Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

oaUNY8P657.exe

PE32+ executable (console) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	7.5978739911000535
Filename:	oaUNY8P657.exe
Filesize:	118784
MD5:	4f0c8a81138b78a1f40ef1d383632130
SHA1:	96b6c6ff5c5b1aa90014e975bb851d23acbed598
SHA256:	4560c263255a3f4682b69a3e989591ee4b4df60a8a7680a3905c0c7b33a83d42
SHA512:	687dddf2a070acbb5eee3af912dc1461968a67b05992f76f5a77a5bb0d773ae1049c7e44386c4a44d5971ace7784a8601c2fc3f47f1f8dbbb06a7e04646bbf1c
SSDEEP:	3072:oziOToQz31V4b1pCoLd7H7dwsIc6rmGBLYdLrfncO:+ToQzFjox7bCs5WmGVYVrfn
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....<.e.d........&....'. .....................@.....................................3....`... ............................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Modifies the context of a thread in another process (thread injection)	HIPS / PFW / Operating System Protection Evasion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
Found large amount of non-executed APIs	Malware Analysis System Evasion
PE file contains an invalid checksum	Data Obfuscation
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to modify the execution of threads in other processes
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Users\user\AppData\Local\Temp\sms561F.tmp

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

modified

Details

File:	C:\Users\user\AppData\Local\Temp\sms561F.tmp
Category:	modified
Dump:	sms561F.tmp.3.dr
ID:	dr_0
Target ID:	3
Process:	C:\Users\user\Desktop\oaUNY8P657.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.983605297716181
Encrypted:	false
Ssdeep:	1536:x5sFO8g/9VM5dQ+aomobhr3KXg6wzOB1SmOnU7Ua+GJ:x5sU9Vv4bbhr6SOB1S5nU7MGJ
Size:	79392
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)	Anti Debugging	Security Software Discovery
Machine Learning detection for dropped file	AV Detection
Yara detected Generic Downloader	Networking
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
One or more processes crash	System Summary
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Use Short Name Path in Command Line	System Summary
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Uses Microsoft Silverlight	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sms561F.tmp_942c3da8370deac9a4ef501abf272bdc1219b_47ac16bd_5ad1f071-b479-4c6d-8e86-ee4719fcda92\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sms561F.tmp_942c3da8370deac9a4ef501abf272bdc1219b_47ac16bd_5ad1f071-b479-4c6d-8e86-ee4719fcda92\Report.wer
Category:	dropped
Dump:	Report.wer.8.dr
ID:	dr_1
Target ID:	8
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	1.208255629454617
Encrypted:	false
Ssdeep:	192:7qJ987OrF0NxMP5iaWz8iyUp2lxPzuiFXZ24lO890:Wj87OaNxMQa48iMxPzuiFXY4lO8m
Size:	65536
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7417.tmp.dmp

Mini DuMP crash report, 16 streams, Sun Nov 17 18:20:16 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER7417.tmp.dmp
Category:	dropped
Dump:	WER7417.tmp.dmp.8.dr
ID:	dr_3
Target ID:	8
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 16 streams, Sun Nov 17 18:20:16 2024, 0x1205a4 type
Entropy:	3.113725737405662
Encrypted:	false
Ssdeep:	3072:GQjpebF78/Vz+nt1CCqkrLVy3+vBmXRIc4XIUAcSCPMfHP:5jpebaKlqWy3Q2X7Civ
Size:	439559
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B9A.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B9A.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER7B9A.tmp.WERInternalMetadata.xml.8.dr
ID:	dr_4
Target ID:	8
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.697640471585611
Encrypted:	false
Ssdeep:	192:R6l7wVeJTtIek46Y5GjgmfZJCopDp89b82EfkP0m:R6lXJZV6Y4jgmfXCT8NfkJ
Size:	8702
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7C08.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER7C08.tmp.xml
Category:	dropped
Dump:	WER7C08.tmp.xml.8.dr
ID:	dr_5
Target ID:	8
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.427180456738418
Encrypted:	false
Ssdeep:	48:cvIwWl8zseNJg771I9DoWpW8VYaYm8M4JGLPF/Byq8v8LcVf9Rod:uIjfenI7YB7VmJwBWbVlRod
Size:	4745
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.8.dr
ID:	dr_2
Target ID:	8
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.413963638087642
Encrypted:	false
Ssdeep:	6144:s/cifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNb5+:ji58oSWIZBk2MM6AFBZo
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\oaUNY8P657.exe

"C:\Users\user\Desktop\oaUNY8P657.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7400
Target ID:	0
Parent PID:	4056
Name:	oaUNY8P657.exe
Path:	C:\Users\user\Desktop\oaUNY8P657.exe
Commandline:	"C:\Users\user\Desktop\oaUNY8P657.exe"
Size:	118784
MD5:	4F0C8A81138B78A1F40EF1D383632130
Time:	13:20:06
Date:	17/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff78cb20000
Modulesize:	172032
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains an invalid checksum	Data Obfuscation
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Use Short Name Path in Command Line	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Users\user\Desktop\oaUNY8P657.exe

"C:\Users\user\Desktop\oaUNY8P657.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7456
Target ID:	3
Parent PID:	7400
Name:	oaUNY8P657.exe
Path:	C:\Users\user\Desktop\oaUNY8P657.exe
Commandline:	"C:\Users\user\Desktop\oaUNY8P657.exe"
Size:	118784
MD5:	4F0C8A81138B78A1F40EF1D383632130
Time:	13:20:06
Date:	17/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff78cb20000
Modulesize:	172032
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains an invalid checksum	Data Obfuscation
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Use Short Name Path in Command Line	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Users\user\AppData\Local\Temp\sms561F.tmp

"C:\Users\user~1\AppData\Local\Temp\sms561F.tmp"

Details

Is windows:	false
Is dropped:	true
PID:	7508
Target ID:	4
Parent PID:	7456
Name:	sms561F.tmp
Path:	C:\Users\user\AppData\Local\Temp\sms561F.tmp
Commandline:	"C:\Users\user~1\AppData\Local\Temp\sms561F.tmp"
Size:	79392
MD5:	8032A5E68376A879472C297749CDB4C4
Time:	13:20:07
Date:	17/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1e0000
Modulesize:	106496
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Use Short Name Path in Command Line	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7408
Target ID:	1
Parent PID:	7400
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	13:20:06
Date:	17/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff75da10000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 7508 -s 1664

Details

Is windows:	true
Is dropped:	false
PID:	7752
Target ID:	8
Parent PID:	7508
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7508 -s 1664
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	13:20:13
Date:	17/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xc00000
Modulesize:	155648
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

left-noon.gl.at.ply.gg

Details

Name:	left-noon.gl.at.ply.gg
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\oaUNY8P657.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection

https://i.ibb.co/Dwrj41N/Image.png

unknown

http://upx.sf.net

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	4
From Memory:	true
Current Path:	C:\Users\user\AppData\Local\Temp\sms561F.tmp
Source:	sms561F.tmp, 00000004.00000002.1578890311.00000000023E8000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://go.micu

unknown

http://ip-api.com/line/?fields=hosting

208.95.112.1

Details

Name:	http://ip-api.com/line/?fields=hosting
IP:	208.95.112.1
TargetID:	4
From Memory:	false
Current Path:	C:\Users\user\AppData\Local\Temp\sms561F.tmp
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking

http://ip-api.com

unknown

Details

Name:	http://ip-api.com
TargetID:	4
From Memory:	true
Current Path:	C:\Users\user\AppData\Local\Temp\sms561F.tmp
Source:	sms561F.tmp, 00000004.00000002.1578890311.00000000023E8000.00000004.00000800.00020000.00000000.sdmp, sms561F.tmp, 00000004.00000002.1578890311.0000000002400000.00000004.00000800.00020000.00000000.sdmp, sms561F.tmp, 00000004.00000002.1578890311.00000000023F6000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Check if machine is in data center or colocation facility	Malware Analysis System Evasion	Security Software Discovery
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

208.95.112.1

ip-api.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sms561F_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sms561F_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sms561F_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sms561F_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sms561F_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sms561F_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sms561F_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sms561F_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sms561F_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sms561F_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sms561F_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sms561F_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sms561F_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\sms561F_RASMANCS

FileDirectory

There are 4 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

234C000

trusted library allocation

page read and write

1F9C5F20000

heap

page read and write

1E2000

unkown

page readonly

7FF78CB20000

unkown

page readonly

400000

remote allocation

page execute and read and write

1B217000

heap

page read and write

7A2000

heap

page read and write

7FFAAC370000

trusted library allocation

page read and write

2230000

heap

page read and write

7FFB0B631000

unkown

page execute read

21E766B0000

heap

page read and write

7FFAAC420000

trusted library allocation

page execute and read and write

70D000

heap

page read and write

531000

stack

page read and write

21E766F0000

heap

page read and write

23D5000

trusted library allocation

page read and write

7FF78CB48000

unkown

page readonly

716000

heap

page read and write

1AD9B000

stack

page read and write

7FF78CB21000

unkown

page execute read

754000

heap

page read and write

21E0000

trusted library allocation

page read and write

233E000

stack

page read and write

21D0000

trusted library allocation

page read and write

7FF78CB20000

unkown

page readonly

660000

heap

page read and write

7FF78CB20000

unkown

page readonly

1AC90000

heap

page execute and read and write

7FF78CB24000

unkown

page readonly

1B6FE000

stack

page read and write

21E76700000

heap

page read and write

915000

heap

page read and write

724000

heap

page read and write

7FFAAC446000

trusted library allocation

page execute and read and write

23E5000

trusted library allocation

page read and write

23E8000

trusted library allocation

page read and write

7FF78CB20000

unkown

page readonly

705000

heap

page read and write

70F000

heap

page read and write

7FF78CB28000

unkown

page read and write

23D2000

trusted library allocation

page read and write

1AFBE000

stack

page read and write

79D000

heap

page read and write

1B1CB000

heap

page read and write

8DE000

stack

page read and write

910000

heap

page read and write

7FFAAC510000

trusted library allocation

page execute and read and write

6EC000

heap

page read and write

1B219000

heap

page read and write

7FFAAC480000

trusted library allocation

page execute and read and write

7FFAAC380000

trusted library allocation

page read and write

7FFAAC37D000

trusted library allocation

page execute and read and write

7FF78CB48000

unkown

page readonly

1F9C5E2F000

heap

page read and write

7FF78CB44000

unkown

page readonly

7FFB0B652000

unkown

page readonly

7FFAAC38D000

trusted library allocation

page execute and read and write

21E765D0000

heap

page read and write

2341000

trusted library allocation

page read and write

7FF78CB21000

unkown

page execute read

7FF78CB24000

unkown

page readonly

1B223000

heap

page read and write

7FFAAC500000

trusted library allocation

page read and write

1E0000

unkown

page readonly

1F9C5E20000

heap

page read and write

6A0000

heap

page read and write

7FF78CB28000

unkown

page write copy

7FF78CB28000

unkown

page write copy

BB5000

heap

page read and write

1B1ED000

heap

page read and write

1B5FE000

stack

page read and write

1B1C3000

heap

page read and write

2400000

trusted library allocation

page read and write

7FF78CB28000

unkown

page write copy

7FF78CB2B000

unkown

page readonly

1F9C5DF0000

heap

page read and write

1F9C5E28000

heap

page read and write

74E000

heap

page read and write

7FF78CB44000

unkown

page readonly

7FF78CB44000

unkown

page readonly

7FF78CB23000

unkown

page write copy

7FF78CB44000

unkown

page readonly

7FF78CB24000

unkown

page readonly

F320FE5000

stack

page read and write

7FF47A0F0000

trusted library allocation

page execute and read and write

1A8CC000

stack

page read and write

1F9C5D70000

heap

page read and write

21E76772000

heap

page read and write

BB0000

heap

page read and write

580000

heap

page read and write

7FF78CB23000

unkown

page write copy

7FFAAC373000

trusted library allocation

page read and write

7FF78CB21000

unkown

page execute read

1B1BB000

stack

page read and write

1AEBE000

stack

page read and write

2210000

heap

page execute and read and write

21E3000

trusted library allocation

page read and write

1F6000

unkown

page readonly

7FFB0B630000

unkown

page readonly

2368000

trusted library allocation

page read and write

7FFAAC38B000

trusted library allocation

page execute and read and write

21E7676C000

heap

page read and write

7FFB0B655000

unkown

page readonly

1F9C5D90000

heap

page read and write

1E0000

unkown

page readonly

7FFAAC363000

trusted library allocation

page execute and read and write

12341000

trusted library allocation

page read and write

21E76766000

heap

page read and write

7A0000

heap

page read and write

3177FFC000

stack

page read and write

31780FF000

stack

page read and write

12348000

trusted library allocation

page read and write

79B000

heap

page read and write

7FF78CB21000

unkown

page execute read

7FFAAC3BC000

trusted library allocation

page execute and read and write

7FF78CB48000

unkown

page readonly

680000

heap

page read and write

1B0BE000

stack

page read and write

1B7FD000

stack

page read and write

23D8000

trusted library allocation

page read and write

1B4FF000

stack

page read and write

23F6000

trusted library allocation

page read and write

7FFB0B646000

unkown

page readonly

F3211FF000

stack

page read and write

23DE000

trusted library allocation

page read and write

7FF78CB24000

unkown

page readonly

31781FF000

stack

page read and write

7FFB0B650000

unkown

page read and write

1B1C0000

heap

page read and write

6E0000

heap

page read and write

7FFAAC364000

trusted library allocation

page read and write

722000

heap

page read and write

1F9C5C90000

heap

page read and write

A1F000

stack

page read and write

21E76760000

heap

page read and write

23DB000

trusted library allocation

page read and write

7FF78CB2B000

unkown

page readonly

7FF78CB23000

unkown

page write copy

7FF78CB2B000

unkown

page readonly

7FFAAC41C000

trusted library allocation

page execute and read and write

7DE000

heap

page read and write

7FFAAC36D000

trusted library allocation

page execute and read and write

7FFAAC502000

trusted library allocation

page read and write

7FFAAC410000

trusted library allocation

page read and write

F3213FF000

stack

page read and write

7FF78CB2B000

unkown

page readonly

7FF78CB23000

unkown

page write copy

1ADB0000

heap

page read and write

8F0000

trusted library allocation

page read and write

7FF78CB48000

unkown

page readonly

720000

heap

page read and write

There are 141 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
oaUNY8P657.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportoaUNY8P657.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
oaUNY8P657.exe