Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

lkOawAWJRO.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	5.315284808680583
Filename:	lkOawAWJRO.exe
Filesize:	6840320
MD5:	1b05ebbfcec15b251b93721338e525c8
SHA1:	475e17fb4ea6e1d41b18086c541c338b862e1bf4
SHA256:	ab30569e57ecb3c3d674890e89a90bebe8884071053a48c2a18dbf8ffc8aa7c3
SHA512:	4a947908cd362d359b76d7b8a7cf16635a0712ad35e0fe787441ca07f4d56eedd8f08ed5e04983f9d390efa30bae7e7e27f6d2328baa505a06435a26a720f150
SSDEEP:	49152:bJlOWXpWa3IO7tr7ppOdVDFQejeP7eevRwk8pJ4bK5l1dCSzbL7YI4oCK6yjzcwp:bJlzFP7hCVhQeSP7eepwbpJ4b
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...............(..H..\h...............H...@...........................h.....*.h...@... ............................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Drops large PE files	System Summary
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Contains capabilities to detect virtual machines	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE file contains sections with non-standard names	Data Obfuscation
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Enumerates the file system	Spreading, Malware Analysis System Evasion	File and Directory Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\service123.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\service123.exe
Category:	dropped
Dump:	service123.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\lkOawAWJRO.exe
Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	0.0023405856158797084
Encrypted:	false
Size:	314617856
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion	Native API
Found stalling execution ending in API Sleep call	Malware Analysis System Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to register its own exception handler	Anti Debugging
Creates mutexes	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Temp\FuLvJKHyBveQGVRTqGwm.dll

PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\FuLvJKHyBveQGVRTqGwm.dll
Category:	dropped
Dump:	FuLvJKHyBveQGVRTqGwm.dll.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\lkOawAWJRO.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	0.054352357918072115
Encrypted:	false
Ssdeep:	24576:enUSRBO/35zIY7/KcNtHoptIIRvmd48WPn/T3fMoV7FcRlNVE:fBIZmNWPnzflVBcRlNVE
Size:	315803136
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\lkOawAWJRO.exe

"C:\Users\user\Desktop\lkOawAWJRO.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5648
Target ID:	0
Parent PID:	1028
Name:	lkOawAWJRO.exe
Path:	C:\Users\user\Desktop\lkOawAWJRO.exe
Commandline:	"C:\Users\user\Desktop\lkOawAWJRO.exe"
Size:	6840320
MD5:	1B05EBBFCEC15B251B93721338E525C8
Time:	06:30:01
Date:	12/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x140000
Modulesize:	6868992
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Yara detected Cryptbot	Stealing of Sensitive Information, Remote Access Functionality
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\service123.exe

"C:\Users\user\AppData\Local\Temp\service123.exe"

Details

Is windows:	false
Is dropped:	true
PID:	1048
Target ID:	5
Parent PID:	5648
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\service123.exe"
Size:	314617856
MD5:	751D09B372396BF3012988CD55D9E27E
Time:	06:31:02
Date:	12/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x6c0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

Details

Is windows:	true
Is dropped:	false
PID:	6432
Target ID:	6
Parent PID:	5648
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\schtasks.exe
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Size:	187904
MD5:	48C2FE20575769DE916F48EF0676A965
Time:	06:31:02
Date:	12/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xeb0000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\service123.exe

C:\Users\user\AppData\Local\Temp\/service123.exe

Details

Is windows:	false
Is dropped:	true
PID:	1628
Target ID:	8
Parent PID:	1068
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Size:	314617856
MD5:	751D09B372396BF3012988CD55D9E27E
Time:	06:31:05
Date:	12/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x6c0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\service123.exe

C:\Users\user\AppData\Local\Temp\/service123.exe

Details

Is windows:	false
Is dropped:	true
PID:	5672
Target ID:	9
Parent PID:	1068
Name:	service123.exe
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Size:	314617856
MD5:	751D09B372396BF3012988CD55D9E27E
Time:	06:32:03
Date:	12/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x6c0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Clipboard Hijacker	Stealing of Sensitive Information
Drops large PE files	System Summary
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	1848
Target ID:	7
Parent PID:	6432
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	06:31:02
Date:	12/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

analforeverlovyu.top

+sevtvr17pt.top

sevtvr17pt.top

http://sevtvr17pt.top/

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

https://duckduckgo.com/chrome_newtab

unknown

https://gcc.gnu.org/bugs/):

unknown

https://keruzam.com/update.php?compName

unknown

http://sevtvr17pt.top/v1/upload.php

unknown

https://duckduckgo.com/ac/?q=

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

http://sevtvr17pt.top:80/v1/upload.php

unknown

https://keruzam.com/update.php?compName=

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://www.ecosia.org/newtab/

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

There are 8 hidden URLs, click here to show them.

Domains

Name

Malicious

sevtvr17pt.top

80.66.81.78

Details

Name:	sevtvr17pt.top
IP:	80.66.81.78
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

80.66.81.78

sevtvr17pt.top

Russian Federation

Details

IP:	80.66.81.78
TargetID:	0
Current Path:	C:\Users\user\Desktop\lkOawAWJRO.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	202984
ASN name:	TEAM-HOSTASRU
Private:	false
Domain:	sevtvr17pt.top

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

4106000

heap

page read and write

6A03A000

direct allocation

page read and write

18A3000

heap

page read and write

6A043000

direct allocation

page read and write

6B1000

unkown

page read and write

6C1000

unkown

page execute read

74C000

unkown

page readonly

1248000

heap

page read and write

1110000

heap

page read and write

18C8000

heap

page read and write

75F000

unkown

page read and write

1883000

heap

page read and write

6C0000

unkown

page readonly

E73000

heap

page read and write

148D000

stack

page read and write

D89B000

heap

page read and write

E15000

heap

page read and write

6C0000

unkown

page readonly

E32000

heap

page read and write

3CAE000

stack

page read and write

187E000

heap

page read and write

9FF000

stack

page read and write

C28000

stack

page read and write

6A2F9000

direct allocation

page read and write

9BE000

stack

page read and write

E74000

heap

page read and write

E0A000

heap

page read and write

6CE000

unkown

page read and write

E18000

heap

page read and write

69B000

unkown

page write copy

6A05B000

direct allocation

page read and write

D20000

heap

page read and write

18B0000

heap

page read and write

6A8000

unkown

page read and write

6CE000

unkown

page write copy

DF4000

heap

page read and write

133E000

stack

page read and write

6A0000

heap

page read and write

D831000

heap

page read and write

1210000

heap

page read and write

D85B000

heap

page read and write

6D1000

unkown

page readonly

6B4000

unkown

page read and write

6D1000

unkown

page readonly

6AD000

unkown

page write copy

CC0000

heap

page read and write

E6B000

heap

page read and write

8E0000

heap

page read and write

18A3000

heap

page read and write

113E000

stack

page read and write

6A375000

direct allocation

page read and write

1873000

heap

page read and write

140000

unkown

page readonly

6C211000

unkown

page execute read

69CC0000

direct allocation

page read and write

B10000

heap

page read and write

E0A000

heap

page read and write

1240000

heap

page read and write

18A4000

heap

page read and write

D8E4000

heap

page read and write

18C6000

heap

page read and write

BDC000

stack

page read and write

DAC000

stack

page read and write

18A3000

heap

page read and write

DC0000

heap

page read and write

6D1000

unkown

page readonly

13F0000

heap

page read and write

187E000

heap

page read and write

69CF3000

direct allocation

page read and write

E3E000

heap

page read and write

D8DB000

heap

page read and write

18BB000

heap

page read and write

DCE000

heap

page read and write

6A056000

direct allocation

page read and write

E7E000

heap

page read and write

14B0000

remote allocation

page read and write

18B5000

heap

page read and write

E28000

heap

page read and write

DED000

heap

page read and write

14B0000

remote allocation

page read and write

168E000

stack

page read and write

6C339000

unkown

page read and write

6A040000

direct allocation

page read and write

3EEE000

stack

page read and write

40EF000

stack

page read and write

141000

unkown

page execute read

18B7000

heap

page read and write

65C000

stack

page read and write

1F55000

heap

page read and write

186F000

heap

page read and write

18C0000

heap

page read and write

18C3000

heap

page read and write

188F000

stack

page read and write

6B2000

unkown

page write copy

6CA000

unkown

page readonly

6C1000

unkown

page execute read

443F000

stack

page read and write

1873000

heap

page read and write

6CE000

unkown

page read and write

6CA000

unkown

page readonly

187D000

heap

page read and write

69C000

unkown

page write copy

CC5000

heap

page read and write

18AA000

heap

page read and write

37DD000

stack

page read and write

E6D000

heap

page read and write

59A000

stack

page read and write

11EE000

heap

page read and write

75F000

unkown

page write copy

6CA000

unkown

page readonly

1220000

heap

page read and write

E0D000

heap

page read and write

D764000

heap

page read and write

18A9000

heap

page read and write

E6B000

heap

page read and write

1900000

heap

page read and write

C57000

stack

page read and write

6A372000

direct allocation

page read and write

6CE000

unkown

page write copy

E18000

heap

page read and write

11E0000

heap

page read and write

6B6000

unkown

page write copy

3800000

heap

page read and write

E26000

heap

page read and write

1347000

heap

page read and write

E0A000

heap

page read and write

55D000

stack

page read and write

447B000

stack

page read and write

14C6000

heap

page read and write

A6B000

heap

page read and write

1A90000

heap

page read and write

E30000

heap

page read and write

E46000

heap

page read and write

E28000

heap

page read and write

18D3000

heap

page read and write

6C1000

unkown

page execute read

D84A000

heap

page read and write

C42000

stack

page read and write

D830000

heap

page read and write

D555000

heap

page read and write

807000

heap

page read and write

DA0000

heap

page read and write

140000

unkown

page readonly

6D1000

unkown

page readonly

6D1000

unkown

page readonly

A9C000

stack

page read and write

18AA000

heap

page read and write

69DF5000

direct allocation

page read and write

DF4000

heap

page read and write

185E000

heap

page read and write

6B0000

heap

page read and write

6C1000

unkown

page execute read

11EA000

heap

page read and write

18AE000

heap

page read and write

E3B000

heap

page read and write

DED000

heap

page read and write

E18000

heap

page read and write

3EAF000

stack

page read and write

D831000

heap

page read and write

18BA000

heap

page read and write

D849000

heap

page read and write

164F000

stack

page read and write

1810000

heap

page read and write

6CA000

unkown

page readonly

14C0000

heap

page read and write

6D1000

unkown

page readonly

D89B000

heap

page read and write

DF4000

heap

page read and write

E46000

heap

page read and write

1876000

heap

page read and write

69E34000

direct allocation

page read and write

69CC1000

direct allocation

page execute read

186C000

heap

page read and write

E46000

heap

page read and write

18A4000

heap

page read and write

D8E4000

heap

page read and write

DC45000

heap

page read and write

E16000

heap

page read and write

6CA000

unkown

page readonly

6CE000

unkown

page write copy

380A000

heap

page read and write

69B000

unkown

page read and write

FFD000

stack

page read and write

18D3000

heap

page read and write

6B8000

unkown

page read and write

144E000

stack

page read and write

A60000

heap

page read and write

D8A3000

heap

page read and write

191D000

heap

page read and write

3A6D000

stack

page read and write

97F000

unkown

page read and write

18CE000

heap

page read and write

800000

heap

page read and write

6C0000

unkown

page readonly

1879000

heap

page read and write

5CD000

unkown

page write copy

3C6D000

stack

page read and write

467C000

stack

page read and write

74C000

unkown

page readonly

6C2ED000

unkown

page read and write

5CC000

unkown

page write copy

B00000

heap

page read and write

6C0000

unkown

page readonly

141000

unkown

page execute read

93E000

unkown

page read and write

6C1000

unkown

page execute read

DAB0000

heap

page read and write

6AE000

unkown

page read and write

10FF000

stack

page read and write

18A3000

heap

page read and write

6A04A000

direct allocation

page read and write

6A048000

direct allocation

page read and write

A5B000

stack

page read and write

5D2000

unkown

page read and write

7F0000

heap

page read and write

CB0000

heap

page read and write

1873000

heap

page read and write

E18000

heap

page read and write

E76000

heap

page read and write

144D000

stack

page read and write

6A364000

direct allocation

page readonly

E36000

heap

page read and write

6C33C000

unkown

page readonly

6C0000

unkown

page readonly

187E000

heap

page read and write

800000

heap

page read and write

6CE000

unkown

page read and write

8F0000

heap

page read and write

BF6000

stack

page read and write

6C1000

unkown

page execute read

E6D000

heap

page read and write

AF0000

heap

page read and write

6C210000

unkown

page readonly

5CC000

unkown

page read and write

762000

unkown

page readonly

D831000

heap

page read and write

187E000

heap

page read and write

EFE000

stack

page read and write

D8E4000

heap

page read and write

11FC000

stack

page read and write

18D3000

heap

page read and write

E69000

heap

page read and write

E18000

heap

page read and write

DA31000

heap

page read and write

18A3000

heap

page read and write

6C338000

unkown

page readonly

18A4000

heap

page read and write

B30000

heap

page read and write

E16000

heap

page read and write

6AF000

unkown

page write copy

E1C2000

heap

page read and write

D839000

heap

page read and write

45C000

stack

page read and write

E69000

heap

page read and write

E16000

heap

page read and write

69FF9000

direct allocation

page read and write

14B0000

remote allocation

page read and write

DF0000

heap

page read and write

6C0000

unkown

page readonly

423E000

stack

page read and write

18A4000

heap

page read and write

DCA000

heap

page read and write

DB0000

heap

page read and write

6A03C000

direct allocation

page read and write

762000

unkown

page readonly

6C2EF000

unkown

page readonly

6CA000

unkown

page readonly

DCBE000

stack

page read and write

C0E000

stack

page read and write

141000

unkown

page execute read

1878000

heap

page read and write

There are 261 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
lkOawAWJRO.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportlkOawAWJRO.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
lkOawAWJRO.exe