Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

LisectAVT_2403002A_124.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.8887481114185025
Filename:	LisectAVT_2403002A_124.exe
Filesize:	705542
MD5:	1e6fe7e9dd5292ac6ed4c77d742da69b
SHA1:	5f13634797d7d9c4b670d3e11076680340f89b89
SHA256:	bb1b31f63c63a642be94f71d4dbab8c30c498662ee4269722aca9448eb264d94
SHA512:	1795fbf6bf79ee9799c2b97304fa6d11901c0c7401b2f4dcad343f0f6a0b578e1fd2bf6fdf86c74becc2843d86229b5e80bda64c38b9820fc28232f8da615a24
SSDEEP:	12288:UB+GbFNXl2MIBdcqcUwxW8aNGFDp5T3bzNq8GmNLhnWmIBczDc44CMw:cvRNV2VdcqcUXdaDplzNqIhcczw
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....l...............0.................. ........@.. ....................... ............@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary	Windows Management Instrumentation System Information Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_124.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_124.exe.log
Category:	dropped
Dump:	LisectAVT_2403002A_124.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\LisectAVT_2403002A_124.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\LisectAVT_2403002A_124.exe

"C:\Users\user\Desktop\LisectAVT_2403002A_124.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7292
Target ID:	0
Parent PID:	2580
Name:	LisectAVT_2403002A_124.exe
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_124.exe
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_124.exe"
Size:	705542
MD5:	1E6FE7E9DD5292AC6ED4C77D742DA69B
Time:	18:05:03
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x2f0000
Modulesize:	729088
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\LisectAVT_2403002A_124.exe

"C:\Users\user\Desktop\LisectAVT_2403002A_124.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7468
Target ID:	2
Parent PID:	7292
Name:	LisectAVT_2403002A_124.exe
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_124.exe
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_124.exe"
Size:	705542
MD5:	1E6FE7E9DD5292AC6ED4C77D742DA69B
Time:	18:05:06
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xee0000
Modulesize:	729088
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://www.google.com)Uygun

unknown

http://www.google.com

unknown

https://api.ipify.org/

104.26.12.205

http://smtp.flying-fish-cn.com

unknown

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://www.fontbureau.com

unknown

http://www.fontbureau.com/designersG

unknown

http://www.fontbureau.com/designers/?

unknown

http://www.founder.com.cn/cn/bThe

unknown

https://account.dyn.com/

unknown

http://us2.smtp.mailhostbox.com

unknown

http://www.fontbureau.com/designers?

unknown

http://www.tiro.com

unknown

http://www.fontbureau.com/designers

unknown

http://www.goodfont.co.kr

unknown

https://api.ipify.org/t

unknown

http://www.carterandcone.coml

unknown

http://www.sajatypeworks.com

unknown

http://www.typography.netD

unknown

https://www.google.com

unknown

http://www.fontbureau.com/designers/cabarga.htmlN

unknown

http://www.founder.com.cn/cn/cThe

unknown

http://www.galapagosdesign.com/staff/dennis.htm

unknown

https://api.ipify.org

unknown

http://www.founder.com.cn/cn

unknown

http://www.fontbureau.com/designers/frere-user.html

unknown

http://www.jiyu-kobo.co.jp/

unknown

http://www.galapagosdesign.com/DPlease

unknown

http://www.fontbureau.com/designers8

unknown

http://www.fonts.com

unknown

http://www.sandoll.co.kr

unknown

http://www.urwpp.deDPlease

unknown

http://www.zhongyicts.com.cn

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://www.sakkal.com

unknown

There are 25 hidden URLs, click here to show them.

Domains

Name

Malicious

smtp.flying-fish-cn.com

unknown

Details

Name:	smtp.flying-fish-cn.com
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

us2.smtp.mailhostbox.com

208.91.199.225

Details

Name:	us2.smtp.mailhostbox.com
IP:	208.91.199.225
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

104.26.12.205

Details

Name:	api.ipify.org
IP:	104.26.12.205
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

104.26.12.205

api.ipify.org

United States

Details

IP:	104.26.12.205
TargetID:	2
Current Path:	C:\Users\user\Desktop\LisectAVT_2403002A_124.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

208.91.199.225

us2.smtp.mailhostbox.com

United States

Details

IP:	208.91.199.225
TargetID:	2
Current Path:	C:\Users\user\Desktop\LisectAVT_2403002A_124.exe
Country:	United States
Countrycode:	USA
ASN number:	394695
ASN name:	PUBLIC-DOMAIN-REGISTRYUS
Private:	false
Domain:	us2.smtp.mailhostbox.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_124_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_124_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_124_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_124_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_124_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_124_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_124_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_124_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_124_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_124_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_124_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_124_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_124_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\LisectAVT_2403002A_124_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

3341000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

3367000

trusted library allocation

page read and write

44A2000

trusted library allocation

page read and write

3B85000

trusted library allocation

page read and write

152D000

trusted library allocation

page execute and read and write

4319000

trusted library allocation

page read and write

9BD000

trusted library allocation

page execute and read and write

9B3000

trusted library allocation

page read and write

3897000

trusted library allocation

page read and write

DEF000

stack

page read and write

5EA8000

trusted library allocation

page read and write

A85000

heap

page read and write

16BF000

heap

page read and write

6F40000

heap

page read and write

6AAD000

heap

page read and write

1514000

trusted library allocation

page read and write

14F0000

heap

page read and write

31AA000

trusted library allocation

page read and write

5180000

heap

page read and write

5000000

heap

page read and write

31BD000

trusted library allocation

page read and write

5D0E000

stack

page read and write

1682000

trusted library allocation

page read and write

5140000

heap

page read and write

1900000

trusted library allocation

page execute and read and write

A170000

heap

page read and write

2893000

trusted library allocation

page read and write

810000

heap

page read and write

A27000

heap

page read and write

9F8000

heap

page read and write

9C0000

heap

page read and write

7F800000

trusted library allocation

page execute and read and write

4F20000

trusted library allocation

page execute and read and write

A98000

heap

page read and write

A46E000

stack

page read and write

1510000

trusted library allocation

page read and write

6DAE000

stack

page read and write

762E000

stack

page read and write

3326000

trusted library allocation

page read and write

DF7000

heap

page read and write

31AE000

trusted library allocation

page read and write

435D000

trusted library allocation

page read and write

4C84000

trusted library allocation

page read and write

A32000

heap

page read and write

5A8C000

stack

page read and write

3841000

trusted library allocation

page read and write

990000

trusted library allocation

page read and write

7090000

trusted library allocation

page read and write

6912000

trusted library allocation

page read and write

6F5D000

heap

page read and write

333D000

trusted library allocation

page read and write

3190000

trusted library allocation

page read and write

4FB0000

trusted library allocation

page read and write

6F3E000

stack

page read and write

9AD000

trusted library allocation

page execute and read and write

6AB1000

heap

page read and write

816000

heap

page read and write

1338000

stack

page read and write

1520000

trusted library allocation

page read and write

752E000

stack

page read and write

2730000

heap

page read and write

283F000

stack

page read and write

3180000

heap

page execute and read and write

4CA1000

trusted library allocation

page read and write

6F30000

heap

page read and write

2700000

trusted library allocation

page read and write

2640000

trusted library allocation

page read and write

73C0000

trusted library allocation

page read and write

4D60000

trusted library allocation

page read and write

7057000

trusted library allocation

page read and write

1695000

trusted library allocation

page execute and read and write

516E000

heap

page read and write

26DB000

stack

page read and write

9D6000

trusted library allocation

page execute and read and write

6F59000

heap

page read and write

32EE000

stack

page read and write

9FE000

heap

page read and write

2645000

trusted library allocation

page read and write

31B1000

trusted library allocation

page read and write

5010000

trusted library section

page read and write

1690000

trusted library allocation

page read and write

6AAF000

heap

page read and write

6F50000

heap

page read and write

1680000

trusted library allocation

page read and write

7590000

heap

page read and write

7050000

trusted library allocation

page read and write

5EBD000

trusted library allocation

page read and write

3110000

trusted library allocation

page read and write

A9B000

heap

page read and write

4FD5000

heap

page read and write

7400000

heap

page read and write

6FFE000

stack

page read and write

6A3B000

heap

page read and write

1728000

heap

page read and write

3100000

trusted library allocation

page read and write

169B000

trusted library allocation

page execute and read and write

263E000

stack

page read and write

172D000

heap

page read and write

ABE000

heap

page read and write

7030000

trusted library allocation

page execute and read and write

26F0000

trusted library allocation

page execute and read and write

6A78000

heap

page read and write

28B0000

trusted library allocation

page read and write

A19000

heap

page read and write

656F000

stack

page read and write

7050000

trusted library allocation

page read and write

A36F000

stack

page read and write

5B8C000

stack

page read and write

7410000

trusted library allocation

page execute and read and write

4C9E000

trusted library allocation

page read and write

1917000

heap

page read and write

3140000

heap

page execute and read and write

7880000

trusted library section

page read and write

6ABA000

heap

page read and write

151D000

trusted library allocation

page execute and read and write

74EF000

stack

page read and write

A6B000

heap

page read and write

5903000

heap

page read and write

1692000

trusted library allocation

page read and write

6A30000

heap

page read and write

96E000

stack

page read and write

5130000

heap

page read and write

319E000

trusted library allocation

page read and write

493C000

stack

page read and write

532E000

stack

page read and write

3849000

trusted library allocation

page read and write

38E5000

trusted library allocation

page read and write

4F80000

trusted library section

page readonly

1697000

trusted library allocation

page execute and read and write

6F60000

trusted library allocation

page execute and read and write

2841000

trusted library allocation

page read and write

6C6E000

stack

page read and write

70ED000

stack

page read and write

26E0000

heap

page execute and read and write

CEF000

stack

page read and write

DF0000

heap

page read and write

1535000

heap

page read and write

31B6000

trusted library allocation

page read and write

4FD0000

heap

page read and write

73EE000

stack

page read and write

9E2000

trusted library allocation

page read and write

4CC5000

trusted library allocation

page read and write

268D000

stack

page read and write

70A0000

trusted library allocation

page execute and read and write

176A000

heap

page read and write

6F6F000

heap

page read and write

4F90000

heap

page read and write

8BBF000

stack

page read and write

68F0000

trusted library allocation

page read and write

31A2000

trusted library allocation

page read and write

A34000

heap

page read and write

512D000

stack

page read and write

A16D000

stack

page read and write

2710000

trusted library allocation

page read and write

123A000

stack

page read and write

5EB0000

trusted library allocation

page read and write

177D000

heap

page read and write

4CD0000

trusted library allocation

page read and write

9B0000

trusted library allocation

page read and write

4D80000

heap

page read and write

16A0000

heap

page read and write

5330000

trusted library section

page read and write

4D40000

trusted library allocation

page read and write

5900000

heap

page read and write

168A000

trusted library allocation

page execute and read and write

3124000

trusted library allocation

page read and write

7FE000

stack

page read and write

1390000

heap

page read and write

63A000

stack

page read and write

6CAE000

stack

page read and write

1500000

trusted library allocation

page read and write

7B0000

heap

page read and write

5CCE000

stack

page read and write

8918000

trusted library allocation

page read and write

4CB2000

trusted library allocation

page read and write

1910000

heap

page read and write

6A2E000

stack

page read and write

32F1000

trusted library allocation

page read and write

4FA0000

heap

page read and write

400000

remote allocation

page execute and read and write

4D30000

heap

page read and write

9E7000

trusted library allocation

page execute and read and write

7040000

trusted library allocation

page read and write

3130000

trusted library allocation

page read and write

16D7000

heap

page read and write

72CE000

stack

page read and write

4F7C000

stack

page read and write

3A1E000

trusted library allocation

page read and write

6EEF000

stack

page read and write

5E4E000

stack

page read and write

2F0000

unkown

page readonly

73D0000

trusted library allocation

page read and write

16A8000

heap

page read and write

548D000

stack

page read and write

25FE000

stack

page read and write

4D83000

heap

page read and write

25B0000

trusted library allocation

page read and write

52F8000

trusted library allocation

page read and write

2875000

trusted library allocation

page read and write

4CC0000

trusted library allocation

page read and write

7040000

trusted library allocation

page execute and read and write

31E0000

heap

page read and write

BEE000

stack

page read and write

4C8B000

trusted library allocation

page read and write

7A0000

heap

page read and write

42F1000

trusted library allocation

page read and write

3120000

trusted library allocation

page read and write

18FE000

stack

page read and write

6F50000

trusted library allocation

page read and write

4D50000

trusted library allocation

page execute and read and write

4FE0000

trusted library allocation

page execute and read and write

1513000

trusted library allocation

page execute and read and write

692D000

stack

page read and write

5EA0000

trusted library allocation

page read and write

6EF7000

trusted library allocation

page read and write

5020000

heap

page execute and read and write

9DA000

trusted library allocation

page execute and read and write

4C80000

trusted library allocation

page read and write

6CF0000

heap

page read and write

5BCE000

stack

page read and write

57D0000

heap

page read and write

5E0E000

stack

page read and write

2720000

trusted library allocation

page read and write

16D5000

heap

page read and write

9F0000

heap

page read and write

6B6D000

stack

page read and write

14B0000

heap

page read and write

4CF0000

trusted library allocation

page read and write

737000

stack

page read and write

6DEE000

stack

page read and write

1686000

trusted library allocation

page execute and read and write

6EF0000

trusted library allocation

page read and write

68EE000

stack

page read and write

6E2E000

stack

page read and write

92E000

stack

page read and write

319B000

trusted library allocation

page read and write

4D42000

trusted library allocation

page read and write

3933000

trusted library allocation

page read and write

9EB000

trusted library allocation

page execute and read and write

67EE000

stack

page read and write

9A0000

trusted library allocation

page read and write

6F2E000

stack

page read and write

52EE000

stack

page read and write

58F0000

heap

page read and write

1530000

heap

page read and write

4CAD000

trusted library allocation

page read and write

9D2000

trusted library allocation

page read and write

2F2000

unkown

page readonly

16CB000

heap

page read and write

18B0000

trusted library allocation

page read and write

9D0000

trusted library allocation

page read and write

30FC000

stack

page read and write

4FC0000

trusted library allocation

page read and write

4CA6000

trusted library allocation

page read and write

3B41000

trusted library allocation

page read and write

9A3000

trusted library allocation

page execute and read and write

9A4000

trusted library allocation

page read and write

332F000

trusted library allocation

page read and write

There are 249 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
LisectAVT_2403002A_124.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportLisectAVT_2403002A_124.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
LisectAVT_2403002A_124.exe