Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

z25RFQ945894-PDF.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.990544688899181
Filename:	z25RFQ945894-PDF.exe
Filesize:	1049600
MD5:	6cfb2ab5bfb52347d141ab2a82ab9ab2
SHA1:	cdc4e03046d770a589e09ec9e9ba56f16afce2f5
SHA256:	97aed74a1556b5b96eacd10c8ba1e206036d8f6fc35fab882689566c8c16aa6b
SHA512:	52d9f6ebd2c088d765d022bfdc037476cece11e63753be3a4aa7bbf0b2d824291d19ecd9aa70ccc503b9c4356ad929c47a4072cb0e65abc3ba0cad3faa359367
SSDEEP:	24576:VCdxte/80jYLT3U1jfsWaIsp0CL/rf6pQ:8w80cTsjkWaIs2GzV
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection	Disable or Modify Tools
Binary is likely a compiled AutoIt script file	System Summary
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion	System Information Discovery
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging	Disable or Modify Tools
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Access Token Manipulation
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	Disable or Modify Tools
Contains functionality to read the PEB	Anti Debugging
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Detected potential crypto function	System Summary	System Time Discovery Archive Collected Data Encrypted Channel
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API
Found large amount of non-executed APIs	Malware Analysis System Evasion	System Time Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Disable or Modify Tools System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Sample file is different than original file name gathered from version info	System Summary	System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Disable or Modify Tools
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary	Disable or Modify Tools
.NET source code contains calls to encryption/decryption functions	System Summary
Contains functionality for error logging	System Summary	Disable or Modify Tools
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Disable or Modify Tools
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion	Disable or Modify Tools
Reads software policies	System Summary
Sample is known by Antivirus	System Summary	Disable or Modify Tools
Tries to load missing DLLs	System Summary	DLL Side-Loading Disable or Modify Tools
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary	Disable or Modify Tools

C:\Users\user\AppData\Local\Temp\autA113.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\autA113.tmp
Category:	dropped
Dump:	autA113.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\z25RFQ945894-PDF.exe
Type:	data
Entropy:	7.878459591650458
Encrypted:	false
Ssdeep:	1536:llg3ykDSbGulpuTtO6XzlB5YtLaz/G8+/Oe20xSD+QtVhUG4bt7YRRVMJ0K0v2Hr:llPyQpAt/hYFarxbJRsyfMuK1gh4V3i+
Size:	154754
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\quinquenniad

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\quinquenniad
Category:	dropped
Dump:	quinquenniad.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\z25RFQ945894-PDF.exe
Type:	data
Entropy:	6.714326844933443
Encrypted:	false
Ssdeep:	6144:TIY/HWjbLhZwR2Fp+RXIT/Kgk4pyQSKLawCJBMd:TD/HsbLhZw8mYbBEHl/U
Size:	240128
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\z25RFQ945894-PDF.exe

"C:\Users\user\Desktop\z25RFQ945894-PDF.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7432
Target ID:	0
Parent PID:	2580
Name:	z25RFQ945894-PDF.exe
Path:	C:\Users\user\Desktop\z25RFQ945894-PDF.exe
Commandline:	"C:\Users\user\Desktop\z25RFQ945894-PDF.exe"
Size:	1049600
MD5:	6CFB2AB5BFB52347D141AB2A82AB9AB2
Time:	05:57:56
Date:	30/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x220000
Modulesize:	1077248
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Binary is likely a compiled AutoIt script file	System Summary
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\z25RFQ945894-PDF.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7448
Target ID:	1
Parent PID:	7432
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\z25RFQ945894-PDF.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	05:57:57
Date:	30/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xf20000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://mail.zqamcx.com

unknown

Details

Name:	http://mail.zqamcx.com
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.2894103472.00000000032DE000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for domain / URL	AV Detection
URLs found in memory or binary data	Networking

http://zqamcx.com

unknown

Details

Name:	http://zqamcx.com
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.2894103472.00000000032DE000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for domain / URL	AV Detection
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\z25RFQ945894-PDF.exe
Source:	z25RFQ945894-PDF.exe, 00000000.00000002.1664669287.0000000001160000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2893009529.0000000000402000.00000040.80000000.00040000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://r11.o.lencr.org0#

unknown

Details

Name:	http://r11.o.lencr.org0#
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.2894103472.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2893472088.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2895612844.0000000006730000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://r11.i.lencr.org/0#

unknown

Details

Name:	http://r11.i.lencr.org/0#
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.2894103472.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2893472088.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2895612844.0000000006730000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://x1.c.lencr.org/0

unknown

Details

Name:	http://x1.c.lencr.org/0
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.2894103472.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2893472088.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2895612844.0000000006730000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://x1.i.lencr.org/0

unknown

Details

Name:	http://x1.i.lencr.org/0
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.2894103472.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2893472088.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2895612844.0000000006730000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

zqamcx.com

78.110.166.82

Details

Name:	zqamcx.com
IP:	78.110.166.82
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

mail.zqamcx.com

unknown

Details

Name:	mail.zqamcx.com
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for domain / URL	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

15.164.165.52.in-addr.arpa

unknown

IPs

Domain

Country

Malicious

78.110.166.82

zqamcx.com

United Kingdom

Details

IP:	78.110.166.82
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	42831
ASN name:	UKSERVERS-ASUKDedicatedServersHostingandCo-Location
Private:	false
Domain:	zqamcx.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

Memdumps

Base Address

Regiontype

Protect

Malicious

402000

system

page execute and read and write

32DE000

trusted library allocation

page read and write

3308000

trusted library allocation

page read and write

1160000

direct allocation

page read and write

3291000

trusted library allocation

page read and write

3C70000

direct allocation

page read and write

3BF3000

direct allocation

page read and write

3D99000

direct allocation

page read and write

11F9000

heap

page read and write

18EC000

stack

page read and write

5D50000

trusted library allocation

page read and write

123C000

heap

page execute and read and write

221000

unkown

page execute read

3D9D000

direct allocation

page read and write

5D4C000

trusted library allocation

page read and write

13E5000

heap

page read and write

1355000

heap

page read and write

11E2000

heap

page read and write

1370000

heap

page read and write

135F000

heap

page read and write

3694000

heap

page read and write

1406000

heap

page read and write

123D000

heap

page read and write

FFC000

stack

page read and write

13AC000

heap

page read and write

6795000

heap

page read and write

3D9D000

direct allocation

page read and write

2D4000

unkown

page readonly

1214000

heap

page read and write

3C70000

direct allocation

page read and write

1308000

heap

page read and write

FCF000

stack

page read and write

5D60000

trusted library allocation

page read and write

57D0000

heap

page read and write

141F000

heap

page read and write

12C2000

heap

page read and write

145E000

heap

page read and write

1454000

heap

page read and write

3310000

trusted library allocation

page read and write

5298000

trusted library allocation

page read and write

1214000

heap

page read and write

3D99000

direct allocation

page read and write

1722000

trusted library allocation

page read and write

400000

system

page execute and read and write

145F000

heap

page read and write

1DBE000

stack

page read and write

9DE000

stack

page read and write

2E7000

unkown

page readonly

13BD000

heap

page read and write

1340000

heap

page read and write

16C0000

heap

page read and write

57AC000

stack

page read and write

3304000

trusted library allocation

page read and write

1497000

heap

page read and write

1219000

heap

page read and write

31E0000

trusted library allocation

page read and write

3BF3000

direct allocation

page read and write

5D66000

trusted library allocation

page read and write

123D000

heap

page read and write

1426000

heap

page read and write

1214000

heap

page read and write

13F9000

heap

page read and write

642F000

stack

page read and write

3AD0000

direct allocation

page read and write

3D99000

direct allocation

page read and write

3BF3000

direct allocation

page read and write

3240000

heap

page read and write

1487000

heap

page read and write

6720000

trusted library allocation

page read and write

3E0E000

direct allocation

page read and write

1406000

heap

page read and write

6670000

trusted library allocation

page execute and read and write

1454000

heap

page read and write

1394000

heap

page read and write

5B4E000

stack

page read and write

13D4000

heap

page read and write

1242000

heap

page read and write

3221000

trusted library allocation

page read and write

6FD0000

trusted library allocation

page execute and read and write

14D7000

heap

page read and write

134F000

heap

page read and write

542D000

stack

page read and write

3D9D000

direct allocation

page read and write

14C0000

heap

page read and write

1430000

heap

page read and write

16F0000

trusted library allocation

page read and write

1840000

trusted library allocation

page read and write

3280000

heap

page read and write

12F9000

stack

page read and write

2DE000

unkown

page write copy

322D000

trusted library allocation

page read and write

147F000

heap

page read and write

137B000

heap

page read and write

18AE000

stack

page read and write

1703000

trusted library allocation

page execute and read and write

1845000

trusted library allocation

page execute and read and write

7FDE0000

trusted library allocation

page execute and read and write

1383000

heap

page read and write

11C8000

heap

page read and write

670F000

stack

page read and write

5D18000

trusted library allocation

page read and write

3AD0000

direct allocation

page read and write

11F1000

heap

page read and write

184B000

trusted library allocation

page execute and read and write

6717000

trusted library allocation

page read and write

13D4000

heap

page read and write

133C000

heap

page read and write

1301000

heap

page read and write

3BF3000

direct allocation

page read and write

1262000

heap

page read and write

4291000

trusted library allocation

page read and write

31F0000

heap

page execute and read and write

1441000

heap

page read and write

221000

unkown

page execute read

3200000

trusted library allocation

page read and write

3D9D000

direct allocation

page read and write

990000

heap

page read and write

1430000

heap

page read and write

139D000

heap

page read and write

12D1000

heap

page read and write

1498000

heap

page read and write

59CC000

stack

page read and write

3E0E000

direct allocation

page read and write

1454000

heap

page read and write

134E000

heap

page read and write

FDB000

stack

page read and write

1476000

heap

page read and write

1343000

heap

page read and write

13B4000

heap

page read and write

170D000

trusted library allocation

page execute and read and write

18F0000

trusted library allocation

page execute and read and write

42B9000

trusted library allocation

page read and write

13DF000

heap

page read and write

31D0000

trusted library allocation

page read and write

3AD0000

direct allocation

page read and write

32F7000

trusted library allocation

page read and write

32DC000

trusted library allocation

page read and write

FBA000

stack

page read and write

13FB000

heap

page read and write

6710000

trusted library allocation

page read and write

1355000

heap

page read and write

320B000

trusted library allocation

page read and write

12BE000

heap

page read and write

1243000

heap

page read and write

1860000

trusted library allocation

page read and write

1428000

heap

page read and write

14AE000

heap

page read and write

1467000

heap

page read and write

3AD0000

direct allocation

page read and write

1394000

heap

page read and write

1150000

heap

page read and write

140E000

heap

page read and write

122C000

heap

page read and write

14C0000

heap

page read and write

7210000

heap

page read and write

6D6E000

stack

page read and write

1730000

heap

page read and write

122C000

heap

page read and write

148E000

heap

page read and write

2AF000

unkown

page readonly

11F1000

heap

page read and write

9E0000

heap

page read and write

2D4000

unkown

page readonly

1704000

trusted library allocation

page read and write

68B0000

trusted library allocation

page read and write

1330000

heap

page read and write

3E0E000

direct allocation

page read and write

666E000

stack

page read and write

12E1000

heap

page read and write

3C70000

direct allocation

page read and write

3690000

heap

page read and write

144A000

heap

page read and write

2AF000

unkown

page readonly

11C0000

heap

page read and write

147C000

heap

page read and write

1417000

heap

page read and write

5C8E000

stack

page read and write

5C4E000

stack

page read and write

144A000

heap

page read and write

1120000

heap

page read and write

3243000

heap

page read and write

3212000

trusted library allocation

page read and write

1407000

heap

page read and write

137A000

heap

page read and write

3BF3000

direct allocation

page read and write

2E7000

unkown

page readonly

320E000

trusted library allocation

page read and write

1320000

heap

page read and write

1242000

heap

page read and write

5A0E000

stack

page read and write

13F0000

heap

page read and write

1425000

heap

page read and write

3D9D000

direct allocation

page read and write

31B0000

trusted library allocation

page read and write

5B0F000

stack

page read and write

5D10000

trusted library allocation

page read and write

3226000

trusted library allocation

page read and write

1370000

heap

page read and write

146E000

heap

page read and write

5D70000

trusted library allocation

page execute and read and write

1726000

trusted library allocation

page execute and read and write

3C70000

direct allocation

page read and write

1241000

heap

page read and write

3E0E000

direct allocation

page read and write

1847000

trusted library allocation

page execute and read and write

13AC000

heap

page read and write

1242000

heap

page read and write

19BE000

stack

page read and write

140E000

heap

page read and write

3D99000

direct allocation

page read and write

122C000

heap

page read and write

2E2000

unkown

page write copy

11F1000

heap

page read and write

5D40000

trusted library allocation

page read and write

6A6D000

stack

page read and write

148E000

heap

page read and write

1496000

heap

page read and write

141A000

heap

page read and write

121C000

heap

page read and write

3E0E000

direct allocation

page read and write

3D99000

direct allocation

page read and write

1496000

heap

page read and write

2DE000

unkown

page read and write

220000

unkown

page readonly

1345000

heap

page read and write

11F2000

heap

page read and write

14C2000

heap

page read and write

1439000

heap

page read and write

3D99000

direct allocation

page read and write

1311000

heap

page read and write

1710000

trusted library allocation

page read and write

3E0E000

direct allocation

page read and write

220000

unkown

page readonly

1366000

heap

page read and write

3AD0000

direct allocation

page read and write

6730000

heap

page read and write

1394000

heap

page read and write

3AD0000

direct allocation

page read and write

3D9D000

direct allocation

page read and write

321A000

trusted library allocation

page read and write

31C0000

trusted library allocation

page read and write

172A000

trusted library allocation

page execute and read and write

1406000

heap

page read and write

1476000

heap

page read and write

144A000

heap

page read and write

1430000

heap

page read and write

6FC0000

heap

page read and write

1842000

trusted library allocation

page read and write

123A000

heap

page read and write

6E6E000

stack

page read and write

12C2000

heap

page read and write

1700000

trusted library allocation

page read and write

1454000

heap

page read and write

1204000

heap

page read and write

11F9000

heap

page read and write

98E000

stack

page read and write

11FD000

heap

page read and write

940000

heap

page read and write

11FD000

heap

page read and write

138A000

heap

page read and write

686D000

stack

page read and write

FBF000

stack

page read and write

13DE000

heap

page read and write

3BF3000

direct allocation

page read and write

120C000

heap

page read and write

13D5000

heap

page read and write

57C0000

heap

page execute and read and write

1900000

heap

page read and write

3C70000

direct allocation

page read and write

8DA000

stack

page read and write

31AF000

stack

page read and write

11FD000

heap

page read and write

42FC000

trusted library allocation

page read and write

13F8000

heap

page read and write

321E000

trusted library allocation

page read and write

131E000

heap

page read and write

3C70000

direct allocation

page read and write

12D0000

heap

page read and write

1406000

heap

page read and write

122C000

heap

page read and write

1467000

heap

page read and write

171D000

trusted library allocation

page execute and read and write

1720000

trusted library allocation

page read and write

13E5000

heap

page read and write

144A000

heap

page read and write

133C000

heap

page read and write

There are 276 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
z25RFQ945894-PDF.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportz25RFQ945894-PDF.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
z25RFQ945894-PDF.exe