Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

OC. 4515924646.exe

PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy:	7.8598037909509335
Filename:	OC. 4515924646.exe
Filesize:	657920
MD5:	d4b3f9945cf3c5dde77b59ff2a31d909
SHA1:	138d9e064e5bb1dcab05900e550062f8093d233a
SHA256:	576a8ef62a3aa573eeb32128100bba673c0c967abf51ece921781608e13fbbd0
SHA512:	6548ef0ee3ed23d43e552cd4fc30c848c90e46914198e71eb035f8ead974ce324f02a98f6fa578acff14de9b34bd89a532fd11aa1928ca4c80e2fd860488ec36
SSDEEP:	12288:zOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPivmtr0XThGhqnqoLZhrJn8vDwNDw:zq5TfcdHj4fmb0Eqnq4187D
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Binary is likely a compiled AutoIt script file	System Summary
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion	Access Token Manipulation Security Software Discovery
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts
Contains functionality to launch a process as a different user	System Summary
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation Access Token Manipulation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Access Token Manipulation
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Access Token Manipulation Encrypted Channel
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found evaded block containing many API calls	Malware Analysis System Evasion	Native API Access Token Manipulation
Found evasive API chain (date check)	Malware Analysis System Evasion	Access Token Manipulation
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Security Software Discovery
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Access Token Manipulation System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
Contains functionality for error logging	System Summary	Access Token Manipulation
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Contains functionality to download additional files from the internet	Networking
Contains functionality to enum processes or threads	System Summary	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery System Information Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	Access Token Manipulation
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Discovery
Program exit points	Malware Analysis System Evasion
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Temp\aut5891.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut5891.tmp
Category:	dropped
Dump:	aut5891.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\OC. 4515924646.exe
Type:	data
Entropy:	7.919271724262161
Encrypted:	false
Ssdeep:	3072:o2nlN3pyFwt0r6SvZmO+4cAogUYRhVfkgYUsiwE0SeaqV/Q2dycg:o2lppyetZQ7n+UsiwMeVV/jdyF
Size:	141900
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\unnervousness

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\unnervousness
Category:	dropped
Dump:	unnervousness.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\OC. 4515924646.exe
Type:	data
Entropy:	6.465214819836548
Encrypted:	false
Ssdeep:	6144:5cpvaoPRILseN0E/2ZlBSpqPlsF1vAY6ZqQdj7E2MN0Qh8:kPRIL5N0Eu4Qde1vwqQ9YLh8
Size:	244224
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\OC. 4515924646.exe

"C:\Users\user\Desktop\OC. 4515924646.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7080
Target ID:	0
Parent PID:	4084
Name:	OC. 4515924646.exe
Path:	C:\Users\user\Desktop\OC. 4515924646.exe
Commandline:	"C:\Users\user\Desktop\OC. 4515924646.exe"
Size:	657920
MD5:	D4B3F9945CF3C5DDE77B59FF2A31D909
Time:	07:45:03
Date:	25/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x770000
Modulesize:	1519616
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Binary is likely a compiled AutoIt script file	System Summary
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\OC. 4515924646.exe"

Details

Is windows:	true
Is dropped:	false
PID:	5312
Target ID:	2
Parent PID:	7080
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\OC. 4515924646.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	07:45:04
Date:	25/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xa0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\OC. 4515924646.exe
Source:	OC. 4515924646.exe, 00000000.00000002.1507934075.0000000001920000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2734974468.0000000000172000.00000040.80000000.00040000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.2735837041.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2735837041.0000000002411000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://ip-api.com/line/?fields=hosting

208.95.112.1

Details

Name:	http://ip-api.com/line/?fields=hosting
IP:	208.95.112.1
TargetID:	2
From Memory:	false
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking

http://ip-api.com

unknown

Details

Name:	http://ip-api.com
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.2735837041.00000000024EB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2735837041.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2735837041.0000000002411000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Check if machine is in data center or colocation facility	Malware Analysis System Evasion	Security Software Discovery
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

208.95.112.1

ip-api.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

172000

system

page execute and read and write

1920000

direct allocation

page read and write

4210000

direct allocation

page read and write

770000

unkown

page readonly

7A8000

heap

page read and write

226E000

stack

page read and write

4210000

direct allocation

page read and write

1BE6000

heap

page read and write

5769000

heap

page read and write

1BE5000

heap

page read and write

1BE6000

heap

page read and write

45AD000

stack

page read and write

1BE5000

heap

page read and write

A17000

trusted library allocation

page execute and read and write

2486000

trusted library allocation

page read and write

1C05000

heap

page read and write

8F6000

trusted library allocation

page execute and read and write

4210000

direct allocation

page read and write

161B000

stack

page read and write

1F0000

heap

page read and write

A20000

heap

page read and write

454E000

direct allocation

page read and write

8E0000

trusted library allocation

page read and write

44D9000

direct allocation

page read and write

1A7D000

heap

page read and write

1C05000

heap

page read and write

1A7E000

heap

page read and write

5B80000

trusted library allocation

page read and write

22F0000

trusted library allocation

page read and write

5C20000

heap

page read and write

5B77000

trusted library allocation

page read and write

3EC4000

heap

page read and write

4970000

heap

page execute and read and write

906000

heap

page read and write

A12000

trusted library allocation

page read and write

1BE6000

heap

page read and write

170000

system

page execute and read and write

1BE6000

heap

page read and write

1C05000

heap

page read and write

19CC000

heap

page read and write

43B0000

direct allocation

page read and write

4F9000

stack

page read and write

8D0000

trusted library allocation

page read and write

1BE6000

heap

page read and write

24F4000

trusted library allocation

page read and write

841000

unkown

page execute and write copy

2508000

trusted library allocation

page read and write

1AAF000

heap

page read and write

22B0000

trusted library allocation

page read and write

22BB000

trusted library allocation

page read and write

454E000

direct allocation

page read and write

5B60000

trusted library allocation

page read and write

24F8000

trusted library allocation

page read and write

1A02000

heap

page read and write

22C2000

trusted library allocation

page read and write

1BF4000

heap

page read and write

2210000

trusted library allocation

page read and write

89D000

heap

page read and write

43B0000

direct allocation

page read and write

5C30000

heap

page read and write

1BE6000

heap

page read and write

182E000

stack

page read and write

4BFE000

stack

page read and write

5060000

trusted library allocation

page execute and read and write

5720000

heap

page read and write

1C2B000

heap

page read and write

1C05000

heap

page read and write

837000

heap

page read and write

4BBC000

stack

page read and write

1239000

stack

page read and write

454E000

direct allocation

page read and write

5B5E000

stack

page read and write

8F2000

trusted library allocation

page read and write

19D9000

heap

page read and write

3474000

trusted library allocation

page read and write

15FC000

stack

page read and write

1C05000

heap

page read and write

889000

heap

page read and write

163D000

stack

page read and write

44DD000

direct allocation

page read and write

1780000

heap

page read and write

771000

unkown

page execute and read and write

3EC0000

heap

page read and write

8D4000

trusted library allocation

page read and write

4418000

trusted library allocation

page read and write

24EB000

trusted library allocation

page read and write

7BE000

heap

page read and write

1C05000

heap

page read and write

1C05000

heap

page read and write

1BE6000

heap

page read and write

1C3A000

heap

page read and write

199A000

heap

page read and write

1C05000

heap

page read and write

251B000

trusted library allocation

page read and write

4AB3000

heap

page read and write

88E000

unkown

page execute and read and write

4FFE000

stack

page read and write

43B0000

direct allocation

page read and write

1A90000

heap

page read and write

19F8000

heap

page read and write

1BE8000

heap

page read and write

16A0000

heap

page read and write

573D000

heap

page read and write

1C05000

heap

page read and write

22D1000

trusted library allocation

page read and write

2300000

heap

page execute and read and write

43B0000

direct allocation

page read and write

4333000

direct allocation

page read and write

1C05000

heap

page read and write

43B0000

direct allocation

page read and write

19D7000

heap

page read and write

4E3E000

stack

page read and write

454E000

direct allocation

page read and write

4210000

direct allocation

page read and write

8FA000

trusted library allocation

page execute and read and write

454E000

direct allocation

page read and write

813000

heap

page read and write

44D9000

direct allocation

page read and write

8D3000

trusted library allocation

page execute and read and write

44D9000

direct allocation

page read and write

1BE2000

heap

page read and write

22CA000

trusted library allocation

page read and write

7D7000

heap

page read and write

1BE6000

heap

page read and write

4E7D000

stack

page read and write

1BE6000

heap

page read and write

82A000

unkown

page execute and read and write

5050000

heap

page read and write

218E000

stack

page read and write

22CE000

trusted library allocation

page read and write

1BE2000

heap

page read and write

2200000

trusted library allocation

page read and write

44DD000

direct allocation

page read and write

17CE000

stack

page read and write

24FA000

trusted library allocation

page read and write

4333000

direct allocation

page read and write

44DD000

direct allocation

page read and write

24CA000

trusted library allocation

page read and write

7A0000

heap

page read and write

454E000

direct allocation

page read and write

5A5F000

stack

page read and write

8F0000

trusted library allocation

page read and write

199E000

heap

page read and write

44D9000

direct allocation

page read and write

21E0000

trusted library allocation

page read and write

24E4000

trusted library allocation

page read and write

44D9000

direct allocation

page read and write

21F0000

trusted library allocation

page execute and read and write

43B0000

direct allocation

page read and write

4333000

direct allocation

page read and write

44DD000

direct allocation

page read and write

454E000

direct allocation

page read and write

8C0000

trusted library allocation

page read and write

1C2A000

heap

page read and write

3411000

trusted library allocation

page read and write

4980000

heap

page read and write

81E000

unkown

page execute and read and write

24D0000

trusted library allocation

page read and write

1A7D000

heap

page read and write

44DD000

direct allocation

page read and write

4D3E000

stack

page read and write

610000

heap

page read and write

240E000

stack

page read and write

1900000

heap

page read and write

4210000

direct allocation

page read and write

494C000

stack

page read and write

44DD000

direct allocation

page read and write

7F0D0000

trusted library allocation

page execute and read and write

250D000

trusted library allocation

page read and write

1BE1000

heap

page execute and read and write

1AE000

system

page execute and read and write

4210000

direct allocation

page read and write

48F0000

trusted library allocation

page read and write

869000

heap

page read and write

1BEB000

heap

page read and write

258E000

stack

page read and write

7D9000

heap

page read and write

1BE6000

heap

page read and write

19CD000

heap

page read and write

1C05000

heap

page read and write

13A000

stack

page read and write

896000

unkown

page write copy

4333000

direct allocation

page read and write

2220000

heap

page read and write

22DD000

trusted library allocation

page read and write

2445000

trusted library allocation

page read and write

4F7E000

stack

page read and write

900000

heap

page read and write

4333000

direct allocation

page read and write

5040000

trusted library allocation

page read and write

1C05000

heap

page read and write

1C05000

heap

page read and write

84B000

unkown

page execute and read and write

4CFE000

stack

page read and write

4AB0000

heap

page read and write

19D9000

heap

page read and write

44D9000

direct allocation

page read and write

503E000

stack

page read and write

22D6000

trusted library allocation

page read and write

655000

heap

page read and write

5BA0000

trusted library allocation

page execute and read and write

1980000

heap

page read and write

5B90000

trusted library allocation

page read and write

5749000

heap

page read and write

1C05000

heap

page read and write

A1B000

trusted library allocation

page execute and read and write

1BE6000

heap

page read and write

19D9000

heap

page read and write

5B70000

trusted library allocation

page read and write

17E0000

heap

page read and write

3419000

trusted library allocation

page read and write

8DD000

trusted library allocation

page execute and read and write

43B0000

direct allocation

page read and write

22BE000

trusted library allocation

page read and write

4210000

direct allocation

page read and write

160F000

stack

page read and write

2411000

trusted library allocation

page read and write

887000

heap

page read and write

3439000

trusted library allocation

page read and write

896000

unkown

page read and write

894000

unkown

page execute and write copy

8ED000

trusted library allocation

page execute and read and write

5C40000

trusted library allocation

page read and write

1990000

heap

page read and write

1BE2000

heap

page read and write

650000

heap

page read and write

770000

unkown

page readonly

630000

heap

page read and write

1C05000

heap

page read and write

44DD000

direct allocation

page read and write

44D9000

direct allocation

page read and write

1B66000

heap

page read and write

22AC000

stack

page read and write

1BE6000

heap

page read and write

5B67000

trusted library allocation

page read and write

86F000

heap

page read and write

4333000

direct allocation

page read and write

2521000

trusted library allocation

page read and write

4333000

direct allocation

page read and write

There are 229 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
OC. 4515924646.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportOC. 4515924646.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
OC. 4515924646.exe