Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

55ryoipjfdr.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.640880445990648
Filename:	55ryoipjfdr.exe
Filesize:	396288
MD5:	f0b9f50c6a247ac5ca9cc95135b83dcf
SHA1:	c1b276883da10fa2bf1c37a3851781e5c702a601
SHA256:	068af8016c36fce5cf1e1a4722c1dc0d6e02cb6ed58b61c2ba99a54d294cc274
SHA512:	f02fcb14ffd9415281c4e2f916fb8a38e80bcd885a1ec6e07b73698c9878a8318e60092da859818cdf49de263f99f768684da5ecea669a9a2623a03a5d6db1bb
SSDEEP:	6144:89FHululululululu4uOjzzUDjTgfH1okjroGWr2:89FHKKKKKKFzjzQJ5
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O.U.....................F....................@..........................@......h......................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Process Injection
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Contains functionality to call native functions	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Drops PE files	Persistence and Installation Behavior
Uses 32bit PE files	Compliance, System Summary	Masquerading
Contains functionality to load and extract PE file embedded resources	System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a debug data directory	System Summary

C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe
Category:	dropped
Dump:	44qxnhoiecq.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\55ryoipjfdr.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.640880445990648
Encrypted:	false
Ssdeep:	6144:89FHululululululu4uOjzzUDjTgfH1okjroGWr2:89FHKKKKKKFzjzQJ5
Size:	396288
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Hijacks the control flow in another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for dropped file	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Sigma detected: Uncommon Svchost Parent Process	System Summary
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe:Zone.Identifier

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe:Zone.Identifier
Category:	modified
Dump:	44qxnhoiecq.exe_Zone.Identifier.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\55ryoipjfdr.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Hijacks the control flow in another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for dropped file	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Roaming\winapp\client_id

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\winapp\client_id
Category:	dropped
Dump:	client_id.8.dr
ID:	dr_3
Target ID:	8
Process:	C:\Windows\System32\svchost.exe
Type:	data
Entropy:	2.9436287058372557
Encrypted:	false
Ssdeep:	3:jlkvoOPPlllMH/KUnYR8H3TRlg4fn:jevoO10HLY61lgOn
Size:	100
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\winapp\group_tag

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\winapp\group_tag
Category:	dropped
Dump:	group_tag.8.dr
ID:	dr_2
Target ID:	8
Process:	C:\Windows\System32\svchost.exe
Type:	data
Entropy:	1.7709505944546688
Encrypted:	false
Ssdeep:	3:zl/:zl/
Size:	10
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\55ryoipjfdr.exe

"C:\Users\user\Desktop\55ryoipjfdr.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7708
Target ID:	0
Parent PID:	4084
Name:	55ryoipjfdr.exe
Path:	C:\Users\user\Desktop\55ryoipjfdr.exe
Commandline:	"C:\Users\user\Desktop\55ryoipjfdr.exe"
Size:	396288
MD5:	F0B9F50C6A247AC5CA9CC95135B83DCF
Time:	03:09:09
Date:	16/01/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	409600
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary

C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe

Details

Is windows:	false
Is dropped:	true
PID:	8020
Target ID:	3
Parent PID:	7708
Name:	44qxnhoiecq.exe
Path:	C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe
Commandline:	C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe
Size:	396288
MD5:	F0B9F50C6A247AC5CA9CC95135B83DCF
Time:	03:09:46
Date:	16/01/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	409600
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Drops PE files	Persistence and Installation Behavior
Sigma detected: Uncommon Svchost Parent Process	System Summary
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\svchost.exe

svchost.exe -k netsvcs

Details

Is windows:	true
Is dropped:	false
PID:	1984
Target ID:	6
Parent PID:	8020
Name:	svchost.exe
Path:	C:\Windows\System32\svchost.exe
Commandline:	svchost.exe -k netsvcs
Size:	55320
MD5:	B7F884C1B74A263F746EE12A5F7C9F6A
Time:	03:10:18
Date:	16/01/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff67e6d0000
Modulesize:	65536
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected Trickbot	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected PersistenceViaHiddenTask	Persistence and Installation Behavior, Boot Survival
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Uncommon Svchost Parent Process	System Summary
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe

Details

Is windows:	false
Is dropped:	true
PID:	7308
Target ID:	7
Parent PID:	660
Name:	44qxnhoiecq.exe
Path:	C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe
Commandline:	C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe
Size:	396288
MD5:	F0B9F50C6A247AC5CA9CC95135B83DCF
Time:	03:10:21
Date:	16/01/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	409600
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Drops PE files	Persistence and Installation Behavior
Sigma detected: Uncommon Svchost Parent Process	System Summary
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\svchost.exe

svchost.exe -k netsvcs

Details

Is windows:	true
Is dropped:	false
PID:	5496
Target ID:	8
Parent PID:	7308
Name:	svchost.exe
Path:	C:\Windows\System32\svchost.exe
Commandline:	svchost.exe -k netsvcs
Size:	55320
MD5:	B7F884C1B74A263F746EE12A5F7C9F6A
Time:	03:10:52
Date:	16/01/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff67e6d0000
Modulesize:	65536
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected Trickbot	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected PersistenceViaHiddenTask	Persistence and Installation Behavior, Boot Survival
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Uncommon Svchost Parent Process	System Summary
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://194.87.99.210/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/

194.87.99.210

Details

Name:	https://194.87.99.210/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/
IP:	194.87.99.210
TargetID:	8
From Memory:	false
Current Path:	C:\Windows\System32\svchost.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Detected Trickbot e-Banking trojan config	E-Banking Fraud
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://194.87.95.122/

unknown

https://194.87.95.122:443/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/

unknown

https://194.87.99.210/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/u

unknown

https://194.87.99.210:443/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/

unknown

https://194.87.95.122/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/

unknown

Details

Name:	https://194.87.95.122/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/
TargetID:	8
From Memory:	true
Current Path:	C:\Windows\System32\svchost.exe
Source:	svchost.exe, 00000008.00000002.2670748747.00000159F2A84000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2671363412.00000159F3716000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://194.87.99.210/

unknown

https://194.87.95.122/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/H

unknown

https://194.87.99.210:443/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/pD

unknown

Domains

Name

Malicious

api.ipify.org

104.26.12.205

Details

Name:	api.ipify.org
IP:	104.26.12.205
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

178.156.202.97

unknown

Romania

194.87.99.62

unknown

Russian Federation

194.87.146.180

unknown

Russian Federation

194.87.111.6

unknown

Russian Federation

194.87.95.122

unknown

Russian Federation

147.135.196.128

unknown

France

195.133.147.135

unknown

Russian Federation

195.133.197.187

unknown

Russian Federation

194.87.99.210

unknown

Russian Federation

185.15.245.102

unknown

Germany

185.15.245.103

unknown

Germany

194.87.95.120

unknown

Russian Federation

185.158.113.62

unknown

Russian Federation

194.87.239.114

unknown

Russian Federation

195.133.48.80

unknown

Russian Federation

194.87.99.220

unknown

Russian Federation

169.239.129.42

unknown

Seychelles

193.19.118.207

unknown

Russian Federation

91.83.88.51

unknown

Hungary

199.48.160.60

unknown

United States

94.242.224.218

unknown

Luxembourg

104.26.12.205

api.ipify.org

United States

There are 12 hidden IPs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

159F2A13000

heap

page read and write

1DD0F013000

heap

page read and write

3330177000

stack

page read and write

8F1000

heap

page read and write

8F5000

heap

page read and write

7D0000

direct allocation

page read and write

159F3410000

heap

page read and write

861000

heap

page read and write

951000

heap

page read and write

1DD0F031000

heap

page read and write

140000000

remote allocation

page readonly

6AF000

stack

page read and write

951000

heap

page read and write

159F2A92000

heap

page read and write

10001000

direct allocation

page execute read

8F1000

heap

page read and write

401000

unkown

page execute read

159F2A2F000

heap

page read and write

8F1000

heap

page read and write

951000

heap

page read and write

159F3440000

heap

page read and write

4C0000

direct allocation

page execute and read and write

10005000

direct allocation

page read and write

861000

heap

page read and write

58E000

heap

page read and write

405000

unkown

page readonly

159F371E000

heap

page read and write

400000

unkown

page readonly

861000

heap

page read and write

540000

heap

page read and write

951000

heap

page read and write

1DD0EE20000

remote allocation

page execute and read and write

861000

heap

page read and write

19B000

stack

page read and write

400000

unkown

page readonly

861000

heap

page read and write

159F3600000

heap

page read and write

140019000

remote allocation

page readonly

544000

heap

page read and write

140001000

remote allocation

page execute read

951000

heap

page read and write

7C0000

direct allocation

page execute and read and write

1F0000

heap

page read and write

8F1000

heap

page read and write

401000

unkown

page execute read

951000

heap

page read and write

861000

heap

page read and write

19B000

stack

page read and write

33307FF000

stack

page read and write

159F3460000

heap

page read and write

8F1000

heap

page read and write

8F1000

heap

page read and write

400000

unkown

page readonly

159F2A57000

heap

page read and write

8F1000

heap

page read and write

8F1000

heap

page read and write

951000

heap

page read and write

10006000

direct allocation

page readonly

861000

heap

page read and write

951000

heap

page read and write

861000

heap

page read and write

6D0000

direct allocation

page read and write

8F1000

heap

page read and write

580000

heap

page read and write

10005000

direct allocation

page read and write

8F2000

heap

page read and write

159F2AA0000

heap

page read and write

861000

heap

page read and write

8F1000

heap

page read and write

159F3800000

trusted library allocation

page read and write

33304FB000

stack

page read and write

861000

heap

page read and write

951000

heap

page read and write

159F2AEA000

heap

page read and write

8F1000

heap

page read and write

861000

heap

page read and write

8F1000

heap

page read and write

951000

heap

page read and write

861000

heap

page read and write

159F2A90000

heap

page read and write

862000

heap

page read and write

10000000

direct allocation

page readonly

159F2A6A000

heap

page read and write

8F0000

heap

page read and write

8F1000

heap

page read and write

232F000

stack

page read and write

41A000

unkown

page readonly

9C000

stack

page read and write

10001000

direct allocation

page execute read

870000

heap

page read and write

1F0000

heap

page read and write

10004000

direct allocation

page readonly

500000

heap

page read and write

140021000

remote allocation

page readonly

10004000

direct allocation

page readonly

951000

heap

page read and write

159F3430000

heap

page read and write

7B0000

direct allocation

page execute and read and write

951000

heap

page read and write

401000

unkown

page execute read

159F2A00000

heap

page read and write

861000

heap

page read and write

23A0000

heap

page read and write

159F2AB9000

heap

page read and write

1F0000

heap

page read and write

861000

heap

page read and write

1050000

heap

page read and write

159F2A77000

heap

page read and write

861000

heap

page read and write

159F2A84000

heap

page read and write

8F1000

heap

page read and write

952000

heap

page read and write

1DD0F002000

heap

page read and write

861000

heap

page read and write

1DD0EE40000

heap

page read and write

951000

heap

page read and write

400000

unkown

page readonly

8F1000

heap

page read and write

580000

heap

page read and write

861000

heap

page read and write

159F30B0000

remote allocation

page read and write

861000

heap

page read and write

403000

unkown

page readonly

861000

heap

page read and write

159F3450000

heap

page read and write

159F30B0000

remote allocation

page read and write

159F2AFA000

heap

page read and write

8F1000

heap

page read and write

4D0000

direct allocation

page execute and read and write

412000

unkown

page write copy

861000

heap

page read and write

951000

heap

page read and write

8F1000

heap

page read and write

951000

heap

page read and write

5A0000

heap

page read and write

861000

heap

page read and write

1DD0F102000

heap

page read and write

7AF000

stack

page read and write

862000

heap

page read and write

8F1000

heap

page read and write

33301FE000

stack

page read and write

9C000

stack

page read and write

33305FC000

stack

page read and write

951000

heap

page read and write

58A000

heap

page read and write

951000

heap

page read and write

1DD0EE60000

heap

page read and write

140001000

remote allocation

page execute read

861000

heap

page read and write

5A4000

heap

page read and write

860000

heap

page read and write

861000

heap

page read and write

412000

unkown

page write copy

952000

heap

page read and write

470000

heap

page read and write

8F1000

heap

page read and write

159F2A71000

heap

page read and write

951000

heap

page read and write

41A000

unkown

page readonly

861000

heap

page read and write

951000

heap

page read and write

159F2A40000

heap

page read and write

159F3706000

heap

page read and write

40E000

unkown

page readonly

404000

unkown

page read and write

8F1000

heap

page read and write

951000

heap

page read and write

6AE000

stack

page read and write

862000

heap

page read and write

74E000

stack

page read and write

861000

heap

page read and write

400000

unkown

page readonly

950000

heap

page read and write

8F1000

heap

page read and write

768000

heap

page read and write

951000

heap

page read and write

865000

heap

page read and write

8F1000

heap

page read and write

8F5000

heap

page read and write

861000

heap

page read and write

951000

heap

page read and write

1DD0F000000

heap

page read and write

1DD0EF60000

heap

page read and write

861000

heap

page read and write

400000

unkown

page readonly

159F2A46000

heap

page read and write

40E000

unkown

page readonly

159F28A0000

remote allocation

page execute and read and write

861000

heap

page read and write

84F000

stack

page read and write

B25F727000

stack

page read and write

A90000

heap

page read and write

951000

heap

page read and write

B25F72D000

stack

page read and write

57E000

heap

page read and write

140020000

remote allocation

page read and write

8F1000

heap

page read and write

404000

unkown

page read and write

951000

heap

page read and write

861000

heap

page read and write

8F1000

heap

page read and write

8F1000

heap

page read and write

159F30B0000

remote allocation

page read and write

159F3470000

heap

page read and write

9C000

stack

page read and write

8F1000

heap

page read and write

140021000

remote allocation

page readonly

8F1000

heap

page read and write

861000

heap

page read and write

8F1000

heap

page read and write

8F1000

heap

page read and write

159F3700000

heap

page read and write

861000

heap

page read and write

861000

heap

page read and write

8F2000

heap

page read and write

140020000

remote allocation

page read and write

861000

heap

page read and write

405000

unkown

page readonly

159F2AA7000

heap

page read and write

951000

heap

page read and write

861000

heap

page read and write

8F1000

heap

page read and write

40E000

unkown

page readonly

159F3420000

heap

page read and write

8F1000

heap

page read and write

4BE000

stack

page read and write

159F2ADB000

heap

page read and write

403000

unkown

page readonly

B0F000

stack

page read and write

401000

unkown

page execute read

951000

heap

page read and write

861000

heap

page read and write

520000

direct allocation

page read and write

951000

heap

page read and write

B25FA7F000

stack

page read and write

951000

heap

page read and write

333047E000

stack

page read and write

951000

heap

page read and write

861000

heap

page read and write

159F2A0B000

heap

page read and write

861000

heap

page read and write

951000

heap

page read and write

10005000

direct allocation

page read and write

233F000

stack

page read and write

861000

heap

page read and write

159F3716000

heap

page read and write

8F1000

heap

page read and write

861000

heap

page read and write

159F3602000

heap

page read and write

6B0000

direct allocation

page execute and read and write

861000

heap

page read and write

861000

heap

page read and write

159F28E0000

heap

page read and write

1DD0F033000

heap

page read and write

951000

heap

page read and write

8F1000

heap

page read and write

861000

heap

page read and write

57E000

stack

page read and write

861000

heap

page read and write

412000

unkown

page write copy

8F1000

heap

page read and write

8F2000

heap

page read and write

8F1000

heap

page read and write

159F2AC0000

heap

page read and write

951000

heap

page read and write

951000

heap

page read and write

403000

unkown

page readonly

951000

heap

page read and write

1DD0F02F000

heap

page read and write

57A000

heap

page read and write

159F2A3A000

heap

page read and write

88E000

unkown

page read and write

33306FF000

stack

page read and write

333057D000

stack

page read and write

951000

heap

page read and write

159F35D4000

trusted library allocation

page read and write

865000

heap

page read and write

8F1000

heap

page read and write

570000

heap

page read and write

951000

heap

page read and write

861000

heap

page read and write

951000

heap

page read and write

41A000

unkown

page readonly

B25F7AE000

stack

page read and write

951000

heap

page read and write

10001000

direct allocation

page execute read

159F2B02000

heap

page read and write

504000

heap

page read and write

970000

heap

page read and write

10001000

direct allocation

page execute read

10004000

direct allocation

page readonly

5A7000

heap

page read and write

159F29E0000

heap

page read and write

951000

heap

page read and write

8F1000

heap

page read and write

140019000

remote allocation

page readonly

85E000

stack

page read and write

19B000

stack

page read and write

10004000

direct allocation

page readonly

861000

heap

page read and write

760000

heap

page read and write

2420000

heap

page read and write

401000

unkown

page execute read

159F28C0000

heap

page read and write

405000

unkown

page readonly

A80000

heap

page read and write

140000000

remote allocation

page readonly

10005000

direct allocation

page read and write

404000

unkown

page read and write

951000

heap

page read and write

10006000

direct allocation

page readonly

951000

heap

page read and write

8F1000

heap

page read and write

10000000

direct allocation

page readonly

6C0000

direct allocation

page execute and read and write

951000

heap

page read and write

401000

unkown

page execute read

951000

heap

page read and write

550000

heap

page read and write

951000

heap

page read and write

861000

heap

page read and write

A00000

heap

page read and write

159F3702000

heap

page read and write

There are 313 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
55ryoipjfdr.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report55ryoipjfdr.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
55ryoipjfdr.exe