Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

ynhHNexysa.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.848719392804634
Filename:	ynhHNexysa.exe
Filesize:	671744
MD5:	3d33cbde84d0a1197ec0d459d634473e
SHA1:	abd0074c5b2eed8fbab4d30443ceac4b403ad09d
SHA256:	33647cf1d7ba05386d44a608a94979925883f8e8c0e5f63b3f2e7ffdc7380461
SHA512:	36f31309dddf020fd9fee7c44d8847924c4f8a9306a7f04dfa15fd2b73645c982f98d4b7a616b2b31d4b3c14510f2858608beda519eb8475780b544a4eedcea1
SSDEEP:	12288:6ChcU7r3FL0YtcCCvLLgov4CnDUOt7TDM2DG0oSb3fqEVzXfmhujHeis3c:Jco3FYYtajLX4stTA2DGbSeEUh+ei8c
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0......@......B.... ........@.. ... ...................@... ........@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
.NET source code contains potential unpacker	Data Obfuscation
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation Virtualization/Sandbox Evasion Security Software Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary	System Information Discovery
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ynhHNexysa.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ynhHNexysa.exe.log
Category:	dropped
Dump:	ynhHNexysa.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\ynhHNexysa.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\ynhHNexysa.exe

"C:\Users\user\Desktop\ynhHNexysa.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2412
Target ID:	0
Parent PID:	1028
Name:	ynhHNexysa.exe
Path:	C:\Users\user\Desktop\ynhHNexysa.exe
Commandline:	"C:\Users\user\Desktop\ynhHNexysa.exe"
Size:	671744
MD5:	3D33CBDE84D0A1197EC0D459D634473E
Time:	01:29:54
Date:	26/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc50000
Modulesize:	671744
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\ynhHNexysa.exe

"C:\Users\user\Desktop\ynhHNexysa.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2796
Target ID:	3
Parent PID:	2412
Name:	ynhHNexysa.exe
Path:	C:\Users\user\Desktop\ynhHNexysa.exe
Commandline:	"C:\Users\user\Desktop\ynhHNexysa.exe"
Size:	671744
MD5:	3D33CBDE84D0A1197EC0D459D634473E
Time:	01:29:56
Date:	26/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x410000
Modulesize:	671744
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\ynhHNexysa.exe

"C:\Users\user\Desktop\ynhHNexysa.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6104
Target ID:	4
Parent PID:	2412
Name:	ynhHNexysa.exe
Path:	C:\Users\user\Desktop\ynhHNexysa.exe
Commandline:	"C:\Users\user\Desktop\ynhHNexysa.exe"
Size:	671744
MD5:	3D33CBDE84D0A1197EC0D459D634473E
Time:	01:29:56
Date:	26/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x110000
Modulesize:	671744
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\ynhHNexysa.exe

"C:\Users\user\Desktop\ynhHNexysa.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2684
Target ID:	5
Parent PID:	2412
Name:	ynhHNexysa.exe
Path:	C:\Users\user\Desktop\ynhHNexysa.exe
Commandline:	"C:\Users\user\Desktop\ynhHNexysa.exe"
Size:	671744
MD5:	3D33CBDE84D0A1197EC0D459D634473E
Time:	01:29:56
Date:	26/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x670000
Modulesize:	671744
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://api.ipify.org/

172.67.74.152

Details

Name:	https://api.ipify.org/
IP:	172.67.74.152
TargetID:	5
From Memory:	false
Current Path:	C:\Users\user\Desktop\ynhHNexysa.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

http://smtp.jlahuachem.com

unknown

https://api.ipify.org

unknown

Details

Name:	https://api.ipify.org
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\ynhHNexysa.exe
Source:	ynhHNexysa.exe, 00000000.00000002.2065195598.0000000003FA9000.00000004.00000800.00020000.00000000.sdmp, ynhHNexysa.exe, 00000000.00000002.2065195598.0000000004024000.00000004.00000800.00020000.00000000.sdmp, ynhHNexysa.exe, 00000005.00000002.4495357530.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, ynhHNexysa.exe, 00000005.00000002.4492696673.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://tempuri.org/dxsss.xsd

unknown

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\ynhHNexysa.exe
Source:	ynhHNexysa.exe, 00000000.00000002.2065195598.0000000003FA9000.00000004.00000800.00020000.00000000.sdmp, ynhHNexysa.exe, 00000000.00000002.2065195598.0000000004024000.00000004.00000800.00020000.00000000.sdmp, ynhHNexysa.exe, 00000005.00000002.4492696673.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.ipify.org/t

unknown

http://us2.smtp.mailhostbox.com

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Domains

Name

Malicious

smtp.jlahuachem.com

unknown

Details

Name:	smtp.jlahuachem.com
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

us2.smtp.mailhostbox.com

208.91.199.225

Details

Name:	us2.smtp.mailhostbox.com
IP:	208.91.199.225
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

172.67.74.152

Details

Name:	api.ipify.org
IP:	172.67.74.152
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

208.91.198.143

unknown

United States

Details

IP:	208.91.198.143
TargetID:	5
Current Path:	C:\Users\user\Desktop\ynhHNexysa.exe
Country:	United States
Countrycode:	USA
ASN number:	394695
ASN name:	PUBLIC-DOMAIN-REGISTRYUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses SMTP (mail sending)	Networking	Application Layer Protocol

208.91.199.225

us2.smtp.mailhostbox.com

United States

Details

IP:	208.91.199.225
TargetID:	5
Current Path:	C:\Users\user\Desktop\ynhHNexysa.exe
Country:	United States
Countrycode:	USA
ASN number:	394695
ASN name:	PUBLIC-DOMAIN-REGISTRYUS
Private:	false
Domain:	us2.smtp.mailhostbox.com

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

208.91.199.223

unknown

United States

Details

IP:	208.91.199.223
TargetID:	5
Current Path:	C:\Users\user\Desktop\ynhHNexysa.exe
Country:	United States
Countrycode:	USA
ASN number:	394695
ASN name:	PUBLIC-DOMAIN-REGISTRYUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses SMTP (mail sending)	Networking	Application Layer Protocol

208.91.199.224

unknown

United States

Details

IP:	208.91.199.224
TargetID:	5
Current Path:	C:\Users\user\Desktop\ynhHNexysa.exe
Country:	United States
Countrycode:	USA
ASN number:	394695
ASN name:	PUBLIC-DOMAIN-REGISTRYUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses SMTP (mail sending)	Networking	Application Layer Protocol

172.67.74.152

api.ipify.org

United States

Details

IP:	172.67.74.152
TargetID:	5
Current Path:	C:\Users\user\Desktop\ynhHNexysa.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ynhHNexysa_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ynhHNexysa_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ynhHNexysa_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ynhHNexysa_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ynhHNexysa_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ynhHNexysa_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ynhHNexysa_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ynhHNexysa_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ynhHNexysa_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ynhHNexysa_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ynhHNexysa_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ynhHNexysa_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ynhHNexysa_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ynhHNexysa_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2AB5000

trusted library allocation

page read and write

2A91000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

3FA9000

trusted library allocation

page read and write

4024000

trusted library allocation

page read and write

1620000

trusted library allocation

page execute and read and write

2F40000

heap

page read and write

732E000

stack

page read and write

29EA000

trusted library allocation

page read and write

5AB0000

heap

page read and write

71F0000

heap

page read and write

75F0000

trusted library allocation

page read and write

28BC000

stack

page read and write

29DE000

trusted library allocation

page read and write

DE5000

heap

page read and write

D8A000

stack

page read and write

5680000

heap

page read and write

54E0000

trusted library allocation

page read and write

2A8D000

trusted library allocation

page read and write

D94000

heap

page read and write

5630000

trusted library allocation

page execute and read and write

CB0000

heap

page read and write

2F60000

trusted library allocation

page read and write

2F70000

heap

page read and write

B20000

heap

page read and write

D10000

trusted library allocation

page read and write

62D0000

heap

page read and write

3AA7000

trusted library allocation

page read and write

15C3000

trusted library allocation

page execute and read and write

5670000

trusted library allocation

page read and write

D04000

trusted library allocation

page read and write

7A9000

stack

page read and write

29E2000

trusted library allocation

page read and write

28C0000

heap

page execute and read and write

66DD000

stack

page read and write

F97000

heap

page read and write

54F5000

trusted library allocation

page read and write

679E000

stack

page read and write

2ACF000

trusted library allocation

page read and write

F3B000

trusted library allocation

page execute and read and write

6364000

heap

page read and write

3A69000

trusted library allocation

page read and write

EBE000

stack

page read and write

4F30000

heap

page read and write

54C6000

trusted library allocation

page read and write

A4DD000

stack

page read and write

5580000

trusted library allocation

page read and write

54D2000

trusted library allocation

page read and write

C50000

unkown

page readonly

F37000

trusted library allocation

page execute and read and write

2A05000

trusted library allocation

page read and write

5A80000

heap

page read and write

2E3E000

stack

page read and write

5570000

heap

page read and write

A81E000

stack

page read and write

75FB000

trusted library allocation

page read and write

D03000

trusted library allocation

page execute and read and write

15F7000

trusted library allocation

page execute and read and write

287E000

stack

page read and write

604E000

stack

page read and write

7440000

heap

page read and write

A5DD000

stack

page read and write

2A7F000

trusted library allocation

page read and write

5640000

trusted library allocation

page read and write

50E3000

heap

page read and write

B45000

heap

page read and write

C20000

trusted library allocation

page execute and read and write

7F350000

trusted library allocation

page execute and read and write

5A20000

trusted library allocation

page execute and read and write

6510000

heap

page read and write

C30000

trusted library allocation

page read and write

10F7000

stack

page read and write

15FB000

trusted library allocation

page execute and read and write

128A000

heap

page read and write

2A41000

trusted library allocation

page read and write

158E000

stack

page read and write

D5A000

heap

page read and write

3F81000

trusted library allocation

page read and write

2A02000

trusted library allocation

page read and write

54CD000

trusted library allocation

page read and write

D26000

trusted library allocation

page execute and read and write

567E000

stack

page read and write

15E6000

trusted library allocation

page execute and read and write

1340000

heap

page read and write

D30000

heap

page read and write

DB9000

heap

page read and write

15F0000

trusted library allocation

page read and write

15CD000

trusted library allocation

page execute and read and write

6520000

trusted library allocation

page read and write

A25E000

stack

page read and write

5A75000

heap

page read and write

532C000

stack

page read and write

1234000

heap

page read and write

6680000

trusted library allocation

page read and write

6700000

trusted library allocation

page execute and read and write

5030000

heap

page execute and read and write

75E0000

trusted library allocation

page read and write

54A0000

trusted library allocation

page read and write

1640000

trusted library allocation

page read and write

54BE000

trusted library allocation

page read and write

F32000

trusted library allocation

page read and write

D67000

heap

page read and write

A39E000

stack

page read and write

7FDB0000

trusted library allocation

page execute and read and write

C50000

trusted library allocation

page read and write

148E000

stack

page read and write

2C52000

trusted library allocation

page read and write

2C46000

trusted library allocation

page read and write

15F2000

trusted library allocation

page read and write

15C0000

trusted library allocation

page read and write

5582000

trusted library allocation

page read and write

54A4000

trusted library allocation

page read and write

8DCE000

stack

page read and write

1227000

heap

page read and write

A85E000

stack

page read and write

56CB000

stack

page read and write

78F2000

trusted library allocation

page read and write

2A14000

trusted library allocation

page read and write

CF7000

heap

page read and write

29DB000

trusted library allocation

page read and write

29FD000

trusted library allocation

page read and write

D20000

trusted library allocation

page read and write

56D0000

trusted library section

page readonly

C60000

trusted library allocation

page read and write

5A30000

trusted library allocation

page read and write

F90000

heap

page read and write

4BDE000

stack

page read and write

1630000

heap

page execute and read and write

6529000

trusted library allocation

page read and write

650E000

stack

page read and write

7462000

heap

page read and write

3016000

trusted library allocation

page read and write

6690000

trusted library allocation

page read and write

7600000

trusted library allocation

page execute and read and write

542E000

stack

page read and write

54C1000

trusted library allocation

page read and write

15E2000

trusted library allocation

page read and write

2C48000

trusted library allocation

page read and write

A49E000

stack

page read and write

11FA000

heap

page read and write

144E000

stack

page read and write

5C30000

trusted library allocation

page read and write

B40000

heap

page read and write

D65000

heap

page read and write

3BD5000

trusted library allocation

page read and write

2A76000

trusted library allocation

page read and write

B10000

heap

page read and write

C58000

trusted library allocation

page read and write

1224000

heap

page read and write

1657000

heap

page read and write

D0D000

trusted library allocation

page execute and read and write

DB3000

heap

page read and write

3060000

trusted library allocation

page read and write

CE0000

trusted library allocation

page read and write

4FFE000

stack

page read and write

D38000

heap

page read and write

1231000

heap

page read and write

109E000

stack

page read and write

2A30000

heap

page read and write

F70000

trusted library allocation

page read and write

2AC4000

trusted library allocation

page read and write

F60000

trusted library allocation

page execute and read and write

29F6000

trusted library allocation

page read and write

15C4000

trusted library allocation

page read and write

12B6000

heap

page read and write

6697000

trusted library allocation

page read and write

62FA000

heap

page read and write

5870000

heap

page read and write

5520000

trusted library allocation

page read and write

2C0A000

trusted library allocation

page read and write

11E0000

heap

page read and write

D00000

trusted library allocation

page read and write

A71E000

stack

page read and write

54AB000

trusted library allocation

page read and write

742E000

stack

page read and write

29D6000

trusted library allocation

page read and write

11F0000

heap

page read and write

E60000

heap

page read and write

7560000

trusted library section

page read and write

29CF000

stack

page read and write

F50000

trusted library allocation

page read and write

E40000

trusted library allocation

page execute and read and write

D2A000

trusted library allocation

page execute and read and write

515C000

stack

page read and write

5A90000

heap

page read and write

640E000

stack

page read and write

A35E000

stack

page read and write

C40000

trusted library allocation

page execute and read and write

50DE000

stack

page read and write

2C17000

trusted library allocation

page read and write

F35000

trusted library allocation

page execute and read and write

507C000

stack

page read and write

1610000

trusted library allocation

page read and write

2A20000

trusted library allocation

page read and write

D4E000

heap

page read and write

656E000

stack

page read and write

F80000

trusted library allocation

page read and write

C70000

trusted library allocation

page read and write

C52000

unkown

page readonly

5860000

heap

page read and write

CF0000

heap

page read and write

415E000

trusted library allocation

page read and write

54F0000

trusted library allocation

page read and write

D1D000

trusted library allocation

page execute and read and write

7430000

heap

page read and write

56E0000

heap

page read and write

3F89000

trusted library allocation

page read and write

2C39000

trusted library allocation

page read and write

29D0000

trusted library allocation

page read and write

132E000

stack

page read and write

1100000

heap

page read and write

5C20000

trusted library section

page read and write

3A41000

trusted library allocation

page read and write

2FC5000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

5BF0000

trusted library allocation

page read and write

15DD000

trusted library allocation

page execute and read and write

668D000

trusted library allocation

page read and write

5540000

heap

page execute and read and write

50E0000

heap

page read and write

DE0000

heap

page read and write

505B000

stack

page read and write

15E0000

trusted library allocation

page read and write

666F000

stack

page read and write

2A10000

trusted library allocation

page read and write

A95E000

stack

page read and write

6384000

heap

page read and write

4FBE000

stack

page read and write

5A60000

trusted library allocation

page execute and read and write

5A1E000

stack

page read and write

E30000

heap

page read and write

DCC000

heap

page read and write

6320000

heap

page read and write

2F81000

trusted library allocation

page read and write

2F3F000

stack

page read and write

29F1000

trusted library allocation

page read and write

4A48000

trusted library allocation

page read and write

15D0000

trusted library allocation

page read and write

1650000

heap

page read and write

D22000

trusted library allocation

page read and write

A21F000

stack

page read and write

DDE000

heap

page read and write

15EA000

trusted library allocation

page execute and read and write

15D3000

trusted library allocation

page read and write

5683000

heap

page read and write

29EE000

trusted library allocation

page read and write

5500000

trusted library allocation

page read and write

5C10000

trusted library section

page read and write

A5E0000

heap

page read and write

5A70000

heap

page read and write

7627000

trusted library allocation

page read and write

66E0000

heap

page read and write

11FE000

heap

page read and write

AF9000

stack

page read and write

15B0000

trusted library allocation

page read and write

There are 245 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
ynhHNexysa.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportynhHNexysa.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
ynhHNexysa.exe