Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

z95g0YV3PKzM3LA5zt.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.7371445717797585
Filename:	z95g0YV3PKzM3LA5zt.exe
Filesize:	648192
MD5:	b37fbc315b7e7bb63be8df480dc06e9e
SHA1:	4067d052f93087281edbe16f86cfd5fbac07c145
SHA256:	8e1469a8d3fac63fefa4affff492ca82c6d3059bc5c8097a38c04e4e965e1a39
SHA512:	7c95ee856caba832301ef0eeafd63807d620c645eba424589a65ac8d2973026d3c5986e0947d2f9a78d5a3e91441132b34b690a9d869a443f86aeeb7a0e2c0de
SSDEEP:	12288:lIwFcDL0sj9HstDlYsjnZDw9MGaUPExCQ8NqEwrJ9by/C:2wFcDL59SDlYmw1EoQ8NqFJ9bmC
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&r...............0.................. ........@.. .......................@............@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Abnormal high CPU Usage	System Summary
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Archive Collected Data
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains functionality to modify the execution of threads in other processes
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z95g0YV3PKzM3LA5zt.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z95g0YV3PKzM3LA5zt.exe.log
Category:	dropped
Dump:	z95g0YV3PKzM3LA5zt.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe

"C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3564
Target ID:	0
Parent PID:	4004
Name:	z95g0YV3PKzM3LA5zt.exe
Path:	C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
Commandline:	"C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe"
Size:	648192
MD5:	B37FBC315B7E7BB63BE8DF480DC06E9E
Time:	15:23:00
Date:	25/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x810000
Modulesize:	671744
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe

"C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4344
Target ID:	3
Parent PID:	3564
Name:	z95g0YV3PKzM3LA5zt.exe
Path:	C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
Commandline:	"C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe"
Size:	648192
MD5:	B37FBC315B7E7BB63BE8DF480DC06E9E
Time:	15:23:00
Date:	25/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x360000
Modulesize:	671744
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe

"C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3608
Target ID:	4
Parent PID:	3564
Name:	z95g0YV3PKzM3LA5zt.exe
Path:	C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
Commandline:	"C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe"
Size:	648192
MD5:	B37FBC315B7E7BB63BE8DF480DC06E9E
Time:	15:23:00
Date:	25/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd10000
Modulesize:	671744
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://reallyfreegeoip.org

unknown

http://checkip.dyndns.org

unknown

http://checkip.dyndns.org/

132.226.247.73

http://checkip.dyndns.com

unknown

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.96.3

https://reallyfreegeoip.org/xml/8.46.123.33$

unknown

https://static.wikia.nocookie.net/mitologa/images/a/a3/Imagen_por_defecto.png/revision/latest/thumbn

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://checkip.dyndns.org/q

unknown

http://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 1 hidden URLs, click here to show them.

Domains

Name

Malicious

reallyfreegeoip.org

188.114.96.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.96.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Suricata IDS alerts with low severity for network traffic	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

132.226.247.73

IPs

Domain

Country

Malicious

188.114.96.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.96.3
TargetID:	4
Current Path:	C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

132.226.247.73

checkip.dyndns.com

United States

Details

IP:	132.226.247.73
TargetID:	4
Current Path:	C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe
Country:	United States
Countrycode:	USA
ASN number:	16989
ASN name:	UTMEMUS
Private:	false
Domain:	checkip.dyndns.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z95g0YV3PKzM3LA5zt_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z95g0YV3PKzM3LA5zt_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z95g0YV3PKzM3LA5zt_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z95g0YV3PKzM3LA5zt_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z95g0YV3PKzM3LA5zt_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z95g0YV3PKzM3LA5zt_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z95g0YV3PKzM3LA5zt_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z95g0YV3PKzM3LA5zt_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z95g0YV3PKzM3LA5zt_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z95g0YV3PKzM3LA5zt_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z95g0YV3PKzM3LA5zt_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z95g0YV3PKzM3LA5zt_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z95g0YV3PKzM3LA5zt_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z95g0YV3PKzM3LA5zt_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

3316000

trusted library allocation

page read and write

3D4C000

trusted library allocation

page read and write

3E65000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

3151000

trusted library allocation

page read and write

691E000

stack

page read and write

5090000

trusted library allocation

page read and write

7702000

trusted library allocation

page read and write

3288000

trusted library allocation

page read and write

B87D000

stack

page read and write

74BE000

stack

page read and write

810000

unkown

page readonly

5650000

trusted library allocation

page execute and read and write

15A0000

trusted library allocation

page read and write

3C49000

trusted library allocation

page read and write

7F8E000

stack

page read and write

3396000

trusted library allocation

page read and write

329C000

trusted library allocation

page read and write

323F000

trusted library allocation

page read and write

17C0000

trusted library allocation

page read and write

3140000

heap

page read and write

141B000

heap

page read and write

5596000

trusted library allocation

page read and write

56F0000

trusted library allocation

page read and write

5B3E000

stack

page read and write

5153000

heap

page read and write

15A5000

trusted library allocation

page execute and read and write

55AE000

trusted library allocation

page read and write

DBD000

trusted library allocation

page execute and read and write

75FE000

stack

page read and write

3212000

trusted library allocation

page read and write

52C0000

heap

page execute and read and write

1440000

heap

page read and write

1574000

trusted library allocation

page read and write

3298000

trusted library allocation

page read and write

E02000

heap

page read and write

5150000

heap

page read and write

324C000

trusted library allocation

page read and write

3C41000

trusted library allocation

page read and write

1580000

trusted library allocation

page read and write

6DC0000

heap

page read and write

157D000

trusted library allocation

page execute and read and write

528B000

stack

page read and write

1596000

trusted library allocation

page execute and read and write

812000

unkown

page readonly

BB7E000

stack

page read and write

1780000

trusted library allocation

page read and write

32CD000

trusted library allocation

page read and write

5230000

trusted library allocation

page read and write

2C06000

trusted library allocation

page read and write

DB3000

trusted library allocation

page read and write

1260000

trusted library allocation

page execute and read and write

D8E000

stack

page read and write

32BF000

trusted library allocation

page read and write

521B000

trusted library allocation

page read and write

CF7000

stack

page read and write

12E0000

heap

page read and write

5660000

trusted library allocation

page read and write

52A0000

heap

page read and write

1350000

heap

page read and write

5680000

trusted library allocation

page read and write

5B8A000

trusted library allocation

page read and write

6920000

heap

page read and write

165F000

stack

page read and write

5690000

trusted library allocation

page execute and read and write

E70000

heap

page read and write

1297000

heap

page read and write

32A0000

trusted library allocation

page read and write

338D000

trusted library allocation

page read and write

11B0000

trusted library allocation

page read and write

132E000

stack

page read and write

5440000

heap

page read and write

5BA0000

trusted library allocation

page execute and read and write

1790000

trusted library allocation

page read and write

109E000

stack

page read and write

7B9E000

stack

page read and write

55B6000

trusted library allocation

page read and write

BA7F000

stack

page read and write

DB0000

trusted library allocation

page read and write

4179000

trusted library allocation

page read and write

6ADE000

stack

page read and write

7C9F000

stack

page read and write

2E92000

trusted library allocation

page read and write

55BD000

trusted library allocation

page read and write

EC0000

heap

page read and write

32A4000

trusted library allocation

page read and write

3406000

trusted library allocation

page read and write

6DD0000

heap

page read and write

52B0000

heap

page read and write

3248000

trusted library allocation

page read and write

12DE000

stack

page read and write

6A5E000

stack

page read and write

55F0000

heap

page read and write

3250000

trusted library allocation

page read and write

563E000

stack

page read and write

58E0000

trusted library allocation

page execute and read and write

6E40000

heap

page read and write

58D8000

trusted library allocation

page read and write

2C01000

trusted library allocation

page read and write

DC0000

heap

page read and write

1770000

trusted library allocation

page read and write

554D000

stack

page read and write

5581000

heap

page read and write

175D000

stack

page read and write

6D9E000

stack

page read and write

1560000

trusted library allocation

page read and write

5095000

trusted library allocation

page read and write

5119000

trusted library allocation

page read and write

33C9000

trusted library allocation

page read and write

11C0000

heap

page read and write

400000

remote allocation

page execute and read and write

6E50000

heap

page read and write

2C20000

trusted library allocation

page read and write

2C0D000

trusted library allocation

page read and write

322A000

trusted library allocation

page read and write

DC8000

heap

page read and write

56AE000

stack

page read and write

15A7000

trusted library allocation

page execute and read and write

9B0000

heap

page read and write

DAD000

trusted library allocation

page execute and read and write

2C30000

heap

page read and write

307E000

stack

page read and write

D40000

heap

page read and write

3378000

trusted library allocation

page read and write

9C0000

heap

page read and write

4D3B000

stack

page read and write

708F000

stack

page read and write

1378000

heap

page read and write

41D0000

trusted library allocation

page read and write

11A2000

trusted library allocation

page read and write

5210000

trusted library allocation

page read and write

11AA000

trusted library allocation

page execute and read and write

169E000

stack

page read and write

2B3E000

stack

page read and write

125B000

stack

page read and write

33CF000

trusted library allocation

page read and write

7B50000

trusted library allocation

page read and write

6C9E000

stack

page read and write

73BF000

stack

page read and write

5110000

trusted library allocation

page read and write

121E000

stack

page read and write

74FE000

stack

page read and write

72B0000

trusted library allocation

page execute and read and write

1157000

stack

page read and write

DA4000

trusted library allocation

page read and write

11A6000

trusted library allocation

page execute and read and write

DF5000

heap

page read and write

3290000

trusted library allocation

page read and write

5700000

trusted library allocation

page read and write

5220000

trusted library allocation

page execute and read and write

1280000

trusted library allocation

page read and write

17B0000

heap

page execute and read and write

4151000

trusted library allocation

page read and write

2D17000

trusted library allocation

page read and write

7F200000

trusted library allocation

page execute and read and write

50A0000

trusted library allocation

page read and write

5080000

trusted library allocation

page read and write

5130000

heap

page read and write

33D6000

trusted library allocation

page read and write

159A000

trusted library allocation

page execute and read and write

7F4E000

stack

page read and write

7AE0000

trusted library section

page read and write

160E000

stack

page read and write

1358000

heap

page read and write

55F3000

heap

page read and write

2C41000

trusted library allocation

page read and write

6BDE000

stack

page read and write

5550000

heap

page read and write

6E24000

heap

page read and write

11D0000

trusted library allocation

page read and write

70C0000

trusted library allocation

page execute and read and write

58D0000

trusted library allocation

page read and write

154E000

stack

page read and write

5445000

heap

page read and write

11B2000

trusted library allocation

page read and write

1270000

heap

page execute and read and write

1290000

heap

page read and write

DCE000

heap

page read and write

5B80000

trusted library allocation

page read and write

5740000

heap

page read and write

7090000

trusted library section

page read and write

339B000

trusted library allocation

page read and write

7EC0000

trusted library allocation

page read and write

41DA000

trusted library allocation

page read and write

1760000

trusted library allocation

page execute and read and write

15AB000

trusted library allocation

page execute and read and write

11A0000

trusted library allocation

page read and write

6DCC000

heap

page read and write

1590000

trusted library allocation

page read and write

7F0D000

stack

page read and write

328C000

trusted library allocation

page read and write

1190000

heap

page read and write

524E000

stack

page read and write

339F000

trusted library allocation

page read and write

58D6000

trusted library allocation

page read and write

72A0000

trusted library allocation

page read and write

559B000

trusted library allocation

page read and write

55AA000

trusted library allocation

page read and write

5140000

trusted library allocation

page read and write

33C3000

trusted library allocation

page read and write

681E000

stack

page read and write

55B1000

trusted library allocation

page read and write

6DC4000

heap

page read and write

6EC0000

trusted library allocation

page execute and read and write

6CC0000

heap

page read and write

11BB000

trusted library allocation

page execute and read and write

56EE000

stack

page read and write

5112000

trusted library allocation

page read and write

DA3000

trusted library allocation

page execute and read and write

5560000

heap

page read and write

33CB000

trusted library allocation

page read and write

158D000

trusted library allocation

page execute and read and write

58DB000

trusted library allocation

page read and write

5B8F000

trusted library allocation

page read and write

32FA000

trusted library allocation

page read and write

94A000

stack

page read and write

105A000

stack

page read and write

119F000

stack

page read and write

1784000

trusted library allocation

page read and write

5B87000

trusted library allocation

page read and write

1386000

heap

page read and write

B880000

heap

page read and write

3294000

trusted library allocation

page read and write

5100000

heap

page read and write

559E000

trusted library allocation

page read and write

6F8E000

stack

page read and write

5B83000

trusted library allocation

page read and write

5290000

trusted library section

page readonly

32DA000

trusted library allocation

page read and write

58F0000

heap

page execute and read and write

1610000

heap

page read and write

D90000

trusted library allocation

page read and write

41B5000

trusted library allocation

page read and write

2BFE000

trusted library allocation

page read and write

6E02000

heap

page read and write

3383000

trusted library allocation

page read and write

41E6000

trusted library allocation

page read and write

2BE0000

trusted library allocation

page read and write

15A2000

trusted library allocation

page read and write

5590000

trusted library allocation

page read and write

6DA0000

trusted library allocation

page read and write

55C2000

trusted library allocation

page read and write

6DB0000

trusted library allocation

page read and write

6A9E000

stack

page read and write

5120000

trusted library allocation

page execute and read and write

50C0000

trusted library allocation

page read and write

58CE000

trusted library allocation

page read and write

1573000

trusted library allocation

page execute and read and write

6EA0000

trusted library allocation

page execute and read and write

5B90000

trusted library allocation

page execute and read and write

6DE0000

heap

page read and write

1592000

trusted library allocation

page read and write

DA0000

trusted library allocation

page read and write

1570000

trusted library allocation

page read and write

58C0000

trusted library allocation

page read and write

17D0000

heap

page read and write

D3E000

stack

page read and write

337D000

trusted library allocation

page read and write

32F6000

trusted library allocation

page read and write

2B48000

trusted library allocation

page read and write

11B7000

trusted library allocation

page execute and read and write

625E000

stack

page read and write

6DC0000

trusted library allocation

page read and write

There are 253 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
z95g0YV3PKzM3LA5zt.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportz95g0YV3PKzM3LA5zt.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
z95g0YV3PKzM3LA5zt.exe