

heap

page read and write

103C000

stack

page read and write

1063E000

stack

page read and write

2CB1000

heap

page read and write

330E000

stack

page read and write

2CB1000

heap

page read and write

39CF000

stack

page read and write

2BF0000

heap

page read and write

2CB1000

heap

page read and write

C56E000

stack

page read and write

2A05000

heap

page read and write

388F000

stack

page read and write

630000

unkown

page readonly

317D000

stack

page read and write

1259000

heap

page read and write

F29D000

stack

page read and write

142E000

heap

page read and write

139A000

heap

page read and write

2E90000

trusted library allocation

page read and write

146D000

heap

page read and write

1259000

heap

page read and write

2680000

heap

page read and write

1170000

heap

page read and write

2CB1000

heap

page read and write

10060000

remote allocation

page read and write

2CB1000

heap

page read and write

2CB1000

heap

page read and write

1250000

heap

page read and write

1259000

heap

page read and write

1390000

heap

page read and write

DAF000

heap

page read and write

1144000

heap

page read and write

31DE000

stack

page read and write

AC5E000

stack

page read and write

FFBC000

stack

page read and write

C6AD000

heap

page read and write

1144000

heap

page read and write

1255000

heap

page read and write

2CB1000

heap

page read and write

3597000

heap

page read and write

2DDE000

stack

page read and write

1259000

heap

page read and write

1259000

heap

page read and write

1259000

heap

page read and write

2CB1000

heap

page read and write

1259000

heap

page read and write

1144000

heap

page read and write

4FA000

unkown

page read and write

E7AE000

stack

page read and write

2CB1000

heap

page read and write

D60000

heap

page read and write

4FA000

unkown

page write copy

2EDF000

stack

page read and write

2CB1000

heap

page read and write

2A11000

heap

page read and write

2CB1000

heap

page read and write

1259000

heap

page read and write

2CB1000

heap

page read and write

2CB1000

heap

page read and write

D93000

heap

page read and write

2FA0000

heap

page read and write

1259000

heap

page read and write

359A000

heap

page read and write

1144000

heap

page read and write

3080000

heap

page read and write

2CB1000

heap

page read and write

1259000

heap

page read and write

F01E000

stack

page read and write

13CE000

heap

page read and write

319F000

unkown

page read and write

E0F0000

heap

page read and write

D99000

heap

page read and write

1259000

heap

page read and write

371000

unkown

page execute read

1259000

heap

page read and write

106E000

stack

page read and write

26C6000

heap

page read and write

1256000

heap

page read and write

10B0000

heap

page read and write

124E000

heap

page read and write

2CB1000

heap

page read and write

123B000

heap

page read and write

E76F000

stack

page read and write

3870000

heap

page read and write

1259000

heap

page read and write

1259000

heap

page read and write

2EC0000

heap

page read and write

2A11000

heap

page read and write

1144000

heap

page read and write

2B10000

trusted library allocation

page read and write

1259000

heap

page read and write

1259000

heap

page read and write

7A0000

unkown

page readonly

149E000

stack

page read and write

268C000

heap

page read and write

38CE000

stack

page read and write

1259000

heap

page read and write

113E000

stack

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

14A0000

heap

page read and write

3360000

heap

page read and write

142B000

heap

page read and write

1259000

heap

page read and write

2CB1000

heap

page read and write

2B20000

heap

page read and write

1259000

heap

page read and write

DB7000

heap

page read and write

1259000

heap

page read and write

C66F000

stack

page read and write

A60000

unkown

page readonly

13D5000

heap

page read and write

C6A1000

heap

page read and write

2CB1000

heap

page read and write

330E000

stack

page read and write

1259000

heap

page read and write

2CB1000

heap

page read and write

141B000

heap

page read and write

2CB1000

heap

page read and write

1259000

heap

page read and write

7A0000

unkown

page readonly

113C000

stack

page read and write

F2DE000

stack

page read and write

631000

unkown

page execute read

2CB1000

heap

page read and write

2CB1000

heap

page read and write

2CB1000

heap

page read and write

321F000

stack

page read and write

2F00000

heap

page read and write

2FF0000

heap

page read and write

1175000

heap

page read and write

1170000

trusted library allocation

page read and write

1259000

heap

page read and write

2839000

heap

page execute and read and write

1259000

heap

page read and write

1144000

heap

page read and write

A85E000

stack

page read and write

1073B000

stack

page read and write

126B000

heap

page read and write

2F5C000

heap

page read and write

1259000

heap

page read and write

13F2000

heap

page read and write

1259000

heap

page read and write

2CB1000

heap

page read and write

2F40000

heap

page read and write

29C0000

heap

page read and write

7A0000

unkown

page readonly

14EE000

stack

page read and write

1259000

heap

page read and write

2EB0000

heap

page read and write

1259000

heap

page read and write

2CB1000

heap

page read and write

ABDF000

stack

page read and write

1140000

heap

page read and write

1144000

heap

page read and write

EA2D000

stack

page read and write

1259000

heap

page read and write

E0F1000

heap

page read and write

12A7000

heap

page read and write

1259000

heap

page read and write

2CB1000

heap

page read and write

FB9000

stack

page read and write

2CB1000

heap

page read and write

2CB1000

heap

page read and write

C36B000

stack

page read and write

C7A0000

remote allocation

page read and write

1144000

heap

page read and write

2CB1000

heap

page read and write

12D2000

heap

page read and write

32CF000

stack

page read and write

3050000

heap

page read and write

1144000

heap

page read and write

3190000

heap

page execute and read and write

11D0000

heap

page read and write

10060000

remote allocation

page read and write

1272000

heap

page read and write

294F000

unkown

page read and write

1144000

heap

page read and write

1070000

heap

page read and write

31CD000

stack

page read and write

4FA000

unkown

page write copy

2CB1000

heap

page read and write

1144000

heap

page read and write

AA9E000

stack

page read and write

371000

unkown

page execute read

1259000

heap

page read and write

C1E000

stack

page read and write

1259000

heap

page read and write

29C4000

heap

page read and write

E6A000

stack

page read and write

1296000

heap

page read and write

11B0000

heap

page read and write

1259000

heap

page read and write

1431000

heap

page read and write

2E6D000

stack

page read and write

1259000

heap

page read and write

150E000

stack

page read and write

1259000

heap

page read and write

FFD0000

direct allocation

page read and write

F5E000

stack

page read and write

1170000

trusted library allocation

page read and write

1259000

heap

page read and write

FE7B000

stack

page read and write

E66E000

stack

page read and write

1259000

heap

page read and write

C670000

heap

page read and write

306D000

heap

page execute and read and write

340F000

stack

page read and write

D99000

heap

page read and write

631000

unkown

page execute read

1259000

heap

page read and write

1259000

heap

page read and write

2DEE000

stack

page read and write

2CB1000

heap

page read and write

B59000

stack

page read and write

1259000

heap

page read and write

2CB1000

heap

page read and write

2CB1000

heap

page read and write

1259000

heap

page read and write

1259000

heap

page read and write

13EA000

heap

page read and write

29D0000

heap

page read and write

2A00000

heap

page read and write

C7A0000

remote allocation

page read and write

2CB1000

heap

page read and write

2CB1000

heap

page read and write

2F20000

heap

page read and write

1259000

heap

page read and write

ACED000

stack

page read and write

13DE000

heap

page read and write

3590000

heap

page read and write

2B10000

trusted library allocation

page read and write

10A1C000

stack

page read and write

2B10000

trusted library allocation

page read and write

D67000

heap

page read and write

1259000

heap

page read and write

D9A000

heap

page read and write

2BB0000

heap

page read and write

2CB1000

heap

page read and write

C6A6000

heap

page read and write

EB9000

stack

page read and write

334F000

stack

page read and write

C6A6000

heap

page read and write

100A1000

direct allocation

page execute and read and write

308C000

stack

page read and write

1259000

heap

page read and write

1259000

heap

page read and write

1294000

heap

page read and write

2CB1000

heap

page read and write

1272000

heap

page read and write

1259000

heap

page read and write

2370000

heap

page read and write

E8EE000

stack

page read and write

2E90000

heap

page read and write

33DF000

stack

page read and write

1259000

heap

page read and write

1144000

heap

page read and write

2CB1000

heap

page read and write

142C000

heap

page read and write

1259000

heap

page read and write

B69000

stack

page read and write

2CB1000

heap

page read and write

There are 524 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
poMkNYHDU3.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportpoMkNYHDU3.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
poMkNYHDU3.exe