Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

7l2s6qwHg7.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.082314394462888
Filename:	7l2s6qwHg7.exe
Filesize:	311296
MD5:	efeaaeb1be566969f1ee9333cf828c9d
SHA1:	c6ce1744d201715216ef0e9cb8c2c699555ad5fc
SHA256:	6bce463db5e9683428f40370efc41ae6e04f0ec36e439cfd04b86372da3e2e14
SHA512:	bd2d57d9394c6df63ac11129625fdfd9c836933ca10a017b9e4144b998aab98e6abc8ac74b6bdacf971eb08687e800f7b04a3d4c893c93040da519d460d95d43
SSDEEP:	3072:sq6EgY6iArUjz5MiwPmmduzYevTAZtAgK2NcZqf7D34VeqiOLibBOk:nqY6izwPpSYevTAfAeNcZqf7DI/L
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Y................0.................. ... ....@.. ....................... ............@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops certificate files (DER)	E-Banking Fraud
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\Public\Desktop\Google Chrome.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 07:36:34 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide

dropped

Details

File:	C:\Users\Public\Desktop\Google Chrome.lnk
Category:	dropped
Dump:	Google Chrome.lnk.1.dr
ID:	dr_3
Target ID:	1
Process:	C:\Users\user\Desktop\7l2s6qwHg7.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 07:36:34 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Entropy:	3.459461522074106
Encrypted:	false
Ssdeep:	48:8SUF0dYTclzRYrnvPdAKRkdAGdAKRFdAKR1:8SUF7r
Size:	2104
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\Tmp3A95.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Tmp3A95.tmp
Category:	dropped
Dump:	Tmp3A95.tmp.1.dr
ID:	dr_0
Target ID:	1
Process:	C:\Users\user\Desktop\7l2s6qwHg7.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\Tmp3AE4.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Tmp3AE4.tmp
Category:	dropped
Dump:	Tmp3AE4.tmp.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Users\user\Desktop\7l2s6qwHg7.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
Category:	dropped
Dump:	76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Users\user\Desktop\7l2s6qwHg7.exe
Type:	data
Entropy:	7.630398106676328
Encrypted:	false
Ssdeep:	48:S7SjQDUYmeS8kPHt0G4KaNkFJg6b6iizFn09NUTSy5l:ASUDpme4FaKnjbHiz2NUTSq
Size:	2251
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\7l2s6qwHg7.exe

"C:\Users\user\Desktop\7l2s6qwHg7.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1712
Target ID:	1
Parent PID:	4084
Name:	7l2s6qwHg7.exe
Path:	C:\Users\user\Desktop\7l2s6qwHg7.exe
Commandline:	"C:\Users\user\Desktop\7l2s6qwHg7.exe"
Size:	311296
MD5:	EFEAAEB1BE566969F1EE9333CF828C9D
Time:	12:38:08
Date:	25/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7b0000
Modulesize:	335872
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

185.215.113.9:12617

http://tempuri.org/Entity/Id24LR

unknown

http://tempuri.org/Entity/Id20LR

unknown

http://tempuri.org/Entity/Id12Response

unknown

http://tempuri.org/Entity/Id15Responsex

unknown

http://tempuri.org/

unknown

http://tempuri.org/Entity/Id2Response

unknown

http://tempuri.org/Entity/Id21Response

unknown

http://tempuri.org/Entity/Id9

unknown

http://tempuri.org/Entity/Id8

unknown

http://tempuri.org/Entity/Id5

unknown

http://tempuri.org/Entity/Id4

unknown

http://tempuri.org/Entity/Id17LR

unknown

http://tempuri.org/Entity/Id7

unknown

http://tempuri.org/Entity/Id6

unknown

http://tempuri.org/Entity/Id9LR

unknown

http://tempuri.org/Entity/Id10Responsex

unknown

http://tempuri.org/Entity/Id19Response

unknown

http://tempuri.org/Entity/Id13LR

unknown

http://tempuri.org/Entity/Id1LR

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

http://tempuri.org/Entity/Id5LR

unknown

http://tempuri.org/Ent

unknown

http://tempuri.org/Entity/Id6Responsex

unknown

http://tempuri.org/Entity/Id7Responsex

unknown

http://tempuri.org/Entity/Id15Response

unknown

http://tempuri.org/Entity/Id1Responsex

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9

unknown

http://tempuri.org/Entity/Id6Response

unknown

https://api.ip.sb/ip

unknown

http://tempuri.org/Entity/Id23Responsex

unknown

http://tempuri.org/Entity/Id21LR

unknown

http://tempuri.org/Entity/Id5Responsex

unknown

http://tempuri.org/Entity/Id14Responsex

unknown

http://tempuri.org/Entity/Id9Response

unknown

http://tempuri.org/Entity/Id20Responsex

unknown

http://tempuri.org/Entity/Id20

unknown

http://tempuri.org/Entity/Id21

unknown

http://tempuri.org/Entity/Id22

unknown

http://tempuri.org/Entity/Id23

unknown

http://tempuri.org/Entity/Id24

unknown

http://tempuri.org/Entity/Id24Response

unknown

http://tempuri.org/Entity/Id1Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://tempuri.org/Entity/Id8Responsex

unknown

http://tempuri.org/Entity/Id18LR

unknown

http://tempuri.org/Entity/Id14LR

unknown

http://tempuri.org/Entity/Id6LR

unknown

http://tempuri.org/Entity/

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://tempuri.org/Entity/Id10LR

unknown

http://tempuri.org/Entity/Id3Responsex

unknown

http://tempuri.org/Entity/Id2LR

unknown

http://tempuri.org/Entity/Id10

unknown

http://tempuri.org/Entity/Id11

unknown

http://tempuri.org/Entity/Id12

unknown

http://tempuri.org/Entity/Id16Response

unknown

http://tempuri.org/Entity/Id13

unknown

http://tempuri.org/Entity/Id14

unknown

http://tempuri.org/Entity/Id15

unknown

http://tempuri.org/Entity/Id16

unknown

http://tempuri.org/Entity/Id12Responsex

unknown

http://tempuri.org/Entity/Id17

unknown

http://tempuri.org/Entity/Id17Responsex

unknown

http://tempuri.org/Entity/Id18

unknown

http://tempuri.org/Entity/Id5Response

unknown

http://tempuri.org/Entity/Id19

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns

unknown

http://tempuri.org/Entity/Id10Response

unknown

http://tempuri.org/Entity/Id8Response

unknown

http://tempuri.org/Entity/Id22LR

unknown

http://tempuri.org/Entity/Id18Responsex

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://tempuri.org/Entity/Id19LR

unknown

http://tempuri.org/Entity/Id23Response

unknown

http://tempuri.org/Entity/Id22Responsex

unknown

http://tempuri.org/Entity/Id15LR

unknown

http://tempuri.org/Entity/Id19Responsex

unknown

http://tempuri.org/Entity/Id7LR

unknown

http://tempuri.org/Entity/Id11LR

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse

unknown

http://tempuri.org/Entity/Id17Response

unknown

http://tempuri.org/Entity/Id20Response

unknown

http://tempuri.org/Entity/Id3LR

unknown

http://tempuri.org/Entity/Id13Response

unknown

http://tempuri.org/Entity/Id4Response

unknown

http://tempuri.org/Entity/Id21Responsex

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement

unknown

http://tempuri.org/Entity/Id23LR

unknown

http://tempuri.org/Entity/Id7Response

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous

unknown

http://tempuri.org/Entity/Id11Response

unknown

http://tempuri.org/Entity/Id2Responsex

unknown

http://tempuri.org/Entity/Id11Responsex

unknown

http://tempuri.org/Entity/Id22Response

unknown

http://tempuri.org/Entity/Id1

unknown

http://tempuri.org/Entity/Id13Responsex

unknown

http://tempuri.org/Entity/Id16Responsex

unknown

http://tempuri.org/Entity/Id16LR

unknown

There are 90 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

185.215.113.9

unknown

Portugal

Details

IP:	185.215.113.9
TargetID:	1
Current Path:	C:\Users\user\Desktop\7l2s6qwHg7.exe
Country:	Portugal
Countrycode:	PRT
ASN number:	206894
ASN name:	WHOLESALECONNECTIONSNL
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064

Blob

Details

TargetID:	1
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064
Value name:	Blob
Value data:	0B 00 00 00 01 00 00 00 48 00 00 00 54 00 69 00 74 00 61 00 6E 00 69 00 75 00 6D 00 20 00 52 00 6F 00 6F 00 74 00 20 00 43 00 65 00 72 00 74 00 69 00 66 00 69 00 63 00 61 00 74 00 65 00 20 00 41 00 75 00 74 00 68 00 6F 00 72 00 69 00 74 00 79 00 00 00 02 00 00 00 01 00 00 00 CC 00 00 00 1C 00 00 00 6C 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 7B 00 34 00 31 00 37 00 34 00 34 00 42 00 45 00 34 00 2D 00 31 00 31 00 43 00 35 00 2D 00 34 00 39 00 34 00 43 00 2D 00 41 00 32 00 31 00 33 00 2D 00 42 00 41 00 30 00 43 00 45 00 39 00 34 00 34 00 39 00 33 00 38 00 45 00 7D 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 45 00 6E 00 68 00 61 00 6E 00 63 00 65 00 64 00 20 00 43 00 72 00 79 00 70 00 74 00 6F 00 67 00 72 00 61 00 70 00 68 00 69 00 63 00 20 00 50 00 72 00 6F 00 76 00 69 00 64 00 65 00 72 00 20 00 76 00 31 00 2E 00 30 00 00 00 00 00 03 00 00 00 01 00 00 00 14 00 00 00 F1 A5 78 C4 CB 5D E7 9A 37 08 93 98 3F D4 DA 8B 67 B2 B0 64 20 00 00 00 01 00 00 00 0A 03 00 00 30 82 03 06 30 82 01 EE A0 03 02 01 02 02 08 67 F7 BE B9 6A 4C 27 98 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 1E 17 0D 32 33 30 33 31 34 31 30 33 35 32 30 5A 17 0D 32 36 30 36 31 37 31 30 33 35 32 30 5A 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 86 E4 57 7A 58 61 CE 81 91 77 D0 05 FA 51 D5 51 5A 93 6C 61 0C CF CB DE 53 32 CD 15 1D A6 47 EE 88 1A 24 5C 9B 02 83 3B 02 AF 3D 76 FE 20 BD 3B FA F7 A2 09 73 E7 2E BD 94 40 D0 9D 8C 3D 27 13 BD F0 D0 9F EB 95 32 AC D7 A4 2D A2 A9 52 DA A8 6A 2A 88 EE 42 7D 30 95 9D 90 BF BA 05 27 6A A0 29 98 A6 98 6F C0 13 06 62 9B 79 B8 40 5D 1F 1F A6 D9 A4 2F 82 7A FC 75 66 34 0D C2 DE 27 01 2B 94 BB 4A 27 B3 CB 1C 21 9A 3C B2 C1 42 03 F3 44 51 BD 62 65 20 ED D4 DB CC 41 4F 59 3F 2A CB C4 84 79 F7 14 3C BE 13 9C FD 12 9C 91 3E 53 03 DC 20 F9 4C 44 35 89 01 B6 9A 84 8D 7E A0 2E 30 8A 31 15 60 AC 00 AE 00 9A 29 10 9A EE D9 71 3D D8 91 9B 97 ED 59 80 58 E1 7F 07 26 C7 A0 20 F7 10 AB C0 62 91 DF AA F1 81 C6 BE 6A 76 C8 9C B6 8E B0 B0 EC 1C D9 5F 32 6C 7E 55 58 8B FD 76 C5 19 02 03 01 00 01 A3 28 30 26 30 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 03 82 01 01 00 70 85 12 93 D7 57 E9 82 79 7D C5 F7 F2 7D A8 94 EF 0C DB 32 9F 06 A6 09 6E 0C F6 04 B0 E5 47 11 56 0E F4 0F 52 82 08 2E 21 0F 55 A3 DB 41 F3 12 54 8B 76 11 F5 F0 DA CE A3 C7 8B 13 F6 FC 24 3C 02 B1 06 66 5B E6 9E 18 40 88 41 5B 27 39 99 B8 77 BE E3 53 A2 48 CE C7 EE B5 A0 95 C2 17 4B C9 52 6C AF E3 37 2C 59 DB FB E7 58 13 4E D3 51 E5 14 72 73 FE C6 85 77 AE 45 52 A6 F9 9A C8 0C A8 D0 EE 42 2A F5 28 85 8C 6B E8 1C B0 A8 03 1A B0 AE 83 C0 EB 55 64 F4 E8 7A 5C 06 29 5D 39 03 EE E2 FD F9 2D 62 A7 F4 D4 05 4D EA A7 9B CA EB DA 4E 8B 1A 6E FD 42 AE F9 D0 1C 70 75 72 8C B1 3A A8 55 7C 85 A7 25 32 B5 E2 D6 C3 E5 50 41 C9 86 7C A8 F5 62 BB D2 AB 0C 37 10 D8 31 73 EC 37 81 D1 DC AA C5 C6 E0 7E E7 26 62 4D FD C5 81 4C FF D3 36 E1 79 32 F8 9B EB 9C F7 FD BE E9 BE BF 61

Signature Hits	Behavior Group	Mitre Attack
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate

Memdumps

Base Address

Regiontype

Protect

Malicious

7B2000

unkown

page readonly

6761000

trusted library allocation

page read and write

60FE000

stack

page read and write

2D28000

trusted library allocation

page read and write

568F000

stack

page read and write

127D000

trusted library allocation

page execute and read and write

4AB8000

trusted library allocation

page read and write

4C4E000

stack

page read and write

2D77000

trusted library allocation

page read and write

5CFE000

stack

page read and write

67A0000

trusted library allocation

page read and write

69E0000

trusted library allocation

page read and write

5FBE000

stack

page read and write

4FA0000

trusted library allocation

page read and write

5080000

heap

page read and write

675B000

trusted library allocation

page read and write

1286000

trusted library allocation

page execute and read and write

56B0000

trusted library allocation

page read and write

4FB0000

trusted library allocation

page read and write

3AD2000

trusted library allocation

page read and write

6A00000

trusted library allocation

page execute and read and write

303F000

trusted library allocation

page read and write

62C0000

heap

page read and write

7F420000

trusted library allocation

page execute and read and write

2BE3000

trusted library allocation

page read and write

1297000

trusted library allocation

page execute and read and write

1292000

trusted library allocation

page read and write

4FF0000

trusted library allocation

page read and write

659E000

stack

page read and write

5015000

trusted library allocation

page read and write

1295000

trusted library allocation

page execute and read and write

12C6000

heap

page read and write

997000

stack

page read and write

5040000

trusted library allocation

page read and write

6772000

trusted library allocation

page read and write

67D0000

trusted library allocation

page read and write

2AB1000

trusted library allocation

page read and write

67F0000

trusted library allocation

page read and write

5020000

trusted library allocation

page read and write

4FD6000

trusted library allocation

page read and write

6290000

heap

page read and write

60BE000

stack

page read and write

C00000

heap

page read and write

4FE2000

trusted library allocation

page read and write

6830000

trusted library allocation

page read and write

EBD000

heap

page read and write

2E63000

trusted library allocation

page read and write

56B8000

trusted library allocation

page read and write

30DC000

trusted library allocation

page read and write

12B0000

trusted library allocation

page read and write

4FCE000

trusted library allocation

page read and write

1263000

trusted library allocation

page execute and read and write

5480000

heap

page read and write

52EE000

stack

page read and write

5008000

trusted library allocation

page read and write

68A0000

trusted library allocation

page execute and read and write

66FE000

stack

page read and write

6710000

trusted library allocation

page read and write

291E000

stack

page read and write

7E7000

unkown

page readonly

6750000

trusted library allocation

page read and write

4FBE000

trusted library allocation

page read and write

636E000

heap

page read and write

6A10000

trusted library allocation

page read and write

D50000

heap

page read and write

677E000

trusted library allocation

page read and write

1280000

trusted library allocation

page read and write

2F9E000

trusted library allocation

page read and write

E9F000

heap

page read and write

6766000

trusted library allocation

page read and write

5110000

heap

page read and write

504E000

trusted library allocation

page read and write

67A5000

trusted library allocation

page read and write

296C000

stack

page read and write

6720000

trusted library allocation

page read and write

67AE000

trusted library allocation

page read and write

7F6000

unkown

page readonly

E96000

heap

page read and write

54A1000

heap

page read and write

1260000

trusted library allocation

page read and write

2990000

trusted library allocation

page execute and read and write

5092000

trusted library allocation

page read and write

129B000

trusted library allocation

page execute and read and write

308E000

trusted library allocation

page read and write

67B0000

trusted library allocation

page read and write

6729000

trusted library allocation

page read and write

5113000

heap

page read and write

2C3B000

trusted library allocation

page read and write

68B0000

trusted library allocation

page execute and read and write

678A000

trusted library allocation

page read and write

5090000

trusted library allocation

page read and write

62E0000

heap

page read and write

E91000

heap

page read and write

65FE000

stack

page read and write

5300000

heap

page execute and read and write

2970000

heap

page read and write

6200000

trusted library allocation

page read and write

6820000

trusted library allocation

page read and write

1264000

trusted library allocation

page read and write

4FDD000

trusted library allocation

page read and write

5010000

trusted library allocation

page read and write

67E0000

trusted library allocation

page read and write

D55000

heap

page read and write

5CBE000

stack

page read and write

DC0000

trusted library allocation

page read and write

2DC6000

trusted library allocation

page read and write

62A0000

trusted library allocation

page execute and read and write

69D0000

trusted library allocation

page read and write

89A000

stack

page read and write

DDE000

heap

page read and write

67C0000

trusted library allocation

page read and write

2CD9000

trusted library allocation

page read and write

67AB000

trusted library allocation

page read and write

1273000

trusted library allocation

page read and write

3ABF000

trusted library allocation

page read and write

4FB4000

trusted library allocation

page read and write

2F50000

trusted library allocation

page read and write

3AB1000

trusted library allocation

page read and write

6715000

trusted library allocation

page read and write

649E000

stack

page read and write

5000000

trusted library allocation

page read and write

631E000

heap

page read and write

6727000

trusted library allocation

page read and write

CE0000

heap

page read and write

6781000

trusted library allocation

page read and write

2AAE000

stack

page read and write

4FBB000

trusted library allocation

page read and write

671B000

trusted library allocation

page read and write

62C8000

heap

page read and write

128A000

trusted library allocation

page execute and read and write

312B000

trusted library allocation

page read and write

6850000

trusted library allocation

page execute and read and write

61FF000

stack

page read and write

2F01000

trusted library allocation

page read and write

634D000

heap

page read and write

1270000

trusted library allocation

page read and write

4FB6000

trusted library allocation

page read and write

2C8A000

trusted library allocation

page read and write

6790000

trusted library allocation

page read and write

62C3000

heap

page read and write

126D000

trusted library allocation

page execute and read and write

12C0000

heap

page read and write

DDA000

heap

page read and write

6725000

trusted library allocation

page read and write

6840000

trusted library allocation

page execute and read and write

69F0000

trusted library allocation

page read and write

6718000

trusted library allocation

page read and write

62B0000

trusted library allocation

page execute and read and write

2FEE000

trusted library allocation

page read and write

E04000

heap

page read and write

EBB000

heap

page read and write

7E2000

unkown

page readonly

DD0000

heap

page read and write

7B0000

unkown

page readonly

D30000

heap

page read and write

E11000

heap

page read and write

50A0000

trusted library allocation

page execute and read and write

56C0000

trusted library allocation

page read and write

1282000

trusted library allocation

page read and write

29A0000

heap

page execute and read and write

4FD1000

trusted library allocation

page read and write

2E14000

trusted library allocation

page read and write

2EB2000

trusted library allocation

page read and write

4FC2000

trusted library allocation

page read and write

62CF000

heap

page read and write

1290000

trusted library allocation

page read and write

2920000

heap

page read and write

4F90000

trusted library allocation

page read and write

There are 158 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
7l2s6qwHg7.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report7l2s6qwHg7.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
7l2s6qwHg7.exe