Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

LisectAVT_2403002A_1.exe

PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy:	7.651089318341196
Filename:	LisectAVT_2403002A_1.exe
Filesize:	706570
MD5:	b482f2939a99aa59a86f1897ae6a259f
SHA1:	a6785b567dcd1f65785cc26c4e7c5d58884b5e3f
SHA256:	5e367e602750bb9f6815450f43c4c36ae9734730835839ec85b9ef2b926f16ee
SHA512:	a31a68e29f5ed846fc266ef4fa8b470af686ab7566c1854475685428f9a87995c479355106f554e075560f207c70bea1870133376f81c117d5d30d2ba1596c8c
SSDEEP:	12288:0YV6MorX7qzuC3QHO9FQVHPF51jgc++he0u2Y/ygAkcCMBM:zBXu9HGaVHRhe9ygjZ
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Binary is likely a compiled AutoIt script file	System Summary	Virtualization/Sandbox Evasion
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Native API Access Token Manipulation
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Process Discovery
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Process Discovery Encrypted Channel
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found evasive API chain (date check)	Malware Analysis System Evasion
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Sample file is different than original file name gathered from version info	System Summary	System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
Contains functionality for error logging	System Summary
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
Program exit points	Malware Analysis System Evasion
Reads software policies	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Temp\atule

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\atule
Category:	dropped
Dump:	atule.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\LisectAVT_2403002A_1.exe
Type:	data
Entropy:	6.5692091423954775
Encrypted:	false
Ssdeep:	6144:340hDF0ppMjMgOMiLADlGqcj0Yi/EL4R195Ik5m:3foikAJGqcj/Ui4Rl5m
Size:	244224
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\aut1D2B.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut1D2B.tmp
Category:	dropped
Dump:	aut1D2B.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\LisectAVT_2403002A_1.exe
Type:	data
Entropy:	7.836539941415579
Encrypted:	false
Ssdeep:	3072:AQ5Wd2gfUuNLYYaR1Uhn9giCKsOOtpXDvK/qNSPh/4x0saYrK1H8jW2+2:XWdPoRSnlCKkPDHMPhPfH8CQ
Size:	139266
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\aut1D8A.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut1D8A.tmp
Category:	dropped
Dump:	aut1D8A.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\LisectAVT_2403002A_1.exe
Type:	data
Entropy:	7.719976035566066
Encrypted:	false
Ssdeep:	192:LDIZM0On/nSF/ZaZgUMBLJmf4stSNYwohCcjM99nwSjGn/NtiIz/CfJiXFTfm:LDIDuM/ZaZgrBLJstSNZMU9nwjiIrCZ
Size:	11724
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\prespecialist

Unicode text, UTF-8 text, with very long lines (29698), with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\prespecialist
Category:	dropped
Dump:	prespecialist.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\LisectAVT_2403002A_1.exe
Type:	Unicode text, UTF-8 text, with very long lines (29698), with no line terminators
Entropy:	3.238172498467149
Encrypted:	false
Ssdeep:	768:XXcPkTPWdJr8zeXleLfeO/VyVfC97ZmJtH:nDqdJr8zgleLfeO/Uo97ZmJtH
Size:	59396
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

"C:\Users\user\Desktop\LisectAVT_2403002A_1.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6300
Target ID:	0
Parent PID:	1028
Name:	LisectAVT_2403002A_1.exe
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_1.exe
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_1.exe"
Size:	706570
MD5:	B482F2939A99AA59A86F1897AE6A259F
Time:	18:35:09
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x280000
Modulesize:	1593344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Binary is likely a compiled AutoIt script file	System Summary
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\LisectAVT_2403002A_1.exe"

Details

Is windows:	true
Is dropped:	false
PID:	2704
Target ID:	2
Parent PID:	6300
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_1.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	18:35:12
Date:	25/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x10000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\LisectAVT_2403002A_1.exe
Source:	LisectAVT_2403002A_1.exe, 00000000.00000002.2069328083.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3292761755.0000000000402000.00000040.80000000.00040000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.3293827231.0000000002391000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3293827231.0000000002458000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://ip-api.com/line/?fields=hosting

208.95.112.1

Details

Name:	http://ip-api.com/line/?fields=hosting
IP:	208.95.112.1
TargetID:	2
From Memory:	false
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking

http://ip-api.com

unknown

Details

Name:	http://ip-api.com
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.3293827231.0000000002472000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3293827231.0000000002391000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3293827231.0000000002458000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Check if machine is in data center or colocation facility	Malware Analysis System Evasion	Security Software Discovery
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

208.95.112.1

ip-api.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

3FD0000

direct allocation

page read and write

402000

system

page execute and read and write

860000

trusted library allocation

page read and write

2482000

trusted library allocation

page read and write

42D9000

direct allocation

page read and write

33B9000

trusted library allocation

page read and write

4A50000

heap

page read and write

4D0000

heap

page read and write

1714000

heap

page read and write

58BF000

stack

page read and write

1905000

heap

page read and write

4EDE000

stack

page read and write

2380000

heap

page read and write

4FBE000

stack

page read and write

2472000

trusted library allocation

page read and write

1821000

heap

page read and write

2480000

trusted library allocation

page read and write

1A9000

stack

page read and write

1820000

heap

page read and write

F70000

heap

page read and write

2391000

trusted library allocation

page read and write

4060000

direct allocation

page read and write

460000

heap

page read and write

15CE000

stack

page read and write

358000

unkown

page execute and write copy

5C00000

trusted library allocation

page execute and read and write

4329000

direct allocation

page read and write

FDE000

stack

page read and write

434E000

direct allocation

page read and write

940000

trusted library allocation

page read and write

4F0000

heap

page read and write

8EE000

stack

page read and write

2406000

trusted library allocation

page read and write

42D9000

direct allocation

page read and write

4010000

direct allocation

page read and write

1905000

heap

page read and write

33F9000

trusted library allocation

page read and write

844000

trusted library allocation

page read and write

2452000

trusted library allocation

page read and write

2320000

trusted library allocation

page read and write

2458000

trusted library allocation

page read and write

1916000

heap

page read and write

1820000

heap

page read and write

42DD000

direct allocation

page read and write

400000

system

page execute and read and write

866000

trusted library allocation

page execute and read and write

24A2000

trusted library allocation

page read and write

432D000

direct allocation

page read and write

85D000

trusted library allocation

page execute and read and write

84D000

trusted library allocation

page execute and read and write

58C8000

heap

page read and write

2494000

trusted library allocation

page read and write

3AF000

unkown

page read and write

17D0000

heap

page read and write

5D00000

heap

page read and write

439E000

direct allocation

page read and write

235A000

trusted library allocation

page read and write

92C000

stack

page read and write

1710000

heap

page read and write

1822000

heap

page read and write

5C50000

trusted library allocation

page execute and read and write

966000

heap

page read and write

850000

trusted library allocation

page read and write

559000

heap

page read and write

41B0000

direct allocation

page read and write

4880000

heap

page read and write

24E0000

heap

page read and write

1916000

heap

page read and write

54A000

heap

page read and write

1916000

heap

page read and write

4133000

direct allocation

page read and write

33F000

unkown

page execute and read and write

4133000

direct allocation

page read and write

432D000

direct allocation

page read and write

2490000

trusted library allocation

page read and write

235E000

trusted library allocation

page read and write

335000

unkown

page execute and read and write

4329000

direct allocation

page read and write

7F650000

trusted library allocation

page execute and read and write

1848000

heap

page read and write

4183000

direct allocation

page read and write

5E5000

heap

page read and write

2310000

trusted library allocation

page read and write

1FCE000

stack

page read and write

180D000

heap

page read and write

53E000

heap

page read and write

862000

trusted library allocation

page read and write

520000

heap

page read and write

4010000

direct allocation

page read and write

4B0000

heap

page read and write

58C0000

heap

page read and write

3391000

trusted library allocation

page read and write

5000000

trusted library allocation

page read and write

5C20000

trusted library allocation

page read and write

4060000

direct allocation

page read and write

1700000

heap

page read and write

1849000

heap

page read and write

4200000

direct allocation

page read and write

1905000

heap

page read and write

182F000

heap

page read and write

17D7000

heap

page read and write

5C30000

trusted library allocation

page read and write

2366000

trusted library allocation

page read and write

872000

trusted library allocation

page read and write

41B0000

direct allocation

page read and write

42D9000

direct allocation

page read and write

830000

trusted library allocation

page read and write

5C27000

trusted library allocation

page read and write

F6E000

stack

page read and write

4200000

direct allocation

page read and write

18F5000

heap

page read and write

950000

trusted library allocation

page read and write

281000

unkown

page execute and read and write

528000

heap

page read and write

452E000

stack

page read and write

87B000

trusted library allocation

page execute and read and write

4010000

direct allocation

page read and write

2361000

trusted library allocation

page read and write

23C5000

trusted library allocation

page read and write

23CE000

stack

page read and write

4FFE000

stack

page read and write

4A40000

heap

page read and write

5FC000

heap

page read and write

4F5000

heap

page read and write

1916000

heap

page read and write

15DB000

stack

page read and write

18CB000

heap

page read and write

1848000

heap

page read and write

3399000

trusted library allocation

page read and write

2340000

trusted library allocation

page read and write

4DDD000

stack

page read and write

1848000

heap

page read and write

49BC000

stack

page read and write

49D0000

heap

page execute and read and write

1810000

heap

page read and write

960000

heap

page read and write

18F6000

heap

page read and write

5C17000

trusted library allocation

page read and write

41B0000

direct allocation

page read and write

234B000

trusted library allocation

page read and write

86A000

trusted library allocation

page execute and read and write

1848000

heap

page read and write

234E000

trusted library allocation

page read and write

42DD000

direct allocation

page read and write

4133000

direct allocation

page read and write

15FC000

stack

page read and write

1810000

heap

page read and write

5C40000

trusted library allocation

page read and write

15BE000

stack

page read and write

434E000

direct allocation

page read and write

4C5E000

stack

page read and write

42DD000

direct allocation

page read and write

55B000

heap

page read and write

4B5C000

stack

page read and write

2330000

heap

page execute and read and write

1820000

heap

page read and write

247C000

trusted library allocation

page read and write

843000

trusted library allocation

page execute and read and write

4200000

direct allocation

page read and write

8A0000

trusted library allocation

page read and write

4398000

trusted library allocation

page read and write

A9000

stack

page read and write

5CE0000

trusted library allocation

page read and write

F20000

heap

page read and write

280000

unkown

page readonly

1805000

heap

page read and write

432D000

direct allocation

page read and write

930000

trusted library allocation

page execute and read and write

1848000

heap

page read and write

4183000

direct allocation

page read and write

4C9E000

stack

page read and write

EBA000

stack

page read and write

17B0000

direct allocation

page execute and read and write

1915000

heap

page read and write

1806000

heap

page read and write

24A9000

trusted library allocation

page read and write

4D9E000

stack

page read and write

1907000

heap

page read and write

434E000

direct allocation

page read and write

890000

heap

page read and write

2352000

trusted library allocation

page read and write

4060000

direct allocation

page read and write

4329000

direct allocation

page read and write

5B3000

heap

page read and write

1848000

heap

page read and write

3AE000

unkown

page execute and write copy

1915000

heap

page read and write

1916000

heap

page read and write

840000

trusted library allocation

page read and write

3AF000

unkown

page write copy

877000

trusted library allocation

page execute and read and write

1848000

heap

page read and write

5C10000

trusted library allocation

page read and write

246C000

trusted library allocation

page read and write

F90000

heap

page read and write

439E000

direct allocation

page read and write

182F000

heap

page read and write

4183000

direct allocation

page read and write

1848000

heap

page read and write

1848000

heap

page read and write

230E000

stack

page read and write

373000

unkown

page execute and read and write

1905000

heap

page read and write

5BFE000

stack

page read and write

18CB000

heap

page read and write

236D000

trusted library allocation

page read and write

439E000

direct allocation

page read and write

3A8000

unkown

page execute and read and write

1848000

heap

page read and write

5CD0000

heap

page read and write

4A2E000

stack

page read and write

280000

unkown

page readonly

4A53000

heap

page read and write

18CB000

heap

page read and write

43E000

system

page execute and read and write

18F6000

heap

page read and write

There are 206 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
LisectAVT_2403002A_1.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportLisectAVT_2403002A_1.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
LisectAVT_2403002A_1.exe