Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

LisectAVT_2403002A_52.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.915152449015222
Filename:	LisectAVT_2403002A_52.exe
Filesize:	749070
MD5:	52cb8bfa6bc3ffa539d9aba0ada28842
SHA1:	12421664688e01c7500cb7c82fc67672558c6ff3
SHA256:	dadafd098dc94e3706b0e84b36042b4dced32a372c4b086d85df4a23943b88ac
SHA512:	d7dd72353f4bdea1fd944a15bbb545405b1753d9442b0c59ca0446a52b07433b258c38a80d65ee23305c54d2b70c0e9d017c307326c8c404a6112f72605887d3
SSDEEP:	12288:0g4CMwp1SZUfek6vcaB5PXpPdJFyGn7xlfmE4RA36XbiiVWAmk:LSkeklaB/1/jdlfmQQF
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\|..f..............0.............".... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
.NET source code contains potential unpacker	Data Obfuscation
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)	Anti Debugging
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation Virtualization/Sandbox Evasion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks if the current process is being debugged	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Creates a window with clipboard capturing capabilities	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample might require command line arguments	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_52.exe.log

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_52.exe.log
Category:	modified
Dump:	LisectAVT_2403002A_52.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\LisectAVT_2403002A_52.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\LisectAVT_2403002A_52.exe

"C:\Users\user\Desktop\LisectAVT_2403002A_52.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2748
Target ID:	0
Parent PID:	1028
Name:	LisectAVT_2403002A_52.exe
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_52.exe
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_52.exe"
Size:	749070
MD5:	52CB8BFA6BC3FFA539D9ABA0ADA28842
Time:	13:17:42
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc0000
Modulesize:	753664
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\LisectAVT_2403002A_52.exe

"C:\Users\user\Desktop\LisectAVT_2403002A_52.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6380
Target ID:	3
Parent PID:	2748
Name:	LisectAVT_2403002A_52.exe
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_52.exe
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_52.exe"
Size:	749070
MD5:	52CB8BFA6BC3FFA539D9ABA0ADA28842
Time:	13:17:44
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x710000
Modulesize:	753664
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://smtp.thanhancompony.com

unknown

Details

Name:	http://smtp.thanhancompony.com
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\Desktop\LisectAVT_2403002A_52.exe
Source:	LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.00000000029B4000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.00000000029D6000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.00000000029C4000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.0000000002D81000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\LisectAVT_2403002A_52.exe
Source:	LisectAVT_2403002A_52.exe, 00000000.00000002.2020608917.000000000369E000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_52.exe, 00000003.00000002.4471130246.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://us2.smtp.mailhostbox.com

unknown

Details

Name:	http://us2.smtp.mailhostbox.com
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\Desktop\LisectAVT_2403002A_52.exe
Source:	LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.00000000029B4000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.00000000029D6000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.00000000029C4000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.0000000002D81000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://www.chiark.greenend.org.uk/~sgtatham/putty/0

unknown

http://tempuri.org/Locations.xsdkServer=ARCHIT;Database=Sample;Trusted_Connection=TrueUPlease

unknown

http://ip-api.com/line/?fields=hosting

208.95.112.1

Details

Name:	http://ip-api.com/line/?fields=hosting
IP:	208.95.112.1
TargetID:	3
From Memory:	false
Current Path:	C:\Users\user\Desktop\LisectAVT_2403002A_52.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking

http://ip-api.com

unknown

Domains

Name

Malicious

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Check if machine is in data center or colocation facility	Malware Analysis System Evasion	Security Software Discovery
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

smtp.thanhancompony.com

unknown

Details

Name:	smtp.thanhancompony.com
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

us2.smtp.mailhostbox.com

208.91.198.143

Details

Name:	us2.smtp.mailhostbox.com
IP:	208.91.198.143
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

208.95.112.1

ip-api.com

United States

208.91.198.143

us2.smtp.mailhostbox.com

United States

Details

IP:	208.91.198.143
TargetID:	3
Current Path:	C:\Users\user\Desktop\LisectAVT_2403002A_52.exe
Country:	United States
Countrycode:	USA
ASN number:	394695
ASN name:	PUBLIC-DOMAIN-REGISTRYUS
Private:	false
Domain:	us2.smtp.mailhostbox.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_52_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_52_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_52_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_52_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_52_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_52_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_52_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_52_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_52_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_52_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_52_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_52_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_52_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_52_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

29AE000

trusted library allocation

page read and write

2981000

trusted library allocation

page read and write

369E000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

6620000

heap

page read and write

4904000

trusted library allocation

page read and write

983E000

stack

page read and write

BA13000

trusted library allocation

page read and write

4C30000

heap

page execute and read and write

A86E000

heap

page read and write

24BE000

stack

page read and write

852000

trusted library allocation

page read and write

BA27000

trusted library allocation

page read and write

D80000

heap

page read and write

5600000

trusted library allocation

page read and write

856000

trusted library allocation

page execute and read and write

610E000

stack

page read and write

6C10000

trusted library allocation

page read and write

4A10000

heap

page read and write

29B4000

trusted library allocation

page read and write

3AD8000

trusted library allocation

page read and write

83D000

trusted library allocation

page execute and read and write

28E0000

trusted library allocation

page read and write

3B98000

trusted library allocation

page read and write

713E000

stack

page read and write

29D6000

trusted library allocation

page read and write

4960000

trusted library allocation

page read and write

696F000

stack

page read and write

4926000

trusted library allocation

page read and write

D5D000

trusted library allocation

page execute and read and write

5060000

heap

page execute and read and write

BA4A000

trusted library allocation

page read and write

723E000

stack

page read and write

AB0000

trusted library allocation

page read and write

BA2C000

trusted library allocation

page read and write

3B38000

trusted library allocation

page read and write

5520000

heap

page read and write

2737000

trusted library allocation

page execute and read and write

4958000

trusted library allocation

page read and write

4AEE000

stack

page read and write

D76000

trusted library allocation

page execute and read and write

69AC000

stack

page read and write

662E000

heap

page read and write

DC5000

heap

page read and write

4EFC000

stack

page read and write

2D0E000

trusted library allocation

page read and write

4E6B000

stack

page read and write

935000

heap

page read and write

676E000

stack

page read and write

6BEC000

stack

page read and write

289E000

stack

page read and write

279E000

stack

page read and write

4930000

trusted library allocation

page read and write

3A58000

trusted library allocation

page read and write

4ED0000

trusted library allocation

page read and write

2345000

trusted library allocation

page read and write

39F8000

trusted library allocation

page read and write

2750000

trusted library allocation

page read and write

54B9000

heap

page read and write

4950000

trusted library allocation

page read and write

D40000

trusted library allocation

page read and write

D54000

trusted library allocation

page read and write

993E000

stack

page read and write

B59000

stack

page read and write

A5E000

stack

page read and write

663D000

stack

page read and write

54AC000

stack

page read and write

D87000

heap

page read and write

81E000

stack

page read and write

4F74000

heap

page read and write

6C20000

trusted library allocation

page execute and read and write

2549000

trusted library allocation

page read and write

7000000

heap

page read and write

E2A000

heap

page read and write

233E000

stack

page read and write

6770000

trusted library allocation

page read and write

4F80000

trusted library allocation

page read and write

2735000

trusted library allocation

page execute and read and write

4980000

trusted library allocation

page read and write

CA7000

heap

page read and write

D90000

heap

page read and write

8257000

trusted library allocation

page read and write

D50000

trusted library allocation

page read and write

3A78000

trusted library allocation

page read and write

3AB8000

trusted library allocation

page read and write

CE0000

heap

page read and write

6720000

trusted library allocation

page execute and read and write

BA36000

trusted library allocation

page read and write

4F9E000

trusted library allocation

page read and write

A8DF000

heap

page read and write

BA09000

trusted library allocation

page read and write

3B58000

trusted library allocation

page read and write

85A000

trusted library allocation

page execute and read and write

4F20000

heap

page read and write

24C1000

trusted library allocation

page read and write

C210000

trusted library allocation

page read and write

4F50000

trusted library allocation

page read and write

34C9000

trusted library allocation

page read and write

4F8B000

trusted library allocation

page read and write

868000

heap

page read and write

537000

stack

page read and write

CB0000

heap

page read and write

4A50000

trusted library section

page readonly

116E6000

trusted library allocation

page read and write

D7A000

trusted library allocation

page execute and read and write

45BC000

stack

page read and write

8F9000

heap

page read and write

BA61000

trusted library allocation

page read and write

3BB8000

trusted library allocation

page read and write

4F10000

heap

page read and write

BA00000

trusted library allocation

page read and write

2532000

trusted library allocation

page read and write

678B000

trusted library allocation

page read and write

4F60000

trusted library allocation

page read and write

E19000

heap

page read and write

4FAD000

trusted library allocation

page read and write

4EE0000

trusted library section

page read and write

6D22000

trusted library allocation

page read and write

49D0000

heap

page read and write

4FA1000

trusted library allocation

page read and write

896000

heap

page read and write

6690000

trusted library allocation

page execute and read and write

614E000

stack

page read and write

62A0000

heap

page read and write

23A0000

trusted library allocation

page read and write

BA18000

trusted library allocation

page read and write

49B3000

heap

page read and write

4A29000

trusted library allocation

page read and write

6A70000

trusted library section

page read and write

4CC0000

heap

page read and write

4EC0000

trusted library allocation

page read and write

D6D000

trusted library allocation

page execute and read and write

65D7000

trusted library allocation

page read and write

5070000

heap

page read and write

3B18000

trusted library allocation

page read and write

4F70000

heap

page read and write

6AAC000

stack

page read and write

84D000

trusted library allocation

page execute and read and write

29C0000

trusted library allocation

page read and write

A67000

trusted library allocation

page execute and read and write

BA45000

trusted library allocation

page read and write

833000

trusted library allocation

page execute and read and write

4F54000

trusted library allocation

page read and write

D70000

trusted library allocation

page read and write

624E000

stack

page read and write

DC7000

heap

page read and write

4EF0000

heap

page read and write

55F0000

heap

page read and write

39D8000

trusted library allocation

page read and write

49F0000

trusted library allocation

page execute and read and write

B4C000

stack

page read and write

BA54000

trusted library allocation

page read and write

7DF000

stack

page read and write

65CE000

stack

page read and write

D2C000

stack

page read and write

4940000

trusted library allocation

page read and write

4E90000

trusted library allocation

page execute and read and write

2503000

trusted library allocation

page read and write

65E6000

trusted library allocation

page read and write

4F8E000

trusted library allocation

page read and write

4A30000

trusted library allocation

page read and write

65F0000

trusted library allocation

page read and write

E2E000

heap

page read and write

55ED000

stack

page read and write

840000

trusted library allocation

page read and write

6C30000

heap

page read and write

4EF5000

heap

page read and write

A90000

trusted library allocation

page execute and read and write

C0000

unkown

page readonly

5608000

trusted library allocation

page read and write

92EE000

trusted library allocation

page read and write

F8D000

stack

page read and write

526C000

stack

page read and write

BA4F000

trusted library allocation

page read and write

A710000

heap

page read and write

53AC000

stack

page read and write

54B0000

heap

page read and write

2DAB000

trusted library allocation

page read and write

490B000

trusted library allocation

page read and write

650000

heap

page read and write

29D0000

trusted library allocation

page read and write

4CD0000

heap

page read and write

23B0000

heap

page execute and read and write

A5A000

stack

page read and write

3A98000

trusted library allocation

page read and write

AC0000

heap

page read and write

A62000

trusted library allocation

page read and write

A891000

heap

page read and write

6640000

trusted library allocation

page execute and read and write

A8BC000

heap

page read and write

7010000

trusted library allocation

page read and write

B0E000

stack

page read and write

4F30000

trusted library allocation

page read and write

64CE000

stack

page read and write

65E0000

trusted library allocation

page read and write

2732000

trusted library allocation

page read and write

A8C5000

heap

page read and write

D98000

heap

page read and write

3BF8000

trusted library allocation

page read and write

39B8000

trusted library allocation

page read and write

4A20000

trusted library allocation

page read and write

6276000

heap

page read and write

3565000

trusted library allocation

page read and write

6250000

heap

page read and write

E06000

heap

page read and write

3517000

trusted library allocation

page read and write

4955000

trusted library allocation

page read and write

D72000

trusted library allocation

page read and write

BC0000

heap

page read and write

AA0000

heap

page read and write

28DC000

stack

page read and write

4C2C000

stack

page read and write

2930000

heap

page execute and read and write

29C4000

trusted library allocation

page read and write

5DD0000

heap

page read and write

92E9000

trusted library allocation

page read and write

4F27000

heap

page read and write

5530000

heap

page read and write

AC7000

heap

page read and write

5550000

heap

page read and write

86E000

heap

page read and write

D53000

trusted library allocation

page execute and read and write

570000

heap

page read and write

2730000

trusted library allocation

page read and write

116EE000

trusted library allocation

page read and write

4FB2000

trusted library allocation

page read and write

3A18000

trusted library allocation

page read and write

D60000

trusted library allocation

page read and write

8A3000

heap

page read and write

5CCC000

stack

page read and write

2920000

trusted library allocation

page execute and read and write

4EA0000

trusted library section

page read and write

500C000

stack

page read and write

16C000

unkown

page readonly

2522000

trusted library allocation

page read and write

65FD000

trusted library allocation

page read and write

7F1C0000

trusted library allocation

page execute and read and write

A81D000

heap

page read and write

B50000

heap

page read and write

2940000

heap

page read and write

691E000

stack

page read and write

6BEE000

stack

page read and write

492D000

trusted library allocation

page read and write

4EB0000

trusted library allocation

page execute and read and write

A8B5000

heap

page read and write

C2000

unkown

page readonly

860000

heap

page read and write

400000

remote allocation

page execute and read and write

4EAC000

stack

page read and write

5610000

heap

page read and write

3BD8000

trusted library allocation

page read and write

6D0000

heap

page read and write

668F000

stack

page read and write

2350000

trusted library allocation

page execute and read and write

2951000

trusted library allocation

page read and write

29D4000

trusted library allocation

page read and write

35B3000

trusted library allocation

page read and write

BA40000

trusted library allocation

page read and write

4FA6000

trusted library allocation

page read and write

BA31000

trusted library allocation

page read and write

3951000

trusted library allocation

page read and write

6730000

trusted library allocation

page read and write

68DE000

stack

page read and write

3A38000

trusted library allocation

page read and write

67DE000

stack

page read and write

65D0000

trusted library allocation

page read and write

DBB000

heap

page read and write

A7FD000

heap

page read and write

69E000

stack

page read and write

4932000

trusted library allocation

page read and write

239D000

stack

page read and write

491E000

trusted library allocation

page read and write

A6B000

trusted library allocation

page execute and read and write

4F92000

trusted library allocation

page read and write

29AC000

trusted library allocation

page read and write

43A000

stack

page read and write

CA0000

heap

page read and write

820000

trusted library allocation

page read and write

273B000

trusted library allocation

page execute and read and write

3AF8000

trusted library allocation

page read and write

6AEC000

stack

page read and write

4F40000

trusted library allocation

page read and write

BA22000

trusted library allocation

page read and write

49E0000

trusted library allocation

page read and write

A80000

trusted library allocation

page read and write

2340000

trusted library allocation

page read and write

4921000

trusted library allocation

page read and write

49B0000

heap

page read and write

830000

trusted library allocation

page read and write

5DCE000

stack

page read and write

52AE000

stack

page read and write

BA1D000

trusted library allocation

page read and write

BA3B000

trusted library allocation

page read and write

6A5E000

stack

page read and write

6A1E000

stack

page read and write

BA0E000

trusted library allocation

page read and write

4E7E000

stack

page read and write

252B000

trusted library allocation

page read and write

2900000

trusted library allocation

page read and write

6780000

trusted library allocation

page read and write

5DE0000

heap

page read and write

3979000

trusted library allocation

page read and write

8A1000

heap

page read and write

92E6000

trusted library allocation

page read and write

34C1000

trusted library allocation

page read and write

6790000

trusted library allocation

page read and write

BA04000

trusted library allocation

page read and write

834000

trusted library allocation

page read and write

4900000

trusted library allocation

page read and write

2910000

trusted library allocation

page read and write

116E9000

trusted library allocation

page read and write

850000

trusted library allocation

page read and write

3B78000

trusted library allocation

page read and write

2D81000

trusted library allocation

page read and write

7A10000

trusted library allocation

page read and write

There are 305 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
LisectAVT_2403002A_52.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportLisectAVT_2403002A_52.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
LisectAVT_2403002A_52.exe