Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Offer 2024-30496.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	0.19431788377763193
Filename:	Offer 2024-30496.exe
Filesize:	73400320
MD5:	ab64db1f849b146e66310ae4533bae41
SHA1:	dfeddf8068abf927b764f81759ca840e9dfaf52d
SHA256:	b1b41226d170c28b22a37e77ae8c81accdd3c192fc5847bbde50b48a4fbb34c6
SHA512:	b4df4dbcac88cb96baea463624ab8eeabc64a5ef04128bea479814b882b241d4eab923ac4c77b9b29ae8e65911c9ad9633aec2ccc35de0695a5ce731820809f5
SSDEEP:	24576:EqDEvCTbMWu7rQYlBQcBiT6rprG8aE1/XkV/+:ETvC/MTQYxsWR7aE1/X
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection	Disable or Modify Tools
Binary is likely a compiled AutoIt script file	System Summary
Found API chain indicative of sandbox detection	Malware Analysis System Evasion	Disable or Modify Tools System Time Discovery
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection Disable or Modify Tools
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion	Security Software Discovery
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging	Disable or Modify Tools
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts Access Token Manipulation Disable or Modify Tools
Contains functionality to launch a process as a different user	System Summary	Native API
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	Disable or Modify Tools
Contains functionality to read the PEB	Anti Debugging
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Detected potential crypto function	System Summary	System Time Discovery Archive Collected Data Encrypted Channel
Found large amount of non-executed APIs	Malware Analysis System Evasion	System Time Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Disable or Modify Tools System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools Input Capture
Sample file is different than original file name gathered from version info	System Summary	System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Disable or Modify Tools
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary	Disable or Modify Tools
.NET source code contains calls to encryption/decryption functions	System Summary
Contains functionality for error logging	System Summary	Disable or Modify Tools
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Disable or Modify Tools
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary	Disable or Modify Tools
Tries to load missing DLLs	System Summary	DLL Side-Loading Disable or Modify Tools
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary	Disable or Modify Tools

C:\Users\user\AppData\Local\Temp\Hezron

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Hezron
Category:	dropped
Dump:	Hezron.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Offer 2024-30496.exe
Type:	data
Entropy:	6.784760282767791
Encrypted:	false
Ssdeep:	3072:5pK0886gkpsimP2C+wDGnql0N5cogJBDPwd3Z1G4b:af0kPuogJBLw/A4b
Size:	135168
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\aut7867.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut7867.tmp
Category:	dropped
Dump:	aut7867.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Offer 2024-30496.exe
Type:	data
Entropy:	7.912635002456745
Encrypted:	false
Ssdeep:	1536:h6Ptvk6OZeOFF2eyDQ8GjkivpOP/PecH+Ud2/qgJ/Bhj28ui90cV:EPtv5OwFeyDQ3jvOP3eO+UdJgf28ui9T
Size:	88398
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\aut78D6.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut78D6.tmp
Category:	dropped
Dump:	aut78D6.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\Offer 2024-30496.exe
Type:	data
Entropy:	7.818095769091543
Encrypted:	false
Ssdeep:	768:MSvSxC8TemadpQZaunCduBaFISx2tEVDUQaOhFd:MGSQnvpQcea6y2SVDDa0z
Size:	43580
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\preinhered

ASCII text, with very long lines (65536), with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\preinhered
Category:	dropped
Dump:	preinhered.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\Offer 2024-30496.exe
Type:	ASCII text, with very long lines (65536), with no line terminators
Entropy:	4.178837296097941
Encrypted:	false
Ssdeep:	1536:jKq5ajZwcez04TTAo/CgXwS3AFkqkY4TG+:j+lwcnF2DnqkHf
Size:	86022
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Offer 2024-30496.exe

"C:\Users\user\Desktop\Offer 2024-30496.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6212
Target ID:	0
Parent PID:	4088
Name:	Offer 2024-30496.exe
Path:	C:\Users\user\Desktop\Offer 2024-30496.exe
Commandline:	"C:\Users\user\Desktop\Offer 2024-30496.exe"
Size:	73400320
MD5:	AB64DB1F849B146E66310AE4533BAE41
Time:	06:02:44
Date:	29/08/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x950000
Modulesize:	1130496
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Binary is likely a compiled AutoIt script file	System Summary
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\Offer 2024-30496.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6408
Target ID:	2
Parent PID:	6212
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\Offer 2024-30496.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	06:02:45
Date:	29/08/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x8f0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://reallyfreegeoip.org

unknown

http://checkip.dyndns.org

unknown

http://checkip.dyndns.org/

193.122.6.168

http://checkip.dyndns.com

unknown

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.97.3

https://reallyfreegeoip.org/xml/8.46.123.33$

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://reallyfreegeoip.org/xml/8.46.123.33x

unknown

http://checkip.dyndns.org/q

unknown

http://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 1 hidden URLs, click here to show them.

Domains

Name

Malicious

reallyfreegeoip.org

188.114.97.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.97.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Suricata IDS alerts with low severity for network traffic	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

193.122.6.168

IPs

Domain

Country

Malicious

188.114.97.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.97.3
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

193.122.6.168

checkip.dyndns.com

United States

Details

IP:	193.122.6.168
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	31898
ASN name:	ORACLE-BMC-31898US
Private:	false
Domain:	checkip.dyndns.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2D71000

trusted library allocation

page read and write

1200000

direct allocation

page read and write

2BA1000

trusted library allocation

page read and write

402000

system

page execute and read and write

2D19000

trusted library allocation

page read and write

2A90000

heap

page read and write

2CE2000

trusted library allocation

page read and write

880000

heap

page read and write

1300000

heap

page read and write

135F000

heap

page read and write

137F000

heap

page read and write

1ABE000

stack

page read and write

54BD000

stack

page read and write

37B4000

heap

page read and write

4D7E000

stack

page read and write

10D0000

trusted library allocation

page read and write

2A80000

trusted library allocation

page read and write

2D35000

trusted library allocation

page read and write

A12000

unkown

page readonly

2D51000

trusted library allocation

page read and write

50DE000

trusted library allocation

page read and write

6690000

trusted library allocation

page read and write

2C9A000

trusted library allocation

page read and write

1360000

heap

page read and write

3DC9000

direct allocation

page read and write

655E000

stack

page read and write

A1C000

unkown

page write copy

3C09000

trusted library allocation

page read and write

1300000

heap

page read and write

940000

heap

page read and write

3DCD000

direct allocation

page read and write

12FA000

heap

page read and write

14EA000

heap

page read and write

61E0000

heap

page read and write

5160000

heap

page execute and read and write

135F000

heap

page read and write

1315000

heap

page read and write

3025000

trusted library allocation

page read and write

10A0000

trusted library allocation

page read and write

108E000

stack

page read and write

10CD000

trusted library allocation

page execute and read and write

2FDA000

trusted library allocation

page read and write

3DC9000

direct allocation

page read and write

12C8000

heap

page read and write

3DC9000

direct allocation

page read and write

950000

unkown

page readonly

132F000

heap

page read and write

635E000

stack

page read and write

D3E000

stack

page read and write

6C10000

heap

page read and write

1130000

trusted library allocation

page read and write

2FCF000

trusted library allocation

page read and write

3DCD000

direct allocation

page read and write

3DCD000

direct allocation

page read and write

14AB000

heap

page read and write

55BF000

stack

page read and write

14ED000

heap

page read and write

2D63000

trusted library allocation

page read and write

9EC000

unkown

page readonly

10EA000

trusted library allocation

page execute and read and write

D50000

heap

page read and write

301F000

trusted library allocation

page read and write

2D0C000

trusted library allocation

page read and write

3DCD000

direct allocation

page read and write

5650000

trusted library allocation

page execute and read and write

12F2000

heap

page read and write

50C6000

trusted library allocation

page read and write

3CA0000

direct allocation

page read and write

6262000

heap

page read and write

3B00000

direct allocation

page read and write

A24000

unkown

page readonly

50CB000

trusted library allocation

page read and write

951000

unkown

page execute read

2FD3000

trusted library allocation

page read and write

631E000

stack

page read and write

149F000

heap

page read and write

E75000

heap

page read and write

50E6000

trusted library allocation

page read and write

10F2000

trusted library allocation

page read and write

50CE000

trusted library allocation

page read and write

2CF6000

trusted library allocation

page read and write

10F7000

trusted library allocation

page execute and read and write

5170000

trusted library allocation

page read and write

5663000

trusted library allocation

page read and write

651E000

stack

page read and write

13EE000

heap

page read and write

2C50000

trusted library allocation

page read and write

64DE000

stack

page read and write

3BC9000

trusted library allocation

page read and write

2B9F000

stack

page read and write

3C2E000

trusted library allocation

page read and write

10C0000

trusted library allocation

page read and write

D58000

heap

page read and write

1EBF000

stack

page read and write

3E3E000

direct allocation

page read and write

950000

unkown

page readonly

2FF1000

trusted library allocation

page read and write

2D55000

trusted library allocation

page read and write

2CAE000

trusted library allocation

page read and write

14BB000

heap

page read and write

2CA2000

trusted library allocation

page read and write

2A70000

trusted library allocation

page read and write

5240000

heap

page read and write

3C3A000

trusted library allocation

page read and write

2CA6000

trusted library allocation

page read and write

5660000

trusted library allocation

page read and write

50C0000

trusted library allocation

page read and write

1120000

trusted library allocation

page execute and read and write

50F2000

trusted library allocation

page read and write

3CA0000

direct allocation

page read and write

135F000

heap

page read and write

3C23000

direct allocation

page read and write

6680000

trusted library allocation

page read and write

3021000

trusted library allocation

page read and write

D79000

heap

page read and write

135F000

heap

page read and write

566A000

trusted library allocation

page read and write

5180000

trusted library allocation

page execute and read and write

14EF000

heap

page read and write

302B000

trusted library allocation

page read and write

10C4000

trusted library allocation

page read and write

519E000

trusted library allocation

page read and write

639E000

stack

page read and write

6240000

heap

page read and write

1300000

heap

page read and write

3019000

trusted library allocation

page read and write

10E0000

trusted library allocation

page read and write

6224000

heap

page read and write

3CA0000

direct allocation

page read and write

10DD000

trusted library allocation

page execute and read and write

3B00000

direct allocation

page read and write

11EF000

stack

page read and write

3CA0000

direct allocation

page read and write

10F5000

trusted library allocation

page execute and read and write

135F000

heap

page read and write

3C23000

direct allocation

page read and write

1110000

trusted library allocation

page read and write

3B00000

direct allocation

page read and write

134E000

heap

page read and write

2CAA000

trusted library allocation

page read and write

5110000

trusted library allocation

page read and write

60DE000

stack

page read and write

11DB000

stack

page read and write

E3D000

heap

page read and write

3CA0000

direct allocation

page read and write

50DA000

trusted library allocation

page read and write

14FA000

heap

page read and write

1340000

heap

page read and write

E70000

heap

page read and write

10C3000

trusted library allocation

page execute and read and write

14E9000

heap

page read and write

37B0000

heap

page read and write

3C23000

direct allocation

page read and write

3B00000

direct allocation

page read and write

14BC000

heap

page read and write

649F000

stack

page read and write

50ED000

trusted library allocation

page read and write

11FF000

stack

page read and write

135F000

heap

page read and write

3BA1000

trusted library allocation

page read and write

400000

system

page execute and read and write

830000

heap

page read and write

2CFA000

trusted library allocation

page read and write

142F000

heap

page read and write

104E000

stack

page read and write

2FE3000

trusted library allocation

page read and write

A24000

unkown

page readonly

2A13000

heap

page read and write

3E3E000

direct allocation

page read and write

124E000

stack

page read and write

2CEE000

trusted library allocation

page read and write

14C0000

heap

page read and write

8FE000

stack

page read and write

2C58000

trusted library allocation

page read and write

3CA0000

direct allocation

page read and write

3C23000

direct allocation

page read and write

2C6B000

trusted library allocation

page read and write

29F0000

heap

page read and write

2A20000

heap

page execute and read and write

135F000

heap

page read and write

2FED000

trusted library allocation

page read and write

2C68000

trusted library allocation

page read and write

566F000

trusted library allocation

page read and write

665E000

stack

page read and write

5190000

trusted library allocation

page read and write

61DE000

stack

page read and write

2CEA000

trusted library allocation

page read and write

130F000

heap

page read and write

A20000

unkown

page write copy

3C23000

direct allocation

page read and write

12F3000

heap

page read and write

2FF6000

trusted library allocation

page read and write

2CE6000

trusted library allocation

page read and write

3C25000

trusted library allocation

page read and write

3DC9000

direct allocation

page read and write

3E3E000

direct allocation

page read and write

5648000

trusted library allocation

page read and write

12C0000

heap

page read and write

11BF000

stack

page read and write

6670000

trusted library allocation

page execute and read and write

7C9000

stack

page read and write

14AB000

heap

page read and write

D86000

heap

page read and write

87D000

stack

page read and write

98A000

stack

page read and write

2C83000

trusted library allocation

page read and write

620C000

heap

page read and write

3C23000

direct allocation

page read and write

3E3E000

direct allocation

page read and write

14BA000

heap

page read and write

1140000

heap

page read and write

10F0000

trusted library allocation

page read and write

2CFE000

trusted library allocation

page read and write

5640000

trusted library allocation

page read and write

2C98000

trusted library allocation

page read and write

3DCD000

direct allocation

page read and write

2D27000

trusted library allocation

page read and write

8B0000

heap

page read and write

134E000

heap

page read and write

10E2000

trusted library allocation

page read and write

12FA000

heap

page read and write

3DC9000

direct allocation

page read and write

3B00000

direct allocation

page read and write

D40000

heap

page read and write

2A6E000

stack

page read and write

10FB000

trusted library allocation

page execute and read and write

9EC000

unkown

page readonly

66A0000

trusted library allocation

page read and write

14FA000

heap

page read and write

11CE000

stack

page read and write

6660000

trusted library allocation

page execute and read and write

4C7E000

stack

page read and write

10E6000

trusted library allocation

page execute and read and write

2CF2000

trusted library allocation

page read and write

564B000

trusted library allocation

page read and write

3DC9000

direct allocation

page read and write

A12000

unkown

page readonly

12E3000

heap

page read and write

951000

unkown

page execute read

10B0000

heap

page read and write

A1C000

unkown

page read and write

2A10000

heap

page read and write

6730000

trusted library allocation

page execute and read and write

BD0000

direct allocation

page execute and read and write

133F000

heap

page read and write

CF7000

stack

page read and write

D6E000

heap

page read and write

12F2000

heap

page read and write

3E3E000

direct allocation

page read and write

620E000

heap

page read and write

9F0000

heap

page read and write

3E3E000

direct allocation

page read and write

2050000

heap

page read and write

3DCD000

direct allocation

page read and write

50E1000

trusted library allocation

page read and write

6720000

heap

page read and write

3B00000

direct allocation

page read and write

1467000

heap

page read and write

5646000

trusted library allocation

page read and write

E0B000

heap

page read and write

2C48000

trusted library allocation

page read and write

There are 251 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Offer 2024-30496.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportOffer 2024-30496.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Offer 2024-30496.exe