Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

TT Copy.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.4735500770865375
Filename:	TT Copy.exe
Filesize:	1264047
MD5:	847c36bbe5b395799fc9fda5a349f648
SHA1:	b64433abd4279165c67aa670fd56c683ba0de825
SHA256:	e1b1977304e64bee19fbd6938f4f7b9541bb7e3dcd8a4b07b7bc22c57f29dd25
SHA512:	11f6e3f9d4257a6314aee119ab168ae9dfd797b2a357cad3c12372430e0f139d169262e085890266590749a90c8752a6d526455553cceed30006776dcf9f7018
SSDEEP:	24576:ffmMv6Ckr7Mny5QLv2USjRR0cMrI4r6XxQcA65SoEHaF1:f3v+7/5QLOTjRlMr36Xx/AuEHa
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to detect sleep reduction / modifications	Malware Analysis System Evasion	File and Directory Discovery
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts Access Token Manipulation
Contains functionality to launch a process as a different user	System Summary	Native API
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Encrypted Channel
Found large amount of non-executed APIs	Malware Analysis System Evasion
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	System Shutdown/Reboot
PE file contains an invalid checksum	Data Obfuscation
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Sample file is different than original file name gathered from version info	System Summary	System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Contains functionality for error logging	System Summary
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\Clinton

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Clinton
Category:	dropped
Dump:	Clinton.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\TT Copy.exe
Type:	data
Entropy:	7.880468987328074
Encrypted:	false
Ssdeep:	6144:WF7dNy7JiZeaNV6G06R3v+Edv8UdxJtl2HhVO/d:+dNC5azt08mU0yJEE
Size:	265728
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\TT Copy.exe

"C:\Users\user\Desktop\TT Copy.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7484
Target ID:	0
Parent PID:	2580
Name:	TT Copy.exe
Path:	C:\Users\user\Desktop\TT Copy.exe
Commandline:	"C:\Users\user\Desktop\TT Copy.exe"
Size:	1264047
MD5:	847C36BBE5B395799FC9FDA5A349F648
Time:	17:23:55
Date:	31/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	741376
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\TT Copy.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7516
Target ID:	1
Parent PID:	7484
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\TT Copy.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	17:23:57
Date:	31/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1c0000
Modulesize:	57344
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\Desktop\TT Copy.exe

"C:\Users\user\Desktop\TT Copy.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7524
Target ID:	2
Parent PID:	7484
Name:	TT Copy.exe
Path:	C:\Users\user\Desktop\TT Copy.exe
Commandline:	"C:\Users\user\Desktop\TT Copy.exe"
Size:	1264047
MD5:	847C36BBE5B395799FC9FDA5A349F648
Time:	17:23:57
Date:	31/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	741376
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\TT Copy.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7580
Target ID:	3
Parent PID:	7524
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\TT Copy.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	17:23:59
Date:	31/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x890000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

http://mail.mbarieservicesltd.com

unknown

Domains

Name

Malicious

mail.mbarieservicesltd.com

199.79.62.115

Details

Name:	mail.mbarieservicesltd.com
IP:	199.79.62.115
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

199.79.62.115

mail.mbarieservicesltd.com

United States

Details

IP:	199.79.62.115
TargetID:	3
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	394695
ASN name:	PUBLIC-DOMAIN-REGISTRYUS
Private:	false
Domain:	mail.mbarieservicesltd.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

Memdumps

Base Address

Regiontype

Protect

Malicious

53B0000

trusted library section

page read and write

2D90000

trusted library section

page read and write

2E4B000

trusted library allocation

page read and write

296E000

heap

page read and write

2DF1000

trusted library allocation

page read and write

3DF1000

trusted library allocation

page read and write

1288000

heap

page read and write

3F12000

heap

page read and write

3DC4000

heap

page read and write

1E0000

heap

page read and write

B9E000

heap

page read and write

5356000

trusted library allocation

page read and write

3DB3000

heap

page read and write

2DE0000

heap

page execute and read and write

6630000

trusted library allocation

page read and write

150000

heap

page read and write

B03000

heap

page read and write

2920000

trusted library allocation

page read and write

E20000

trusted library section

page read and write

45A3000

direct allocation

page read and write

482000

unkown

page readonly

E30000

heap

page read and write

990000

heap

page read and write

4480000

direct allocation

page read and write

57AF000

stack

page read and write

535D000

trusted library allocation

page read and write

5342000

trusted library allocation

page read and write

8AF000

stack

page read and write

F5D000

trusted library allocation

page execute and read and write

990000

heap

page read and write

3D60000

heap

page read and write

3F23000

heap

page read and write

533B000

trusted library allocation

page read and write

2C10000

trusted library allocation

page read and write

6C2E000

stack

page read and write

4480000

direct allocation

page read and write

534E000

trusted library allocation

page read and write

2C60000

heap

page read and write

54A0000

trusted library allocation

page read and write

401000

unkown

page execute read

3EB8000

heap

page read and write

2FCE000

heap

page read and write

4620000

direct allocation

page read and write

4EED000

stack

page read and write

291A000

trusted library allocation

page execute and read and write

B19000

heap

page read and write

3AF0000

heap

page read and write

2FD0000

direct allocation

page read and write

3C5F000

stack

page read and write

6910000

trusted library allocation

page read and write

BD3000

heap

page read and write

3F01000

heap

page read and write

6A2E000

stack

page read and write

1390000

heap

page read and write

155000

heap

page read and write

A40000

heap

page read and write

B90000

heap

page read and write

385E000

stack

page read and write

FB4000

heap

page read and write

444000

system

page execute and read and write

3114000

heap

page read and write

A3E000

stack

page read and write

AA6000

heap

page read and write

4A7000

unkown

page read and write

3B20000

direct allocation

page read and write

3EB1000

heap

page read and write

F6D000

trusted library allocation

page execute and read and write

5330000

trusted library allocation

page read and write

3FAE000

heap

page read and write

47BE000

direct allocation

page read and write

AB7000

heap

page read and write

C23000

heap

page read and write

4AB000

unkown

page readonly

5B2E000

stack

page read and write

1C0000

heap

page read and write

1370000

heap

page read and write

55AE000

stack

page read and write

9EE000

stack

page read and write

4480000

direct allocation

page read and write

5351000

trusted library allocation

page read and write

47BE000

direct allocation

page read and write

4749000

direct allocation

page read and write

FD8000

heap

page read and write

C37000

heap

page read and write

4620000

direct allocation

page read and write

3F52000

heap

page read and write

3DBF000

heap

page read and write

BD3000

heap

page read and write

3F61000

heap

page read and write

B0F000

heap

page read and write

4480000

direct allocation

page read and write

401000

unkown

page execute read

FE3000

heap

page read and write

3F48000

heap

page read and write

2C40000

heap

page read and write

401000

unkown

page execute read

400000

unkown

page readonly

B42000

heap

page read and write

3F19000

heap

page read and write

990000

heap

page read and write

5250000

heap

page read and write

3F00000

heap

page read and write

533E000

trusted library allocation

page read and write

AB1000

heap

page read and write

474D000

direct allocation

page read and write

3F8E000

heap

page read and write

2C0C000

stack

page read and write

45A3000

direct allocation

page read and write

68F0000

trusted library allocation

page execute and read and write

9A000

stack

page read and write

482000

unkown

page readonly

E35000

heap

page read and write

490000

unkown

page read and write

100000

heap

page read and write

474D000

direct allocation

page read and write

3B07000

heap

page read and write

53A0000

heap

page execute and read and write

4AB000

unkown

page readonly

160000

heap

page read and write

C2F000

heap

page read and write

B42000

heap

page read and write

A90000

heap

page read and write

482000

unkown

page readonly

2A50000

trusted library allocation

page read and write

AB1000

heap

page read and write

4480000

direct allocation

page read and write

2916000

trusted library allocation

page execute and read and write

CF8000

stack

page read and write

292B000

trusted library allocation

page execute and read and write

6A6E000

stack

page read and write

366E000

stack

page read and write

4749000

direct allocation

page read and write

7FDD0000

trusted library allocation

page execute and read and write

178E000

stack

page read and write

4749000

direct allocation

page read and write

BD3000

heap

page read and write

3F4E000

heap

page read and write

F40000

trusted library allocation

page read and write

6919000

trusted library allocation

page read and write

929000

stack

page read and write

93E000

stack

page read and write

100000

heap

page read and write

474D000

direct allocation

page read and write

4620000

direct allocation

page read and write

4749000

direct allocation

page read and write

3FB2000

heap

page read and write

47BE000

direct allocation

page read and write

3FAE000

heap

page read and write

3F4C000

heap

page read and write

5334000

trusted library allocation

page read and write

AB1000

heap

page read and write

4420000

direct allocation

page read and write

3A7E000

heap

page read and write

6990000

trusted library allocation

page read and write

3F16000

heap

page read and write

2BB0000

trusted library allocation

page execute and read and write

F63000

trusted library allocation

page read and write

542C000

stack

page read and write

4301000

heap

page read and write

FA0000

heap

page read and write

F70000

heap

page read and write

3110000

heap

page read and write

A45000

heap

page read and write

3EB1000

heap

page read and write

3E36000

heap

page read and write

2BC0000

heap

page read and write

46E9000

direct allocation

page read and write

3E43000

heap

page read and write

474D000

direct allocation

page read and write

6600000

heap

page read and write

3EB1000

heap

page read and write

2C78000

trusted library allocation

page read and write

4AB000

unkown

page readonly

A95000

heap

page read and write

3F4C000

heap

page read and write

2AA0000

heap

page read and write

4A7000

unkown

page read and write

3F15000

heap

page execute and read and write

3DD5000

heap

page read and write

3F61000

heap

page read and write

3FAC000

heap

page read and write

426000

system

page execute and read and write

3EC2000

heap

page read and write

FFB000

heap

page read and write

3F4E000

heap

page read and write

9EE000

stack

page read and write

3C60000

heap

page read and write

3F01000

heap

page read and write

8FE000

stack

page read and write

4749000

direct allocation

page read and write

1F0000

heap

page read and write

3EB5000

heap

page read and write

583C000

heap

page read and write

2A9E000

stack

page read and write

AAB000

heap

page read and write

A80000

heap

page read and write

45A3000

direct allocation

page read and write

45C0000

direct allocation

page read and write

45C0000

direct allocation

page read and write

3E3C000

heap

page read and write

45A3000

direct allocation

page read and write

3F48000

heap

page read and write

FAF000

heap

page read and write

3E89000

heap

page read and write

46ED000

direct allocation

page read and write

FD2000

heap

page read and write

89F000

stack

page read and write

E10000

trusted library section

page read and write

2922000

trusted library allocation

page read and write

2E5B000

trusted library allocation

page read and write

89F000

stack

page read and write

4360000

heap

page read and write

5370000

trusted library allocation

page read and write

401000

unkown

page execute read

F78000

heap

page read and write

5362000

trusted library allocation

page read and write

400000

unkown

page readonly

4620000

direct allocation

page read and write

4543000

direct allocation

page read and write

47BE000

direct allocation

page read and write

5240000

heap

page read and write

8AF000

stack

page read and write

138E000

stack

page read and write

400000

system

page execute and read and write

8B4000

stack

page read and write

2D30000

trusted library allocation

page read and write

1B2F000

stack

page read and write

BC9000

heap

page read and write

482000

unkown

page readonly

3D00000

heap

page read and write

2927000

trusted library allocation

page execute and read and write

6900000

heap

page read and write

2D10000

trusted library allocation

page read and write

9E0000

heap

page read and write

A85000

heap

page read and write

58EE000

stack

page read and write

3FEE000

heap

page read and write

F53000

trusted library allocation

page execute and read and write

974000

heap

page read and write

FDB000

heap

page read and write

6634000

trusted library allocation

page read and write

4AB000

unkown

page readonly

2F4B000

heap

page read and write

B42000

heap

page read and write

2912000

trusted library allocation

page read and write

127F000

stack

page read and write

B9A000

heap

page read and write

14E000

stack

page read and write

3DA2000

heap

page read and write

3F12000

heap

page read and write

F50000

trusted library allocation

page read and write

5480000

trusted library allocation

page read and write

490000

unkown

page read and write

4543000

direct allocation

page read and write

5336000

trusted library allocation

page read and write

3C00000

heap

page read and write

57F2000

heap

page read and write

3DBC000

heap

page read and write

56AC000

stack

page read and write

2D20000

trusted library allocation

page read and write

3F60000

heap

page read and write

F60000

trusted library allocation

page read and write

490000

unkown

page write copy

547E000

stack

page read and write

2940000

heap

page read and write

4420000

direct allocation

page read and write

5490000

trusted library allocation

page execute and read and write

490000

unkown

page write copy

4480000

direct allocation

page read and write

45A3000

direct allocation

page read and write

3E24000

heap

page read and write

5A2D000

stack

page read and write

3E87000

heap

page read and write

475E000

direct allocation

page read and write

65F0000

heap

page read and write

B42000

heap

page read and write

5B50000

trusted library allocation

page execute and read and write

3F12000

heap

page read and write

3E60000

heap

page read and write

950000

heap

page read and write

2D8E000

stack

page read and write

1AE000

stack

page read and write

5235000

heap

page read and write

474D000

direct allocation

page read and write

46E9000

direct allocation

page read and write

47BE000

direct allocation

page read and write

9A000

stack

page read and write

45A3000

direct allocation

page read and write

3EB4000

heap

page execute and read and write

47BE000

direct allocation

page read and write

2925000

trusted library allocation

page execute and read and write

3EEA000

heap

page read and write

4749000

direct allocation

page read and write

BD7000

heap

page read and write

3F48000

heap

page read and write

2910000

trusted library allocation

page read and write

4620000

direct allocation

page read and write

4620000

direct allocation

page read and write

A2E000

stack

page read and write

3E1F000

heap

page read and write

400000

unkown

page readonly

970000

heap

page read and write

A80000

heap

page read and write

1016000

heap

page read and write

2C63000

heap

page read and write

FE9000

heap

page read and write

2BAE000

stack

page read and write

2E59000

trusted library allocation

page read and write

57B0000

heap

page read and write

A88000

heap

page read and write

3A6F000

stack

page read and write

46ED000

direct allocation

page read and write

FB1000

heap

page read and write

5B30000

trusted library allocation

page read and write

474D000

direct allocation

page read and write

695D000

stack

page read and write

B7B000

heap

page read and write

59EE000

stack

page read and write

8B4000

stack

page read and write

663E000

trusted library allocation

page read and write

537C000

trusted library allocation

page read and write

2C20000

heap

page read and write

400000

unkown

page readonly

68E0000

trusted library allocation

page read and write

475E000

direct allocation

page read and write

F54000

trusted library allocation

page read and write

3FAC000

heap

page read and write

There are 317 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
TT Copy.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportTT Copy.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
TT Copy.exe