Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

z17Mz7zumpwTUMRxyS.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.633026498789311
Filename:	z17Mz7zumpwTUMRxyS.exe
Filesize:	694272
MD5:	337574f09ff0a772aedbd6f7c2064496
SHA1:	f24b5b9369763cc23758407fa1729294750d8e5e
SHA256:	96bfa7096fb76234a5774f70dc444d719c7553ac83db00fdbb04c1eec318d4c4
SHA512:	2cf83e21895266cf05e65bc4934c09c8aba59fe9a1db62b07ec2dd4e463d5a4555d46c1e1ae74447c7c5e120885d72027ec763fb32634ba63441ef9e519d3d26
SSDEEP:	12288:tn9Inte+7jOOIQ7vCSfm5F28BaaiR+fzszuSFtQhU1atc2/Q4AyrrRPdw:tK7tIS8QaikfgqSFtcUUa2o4JPd
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....#g..............0..n...(........... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Abnormal high CPU Usage	System Summary
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z17Mz7zumpwTUMRxyS.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z17Mz7zumpwTUMRxyS.exe.log
Category:	dropped
Dump:	z17Mz7zumpwTUMRxyS.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\z17Mz7zumpwTUMRxyS.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\z17Mz7zumpwTUMRxyS.exe

"C:\Users\user\Desktop\z17Mz7zumpwTUMRxyS.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6368
Target ID:	0
Parent PID:	4004
Name:	z17Mz7zumpwTUMRxyS.exe
Path:	C:\Users\user\Desktop\z17Mz7zumpwTUMRxyS.exe
Commandline:	"C:\Users\user\Desktop\z17Mz7zumpwTUMRxyS.exe"
Size:	694272
MD5:	337574F09FF0A772AEDBD6F7C2064496
Time:	13:31:56
Date:	31/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x950000
Modulesize:	720896
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\z17Mz7zumpwTUMRxyS.exe

"C:\Users\user\Desktop\z17Mz7zumpwTUMRxyS.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5692
Target ID:	3
Parent PID:	6368
Name:	z17Mz7zumpwTUMRxyS.exe
Path:	C:\Users\user\Desktop\z17Mz7zumpwTUMRxyS.exe
Commandline:	"C:\Users\user\Desktop\z17Mz7zumpwTUMRxyS.exe"
Size:	694272
MD5:	337574F09FF0A772AEDBD6F7C2064496
Time:	13:31:58
Date:	31/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x320000
Modulesize:	720896
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\z17Mz7zumpwTUMRxyS.exe

"C:\Users\user\Desktop\z17Mz7zumpwTUMRxyS.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5712
Target ID:	4
Parent PID:	6368
Name:	z17Mz7zumpwTUMRxyS.exe
Path:	C:\Users\user\Desktop\z17Mz7zumpwTUMRxyS.exe
Commandline:	"C:\Users\user\Desktop\z17Mz7zumpwTUMRxyS.exe"
Size:	694272
MD5:	337574F09FF0A772AEDBD6F7C2064496
Time:	13:31:58
Date:	31/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xea0000
Modulesize:	720896
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://reallyfreegeoip.org

unknown

http://reallyfreegeoip.orgX

unknown

https://reallyfreegeoip.org/xml/173.254.250.77$

unknown

http://checkip.dyndns.org

unknown

http://checkip.dyndns.org/

132.226.247.73

http://checkip.dyndns.com

unknown

https://reallyfreegeoip.org/xml/173.254.250.77

188.114.96.3

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://checkip.dyndns.org/q

unknown

http://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 1 hidden URLs, click here to show them.

Domains

Name

Malicious

reallyfreegeoip.org

188.114.96.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.96.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Suricata IDS alerts with low severity for network traffic	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

132.226.247.73

IPs

Domain

Country

Malicious

188.114.96.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.96.3
TargetID:	4
Current Path:	C:\Users\user\Desktop\z17Mz7zumpwTUMRxyS.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

132.226.247.73

checkip.dyndns.com

United States

Details

IP:	132.226.247.73
TargetID:	4
Current Path:	C:\Users\user\Desktop\z17Mz7zumpwTUMRxyS.exe
Country:	United States
Countrycode:	USA
ASN number:	16989
ASN name:	UTMEMUS
Private:	false
Domain:	checkip.dyndns.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z17Mz7zumpwTUMRxyS_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z17Mz7zumpwTUMRxyS_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z17Mz7zumpwTUMRxyS_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z17Mz7zumpwTUMRxyS_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z17Mz7zumpwTUMRxyS_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z17Mz7zumpwTUMRxyS_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z17Mz7zumpwTUMRxyS_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z17Mz7zumpwTUMRxyS_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z17Mz7zumpwTUMRxyS_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z17Mz7zumpwTUMRxyS_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z17Mz7zumpwTUMRxyS_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z17Mz7zumpwTUMRxyS_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z17Mz7zumpwTUMRxyS_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\z17Mz7zumpwTUMRxyS_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

3361000

trusted library allocation

page read and write

352F000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

4A0A000

trusted library allocation

page read and write

3625000

trusted library allocation

page read and write

2EB0000

trusted library allocation

page read and write

56CA000

trusted library allocation

page read and write

5723000

heap

page read and write

1835000

trusted library allocation

page execute and read and write

3418000

trusted library allocation

page read and write

71E0000

trusted library allocation

page execute and read and write

6EF0000

trusted library allocation

page read and write

E40000

heap

page read and write

7314000

heap

page read and write

1810000

trusted library allocation

page read and write

6F00000

trusted library allocation

page execute and read and write

6D8F000

stack

page read and write

2EA0000

trusted library allocation

page read and write

5720000

heap

page read and write

5EC0000

heap

page read and write

EE8E000

stack

page read and write

EB10000

heap

page read and write

580E000

stack

page read and write

D87000

stack

page read and write

58F0000

trusted library allocation

page read and write

74EE000

stack

page read and write

1420000

heap

page read and write

16DE000

stack

page read and write

112B000

trusted library allocation

page execute and read and write

57CE000

stack

page read and write

56B6000

trusted library allocation

page read and write

180D000

trusted library allocation

page execute and read and write

34B2000

trusted library allocation

page read and write

1803000

trusted library allocation

page execute and read and write

2E90000

trusted library allocation

page read and write

17DF000

stack

page read and write

3512000

trusted library allocation

page read and write

2ED0000

trusted library allocation

page read and write

9FA000

unkown

page readonly

17F0000

trusted library allocation

page read and write

EB0D000

stack

page read and write

E8E000

stack

page read and write

1850000

trusted library allocation

page read and write

10F0000

trusted library allocation

page read and write

1116000

trusted library allocation

page execute and read and write

10F4000

trusted library allocation

page read and write

2F00000

heap

page execute and read and write

169E000

stack

page read and write

53E0000

trusted library allocation

page read and write

ED8D000

stack

page read and write

35F4000

trusted library allocation

page read and write

F0E000

heap

page read and write

694E000

stack

page read and write

34B6000

trusted library allocation

page read and write

1820000

trusted library allocation

page read and write

3455000

trusted library allocation

page read and write

2E7E000

trusted library allocation

page read and write

7320000

heap

page read and write

6EF3000

trusted library allocation

page read and write

31A0000

heap

page read and write

10FD000

trusted library allocation

page execute and read and write

7C8F000

stack

page read and write

1804000

trusted library allocation

page read and write

56CE000

trusted library allocation

page read and write

71A1000

trusted library allocation

page read and write

55F0000

trusted library section

page readonly

35AC000

trusted library allocation

page read and write

6F10000

trusted library allocation

page execute and read and write

14A0000

heap

page read and write

7DCF000

stack

page read and write

F45000

heap

page read and write

7F5E0000

trusted library allocation

page execute and read and write

1430000

heap

page read and write

43EF000

trusted library allocation

page read and write

6EFF000

trusted library allocation

page read and write

1180000

heap

page read and write

6F90000

trusted library allocation

page read and write

58DE000

stack

page read and write

43E5000

trusted library allocation

page read and write

5600000

heap

page read and write

34BB000

trusted library allocation

page read and write

57CD000

stack

page read and write

1410000

heap

page read and write

1587000

heap

page read and write

1826000

trusted library allocation

page execute and read and write

2EC0000

heap

page read and write

138F000

stack

page read and write

3350000

heap

page execute and read and write

F08000

heap

page read and write

1160000

trusted library allocation

page read and write

74E0000

heap

page read and write

5580000

heap

page execute and read and write

147E000

stack

page read and write

6AB1000

heap

page read and write

56A0000

trusted library allocation

page read and write

128E000

stack

page read and write

183B000

trusted library allocation

page execute and read and write

34F3000

trusted library allocation

page read and write

5730000

trusted library allocation

page read and write

319E000

stack

page read and write

5390000

heap

page read and write

14D6000

heap

page read and write

35B5000

trusted library allocation

page read and write

6F20000

trusted library allocation

page read and write

6DCE000

stack

page read and write

1830000

trusted library allocation

page read and write

1140000

trusted library allocation

page read and write

35E2000

trusted library allocation

page read and write

ED4E000

stack

page read and write

6EDB000

trusted library allocation

page read and write

10E0000

trusted library allocation

page read and write

6A4E000

stack

page read and write

5BAE000

stack

page read and write

6ED6000

trusted library allocation

page read and write

3466000

trusted library allocation

page read and write

35A2000

trusted library allocation

page read and write

2EB5000

trusted library allocation

page read and write

3424000

trusted library allocation

page read and write

2E5B000

stack

page read and write

7B8E000

stack

page read and write

56E2000

trusted library allocation

page read and write

730E000

heap

page read and write

6ABB000

heap

page read and write

7ECF000

stack

page read and write

359C000

trusted library allocation

page read and write

334D000

stack

page read and write

1837000

trusted library allocation

page execute and read and write

5815000

heap

page read and write

5700000

trusted library allocation

page read and write

181D000

trusted library allocation

page execute and read and write

305E000

stack

page read and write

5EE0000

heap

page read and write

182A000

trusted library allocation

page execute and read and write

1100000

trusted library allocation

page read and write

3521000

trusted library allocation

page read and write

EB7000

heap

page read and write

7346000

heap

page read and write

6C0E000

stack

page read and write

5360000

heap

page read and write

1170000

trusted library allocation

page read and write

2E8D000

trusted library allocation

page read and write

56DD000

trusted library allocation

page read and write

1860000

trusted library allocation

page execute and read and write

400000

remote allocation

page execute and read and write

5590000

trusted library allocation

page read and write

B960000

trusted library section

page read and write

717E000

stack

page read and write

5810000

heap

page read and write

72FE000

stack

page read and write

34AE000

trusted library allocation

page read and write

DF0000

heap

page read and write

2D70000

heap

page read and write

35BE000

trusted library allocation

page read and write

6ED0000

trusted library allocation

page read and write

2E60000

trusted library allocation

page read and write

FDA000

stack

page read and write

E3E000

stack

page read and write

7010000

trusted library allocation

page execute and read and write

5EB0000

heap

page read and write

2EF0000

trusted library allocation

page read and write

346A000

trusted library allocation

page read and write

DE0000

heap

page read and write

1330000

heap

page read and write

950000

unkown

page readonly

53A0000

trusted library allocation

page execute and read and write

3597000

trusted library allocation

page read and write

F27000

heap

page read and write

56F4000

trusted library allocation

page read and write

6EE0000

trusted library allocation

page execute and read and write

5BEE000

stack

page read and write

500C000

stack

page read and write

5870000

heap

page read and write

53B0000

trusted library allocation

page read and write

5780000

heap

page execute and read and write

34A6000

trusted library allocation

page read and write

5CDE000

trusted library allocation

page read and write

3462000

trusted library allocation

page read and write

4361000

trusted library allocation

page read and write

349E000

trusted library allocation

page read and write

1870000

heap

page read and write

71D0000

trusted library allocation

page read and write

F99000

heap

page read and write

43FD000

trusted library allocation

page read and write

12F7000

stack

page read and write

111A000

trusted library allocation

page execute and read and write

34C8000

trusted library allocation

page read and write

71F0000

trusted library allocation

page execute and read and write

1150000

trusted library allocation

page execute and read and write

6D4E000

stack

page read and write

56BE000

trusted library allocation

page read and write

476A000

trusted library allocation

page read and write

55EB000

stack

page read and write

6ED8000

trusted library allocation

page read and write

2F11000

trusted library allocation

page read and write

345E000

trusted library allocation

page read and write

56D1000

trusted library allocation

page read and write

56BB000

trusted library allocation

page read and write

2EC3000

heap

page read and write

43CA000

trusted library allocation

page read and write

315E000

stack

page read and write

56D6000

trusted library allocation

page read and write

3F19000

trusted library allocation

page read and write

2FD5000

trusted library allocation

page read and write

6FBE000

heap

page read and write

6F30000

trusted library allocation

page read and write

1127000

trusted library allocation

page execute and read and write

34E5000

trusted library allocation

page read and write

5610000

heap

page read and write

1112000

trusted library allocation

page read and write

EB0000

heap

page read and write

3F55000

trusted library allocation

page read and write

1528000

heap

page read and write

2D88000

trusted library allocation

page read and write

5CD0000

trusted library allocation

page read and write

10F3000

trusted library allocation

page execute and read and write

2C6E000

stack

page read and write

638F000

stack

page read and write

71A6000

trusted library allocation

page read and write

5620000

trusted library allocation

page execute and read and write

6A50000

heap

page read and write

5CB0000

trusted library allocation

page read and write

34AA000

trusted library allocation

page read and write

43FB000

trusted library allocation

page read and write

F00000

heap

page read and write

1103000

trusted library allocation

page read and write

5CC0000

trusted library allocation

page execute and read and write

7560000

trusted library allocation

page read and write

1120000

trusted library allocation

page read and write

350E000

trusted library allocation

page read and write

6FB0000

heap

page read and write

6BCE000

stack

page read and write

1598000

heap

page read and write

7590000

trusted library allocation

page execute and read and write

148F000

stack

page read and write

EA0D000

stack

page read and write

2D6E000

stack

page read and write

3427000

trusted library allocation

page read and write

71C0000

trusted library allocation

page execute and read and write

56B0000

trusted library allocation

page read and write

EFE000

stack

page read and write

1110000

trusted library allocation

page read and write

7300000

heap

page read and write

30EB000

trusted library allocation

page read and write

1122000

trusted library allocation

page read and write

7CCE000

stack

page read and write

1832000

trusted library allocation

page read and write

7570000

trusted library allocation

page read and write

6ECE000

stack

page read and write

6EFA000

trusted library allocation

page read and write

1800000

trusted library allocation

page read and write

1822000

trusted library allocation

page read and write

2E81000

trusted library allocation

page read and write

6B8D000

stack

page read and write

4389000

trusted library allocation

page read and write

35E8000

trusted library allocation

page read and write

7180000

trusted library section

page read and write

952000

unkown

page readonly

76B2000

trusted library allocation

page read and write

3F11000

trusted library allocation

page read and write

C89000

stack

page read and write

1593000

heap

page read and write

34A2000

trusted library allocation

page read and write

56F0000

trusted library allocation

page read and write

71B0000

trusted library allocation

page read and write

EC4D000

stack

page read and write

53D0000

trusted library allocation

page read and write

56C2000

trusted library allocation

page read and write

110D000

trusted library allocation

page execute and read and write

6FC0000

heap

page read and write

2E86000

trusted library allocation

page read and write

35EE000

trusted library allocation

page read and write

14A8000

heap

page read and write

6D0E000

stack

page read and write

35BA000

trusted library allocation

page read and write

343F000

trusted library allocation

page read and write

There are 265 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
z17Mz7zumpwTUMRxyS.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportz17Mz7zumpwTUMRxyS.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
z17Mz7zumpwTUMRxyS.exe