Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

LisectAVT_2403002A_127.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.906401671315325
Filename:	LisectAVT_2403002A_127.exe
Filesize:	697350
MD5:	67cf14e98914a0ae61cda009d3ed1df7
SHA1:	4bf4a1f9365eb649a2fdf1a30b2e4c149fad03dc
SHA256:	79d0926744b84fc30f2a528b4aa64b2aa015001616f7062f15695fa00de45081
SHA512:	b1edfdb6f9b03c2a9f1a0498bf28b40c1d3a2e4de80c7a8ff29397a9eaa1f787ccc2dbf2f9a69da1c601c963589187f43c2820b683435b8cfcbcfc703046360d
SSDEEP:	12288:BJggC74CMw3iOdiDSZnRtnt9iXSSfI5qIFngvpZsG9WxzQaU3y:BJgFoOdjtnOSKPhh6GEQn3
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;...............0.................. ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
.NET source code contains potential unpacker	Data Obfuscation
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation Security Software Discovery
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Creates a window with clipboard capturing capabilities	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary	System Information Discovery
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_127.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_127.exe.log
Category:	dropped
Dump:	LisectAVT_2403002A_127.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

"C:\Users\user\Desktop\LisectAVT_2403002A_127.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5396
Target ID:	0
Parent PID:	4004
Name:	LisectAVT_2403002A_127.exe
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_127.exe"
Size:	697350
MD5:	67CF14E98914A0AE61CDA009D3ED1DF7
Time:	17:59:07
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xb80000
Modulesize:	720896
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\LisectAVT_2403002A_127.exe

"C:\Users\user\Desktop\LisectAVT_2403002A_127.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5020
Target ID:	3
Parent PID:	5396
Name:	LisectAVT_2403002A_127.exe
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_127.exe"
Size:	697350
MD5:	67CF14E98914A0AE61CDA009D3ED1DF7
Time:	17:59:13
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc50000
Modulesize:	720896
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://api.telegram.org

unknown

https://api.telegram.org/bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/

unknown

https://api.ipify.org/

104.26.13.205

https://api.ipify.org

unknown

https://account.dyn.com/

unknown

https://www.gnu.org/licenses/

unknown

https://fsf.org/

unknown

https://www.gnu.org/licenses/why-not-lgpl.html

unknown

https://api.ipify.org/t

unknown

http://api.telegram.org

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://download.alegsoftware.ga/ws_switches/contatore/ltromatic.ttf

unknown

https://api.telegram.org/bot6240128422:AAGfewUxVcQqKio_MV181yAuk31JpsBcgy8/sendDocument

149.154.167.220

There are 3 hidden URLs, click here to show them.

Domains

Name

Malicious

api.telegram.org

149.154.167.220

Details

Name:	api.telegram.org
IP:	149.154.167.220
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Uses the Telegram API (likely for C&C communication)	Networking	Web Service
HTTP GET or POST without a user agent	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

api.ipify.org

104.26.13.205

Details

Name:	api.ipify.org
IP:	104.26.13.205
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

149.154.167.220

api.telegram.org

United Kingdom

Details

IP:	149.154.167.220
TargetID:	3
Current Path:	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	api.telegram.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.26.13.205

api.ipify.org

United States

Details

IP:	104.26.13.205
TargetID:	3
Current Path:	C:\Users\user\Desktop\LisectAVT_2403002A_127.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_127_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_127_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_127_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_127_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_127_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_127_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_127_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_127_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_127_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_127_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_127_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_127_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_127_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_127_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

428D000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

4BB0000

trusted library allocation

page read and write

3131000

trusted library allocation

page read and write

11F4000

trusted library allocation

page read and write

1220000

trusted library allocation

page read and write

30E1000

trusted library allocation

page read and write

2E4F000

stack

page read and write

1790000

trusted library allocation

page read and write

3305000

trusted library allocation

page read and write

6050000

heap

page read and write

80BC000

stack

page read and write

53FD000

trusted library allocation

page read and write

13D6000

trusted library allocation

page execute and read and write

325A000

trusted library allocation

page read and write

1290000

heap

page read and write

6A00000

heap

page read and write

A77D000

stack

page read and write

31DE000

trusted library allocation

page read and write

2F10000

trusted library allocation

page execute and read and write

53DB000

trusted library allocation

page read and write

113C000

stack

page read and write

6D5E000

stack

page read and write

129E000

heap

page read and write

4250000

trusted library allocation

page read and write

30D0000

trusted library allocation

page read and write

CD96000

trusted library allocation

page read and write

34B3000

trusted library allocation

page read and write

36B6000

trusted library allocation

page read and write

5640000

trusted library allocation

page read and write

2F30000

trusted library allocation

page read and write

144E000

stack

page read and write

5480000

trusted library allocation

page read and write

5402000

trusted library allocation

page read and write

12A0000

trusted library allocation

page read and write

40E1000

trusted library allocation

page read and write

1185000

heap

page read and write

1130000

heap

page read and write

1190000

trusted library allocation

page read and write

55E4000

heap

page read and write

54A0000

trusted library allocation

page execute and read and write

D89000

stack

page read and write

562C000

stack

page read and write

3070000

trusted library allocation

page read and write

2F92000

trusted library allocation

page read and write

D64E000

trusted library allocation

page read and write

A63E000

stack

page read and write

1450000

heap

page read and write

6C3F000

stack

page read and write

412E000

trusted library allocation

page read and write

1210000

trusted library allocation

page read and write

6F9E000

stack

page read and write

2F40000

heap

page read and write

D649000

trusted library allocation

page read and write

2EC0000

trusted library allocation

page read and write

12C0000

trusted library allocation

page read and write

13D0000

trusted library allocation

page read and write

55B0000

heap

page read and write

13E2000

trusted library allocation

page read and write

6CA0000

heap

page read and write

68FE000

stack

page read and write

9F4C000

heap

page read and write

1780000

trusted library allocation

page read and write

CBA000

stack

page read and write

3349000

trusted library allocation

page read and write

55E0000

heap

page read and write

D671000

trusted library allocation

page read and write

12FB000

heap

page read and write

74CE000

stack

page read and write

31D6000

trusted library allocation

page read and write

117C000

stack

page read and write

3668000

trusted library allocation

page read and write

3056000

trusted library allocation

page read and write

13DA000

trusted library allocation

page execute and read and write

5470000

heap

page read and write

12B4000

trusted library allocation

page read and write

6B3E000

stack

page read and write

D635000

trusted library allocation

page read and write

6C9E000

stack

page read and write

12D0000

heap

page read and write

31E2000

trusted library allocation

page read and write

56D0000

heap

page execute and read and write

1200000

trusted library allocation

page read and write

D67B000

trusted library allocation

page read and write

2E70000

heap

page execute and read and write

D63A000

trusted library allocation

page read and write

643D000

stack

page read and write

D630000

trusted library allocation

page read and write

4043000

trusted library allocation

page read and write

1351000

heap

page read and write

32ED000

trusted library allocation

page read and write

598E000

stack

page read and write

7420000

trusted library section

page read and write

1298000

heap

page read and write

D676000

trusted library allocation

page read and write

508C000

stack

page read and write

7120000

trusted library allocation

page read and write

6CC0000

trusted library allocation

page execute and read and write

711C000

stack

page read and write

D662000

trusted library allocation

page read and write

148E000

stack

page read and write

57E0000

trusted library section

page read and write

A3FE000

stack

page read and write

12D4000

heap

page read and write

663E000

stack

page read and write

10F8000

stack

page read and write

31EE000

trusted library allocation

page read and write

559E000

stack

page read and write

712B000

trusted library allocation

page read and write

D653000

trusted library allocation

page read and write

334B000

trusted library allocation

page read and write

A8BE000

stack

page read and write

5B20000

heap

page read and write

305D000

trusted library allocation

page read and write

3FA7000

trusted library allocation

page read and write

12B8000

heap

page read and write

2F35000

trusted library allocation

page read and write

3F59000

trusted library allocation

page read and write

3186000

trusted library allocation

page read and write

6C50000

trusted library allocation

page read and write

B82000

unkown

page readonly

30D2000

trusted library allocation

page read and write

1216000

trusted library allocation

page execute and read and write

D66C000

trusted library allocation

page read and write

A53E000

stack

page read and write

1760000

trusted library allocation

page execute and read and write

D626000

trusted library allocation

page read and write

A780000

heap

page read and write

6AA5000

heap

page read and write

1180000

heap

page read and write

647B000

unkown

page read and write

7470000

heap

page read and write

566C000

stack

page read and write

117E000

stack

page read and write

1400000

trusted library allocation

page read and write

12B0000

trusted library allocation

page read and write

13D2000

trusted library allocation

page read and write

5410000

trusted library allocation

page read and write

1327000

heap

page read and write

9EC0000

heap

page read and write

7822000

trusted library allocation

page read and write

9F59000

heap

page read and write

7150000

trusted library allocation

page read and write

DF0000

heap

page read and write

75BA000

heap

page read and write

53D4000

trusted library allocation

page read and write

2E60000

trusted library allocation

page read and write

17A7000

heap

page read and write

2EC5000

trusted library allocation

page read and write

1720000

trusted library allocation

page execute and read and write

1227000

trusted library allocation

page execute and read and write

69FE000

stack

page read and write

2EBE000

stack

page read and write

7430000

trusted library allocation

page execute and read and write

341E000

trusted library allocation

page read and write

701C000

stack

page read and write

3129000

trusted library allocation

page read and write

54B3000

heap

page read and write

CD99000

trusted library allocation

page read and write

121A000

trusted library allocation

page execute and read and write

31DA000

trusted library allocation

page read and write

13EB000

trusted library allocation

page execute and read and write

304E000

trusted library allocation

page read and write

732F000

heap

page read and write

6C4D000

trusted library allocation

page read and write

7320000

heap

page read and write

3074000

trusted library allocation

page read and write

6A83000

heap

page read and write

12B3000

trusted library allocation

page execute and read and write

3051000

trusted library allocation

page read and write

5690000

trusted library allocation

page read and write

1100000

heap

page read and write

13E5000

trusted library allocation

page execute and read and write

A67D000

stack

page read and write

2F58000

trusted library allocation

page read and write

3F51000

trusted library allocation

page read and write

633E000

stack

page read and write

DB7000

stack

page read and write

5430000

trusted library allocation

page read and write

1240000

trusted library allocation

page read and write

5490000

trusted library allocation

page execute and read and write

12C7000

heap

page read and write

D658000

trusted library allocation

page read and write

13E7000

trusted library allocation

page execute and read and write

75B0000

heap

page read and write

5670000

trusted library allocation

page read and write

5C60000

heap

page read and write

155C000

stack

page read and write

11F3000

trusted library allocation

page execute and read and write

2F20000

trusted library allocation

page read and write

D644000

trusted library allocation

page read and write

6030000

heap

page read and write

1737000

heap

page read and write

311E000

trusted library allocation

page read and write

312D000

trusted library allocation

page read and write

B80000

unkown

page readonly

11A0000

heap

page read and write

6C57000

trusted library allocation

page read and write

5A15000

heap

page read and write

5C5D000

stack

page read and write

56A0000

trusted library allocation

page read and write

4F8B000

stack

page read and write

3309000

trusted library allocation

page read and write

6CB0000

trusted library allocation

page execute and read and write

1770000

heap

page read and write

3030000

trusted library allocation

page read and write

3FF5000

trusted library allocation

page read and write

165C000

stack

page read and write

17A0000

heap

page read and write

53EE000

trusted library allocation

page read and write

54B0000

heap

page read and write

CD9E000

trusted library allocation

page read and write

128E000

stack

page read and write

11FD000

trusted library allocation

page execute and read and write

A9FD000

stack

page read and write

7480000

heap

page read and write

5482000

trusted library allocation

page read and write

6A04000

heap

page read and write

6FDF000

stack

page read and write

D62B000

trusted library allocation

page read and write

8D17000

trusted library allocation

page read and write

8FAE000

stack

page read and write

1307000

heap

page read and write

55C0000

trusted library allocation

page read and write

2F51000

trusted library allocation

page read and write

158E000

stack

page read and write

1457000

heap

page read and write

D667000

trusted library allocation

page read and write

31D2000

trusted library allocation

page read and write

555C000

stack

page read and write

55DE000

stack

page read and write

6AD1000

heap

page read and write

5650000

heap

page execute and read and write

6DB0000

trusted library allocation

page read and write

5590000

trusted library section

page readonly

A4FE000

stack

page read and write

3125000

trusted library allocation

page read and write

D61F000

trusted library allocation

page read and write

12BD000

trusted library allocation

page execute and read and write

1203000

trusted library allocation

page read and write

75C0000

trusted library allocation

page read and write

1260000

heap

page read and write

712E000

heap

page read and write

1222000

trusted library allocation

page read and write

31CE000

trusted library allocation

page read and write

7440000

trusted library allocation

page read and write

53F6000

trusted library allocation

page read and write

6020000

heap

page read and write

64BC000

unkown

page read and write

5C88000

trusted library allocation

page read and write

7F1E0000

trusted library allocation

page execute and read and write

D65D000

trusted library allocation

page read and write

4109000

trusted library allocation

page read and write

A9BE000

stack

page read and write

31EA000

trusted library allocation

page read and write

7480000

trusted library allocation

page read and write

5A5E000

stack

page read and write

30D0000

heap

page execute and read and write

5A60000

trusted library allocation

page read and write

13E0000

trusted library allocation

page read and write

744D000

stack

page read and write

6AE8000

heap

page read and write

4145000

trusted library allocation

page read and write

3351000

trusted library allocation

page read and write

122B000

trusted library allocation

page execute and read and write

302C000

stack

page read and write

120D000

trusted library allocation

page execute and read and write

303B000

trusted library allocation

page read and write

12CD000

trusted library allocation

page execute and read and write

3080000

trusted library allocation

page read and write

308A000

trusted library allocation

page read and write

11F0000

trusted library allocation

page read and write

2E50000

trusted library allocation

page read and write

D63F000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

5A10000

heap

page read and write

303E000

trusted library allocation

page read and write

55A0000

heap

page read and write

2FB1000

trusted library allocation

page read and write

6A92000

heap

page read and write

53F1000

trusted library allocation

page read and write

175E000

stack

page read and write

1304000

heap

page read and write

AAFE000

stack

page read and write

56E0000

heap

page read and write

6A78000

heap

page read and write

11EE000

stack

page read and write

6DA6000

trusted library allocation

page read and write

5B1E000

stack

page read and write

55E0000

heap

page read and write

51DD000

stack

page read and write

548B000

trusted library allocation

page read and write

6AA7000

heap

page read and write

731E000

stack

page read and write

1342000

heap

page read and write

5A00000

trusted library allocation

page execute and read and write

6DA0000

trusted library allocation

page read and write

D621000

trusted library allocation

page read and write

7120000

heap

page read and write

31E6000

trusted library allocation

page read and write

7170000

heap

page read and write

53D0000

trusted library allocation

page read and write

1020000

heap

page read and write

12D2000

heap

page read and write

1730000

heap

page read and write

8AC0000

trusted library allocation

page read and write

6C40000

trusted library allocation

page read and write

5C80000

trusted library allocation

page read and write

7C80000

trusted library section

page read and write

7460000

heap

page read and write

5A1C000

stack

page read and write

2F0E000

stack

page read and write

7160000

trusted library allocation

page execute and read and write

6A42000

heap

page read and write

5570000

trusted library allocation

page read and write

3042000

trusted library allocation

page read and write

There are 306 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
LisectAVT_2403002A_127.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportLisectAVT_2403002A_127.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
LisectAVT_2403002A_127.exe