Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

oHchwlxMNG.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.356695880348912
Filename:	oHchwlxMNG.exe
Filesize:	533504
MD5:	cb45d49e68b2c594f6c9bcf7edd6481a
SHA1:	fa05b81dc9b816e4e8dd51349271e8af273b799b
SHA256:	771049ea28dc7d93076d1019ff573d8ad9a8c47ca8dec2a8c64be18aec259d03
SHA512:	8538a493ead6c65d2aac98c9b56b53b152e0c1699b88b239597ca16173a6980cc862bdba596807d36075befce7a7e6cf8d3baf2218ecd3a0c95e072f594af695
SSDEEP:	6144:cTVFZInd6Xcfg9UVFuVqsLSccPNJcnkhcYlEHNLpKJjPh2Lu2GyfyRUoXHO8cZlJ:c5kndm7/L2Pd2WyfyFXH5sJQniP
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............~8... ...@....@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Machine Learning detection for sample	AV Detection
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Software Packing
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools Obfuscated Files or Information
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oHchwlxMNG.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oHchwlxMNG.exe.log
Category:	dropped
Dump:	oHchwlxMNG.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\oHchwlxMNG.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\oHchwlxMNG.exe

"C:\Users\user\Desktop\oHchwlxMNG.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6632
Target ID:	0
Parent PID:	1028
Name:	oHchwlxMNG.exe
Path:	C:\Users\user\Desktop\oHchwlxMNG.exe
Commandline:	"C:\Users\user\Desktop\oHchwlxMNG.exe"
Size:	533504
MD5:	CB45D49E68B2C594F6C9BCF7EDD6481A
Time:	08:47:59
Date:	01/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xf00000
Modulesize:	557056
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\oHchwlxMNG.exe

"C:\Users\user\Desktop\oHchwlxMNG.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6644
Target ID:	1
Parent PID:	6632
Name:	oHchwlxMNG.exe
Path:	C:\Users\user\Desktop\oHchwlxMNG.exe
Commandline:	"C:\Users\user\Desktop\oHchwlxMNG.exe"
Size:	533504
MD5:	CB45D49E68B2C594F6C9BCF7EDD6481A
Time:	08:48:00
Date:	01/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x3f0000
Modulesize:	557056
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\oHchwlxMNG.exe"

Details

Is windows:	true
Is dropped:	false
PID:	5852
Target ID:	4
Parent PID:	6644
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\oHchwlxMNG.exe"
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	08:48:11
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x790000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5504
Target ID:	5
Parent PID:	5852
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	08:48:11
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

Details

Is windows:	true
Is dropped:	false
PID:	1868
Target ID:	6
Parent PID:	5852
Name:	choice.exe
Path:	C:\Windows\SysWOW64\choice.exe
Commandline:	choice /C Y /N /D Y /T 3
Size:	28160
MD5:	FCE0E41C87DC4ABBE976998AD26C27E4
Time:	08:48:11
Date:	01/07/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xd10000
Modulesize:	40960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://reallyfreegeoip.org

unknown

http://checkip.dyndns.org

unknown

http://checkip.dyndns.org/

132.226.247.73

http://checkip.dyndns.com

unknown

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.97.3

https://reallyfreegeoip.org/xml/8.46.123.33$

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://checkip.dyndns.org/q

unknown

http://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org/xml/

unknown

Domains

Name

Malicious

reallyfreegeoip.org

188.114.97.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.97.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

132.226.247.73

IPs

Domain

Country

Malicious

188.114.97.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.97.3
TargetID:	1
Current Path:	C:\Users\user\Desktop\oHchwlxMNG.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

132.226.247.73

checkip.dyndns.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\oHchwlxMNG_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\oHchwlxMNG_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\oHchwlxMNG_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\oHchwlxMNG_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\oHchwlxMNG_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\oHchwlxMNG_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\oHchwlxMNG_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\oHchwlxMNG_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\oHchwlxMNG_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\oHchwlxMNG_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\oHchwlxMNG_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\oHchwlxMNG_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\oHchwlxMNG_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\oHchwlxMNG_RASMANCS

FileDirectory

There are 4 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

4489000

trusted library allocation

page read and write

28C1000

trusted library allocation

page read and write

542000

remote allocation

page execute and read and write

3340000

heap

page read and write

61DE000

stack

page read and write

1780000

trusted library allocation

page execute and read and write

1600000

heap

page read and write

66BB000

stack

page read and write

593A000

trusted library allocation

page read and write

17C0000

trusted library allocation

page read and write

3363000

heap

page read and write

2F90000

heap

page read and write

AB6000

trusted library allocation

page execute and read and write

2A21000

trusted library allocation

page read and write

79CE000

heap

page read and write

325F000

unkown

page read and write

29AF000

trusted library allocation

page read and write

1790000

trusted library allocation

page read and write

611E000

stack

page read and write

7CFE000

stack

page read and write

593F000

trusted library allocation

page read and write

7BBE000

stack

page read and write

5DDE000

stack

page read and write

26F0000

heap

page read and write

2F70000

heap

page read and write

1636000

heap

page read and write

1649000

heap

page read and write

1583000

trusted library allocation

page execute and read and write

5B5F000

stack

page read and write

593C000

trusted library allocation

page read and write

160A000

heap

page read and write

13DE000

stack

page read and write

158D000

trusted library allocation

page execute and read and write

58CB000

trusted library allocation

page read and write

6660000

trusted library allocation

page read and write

1580000

trusted library allocation

page read and write

26A9000

trusted library allocation

page read and write

6710000

heap

page read and write

9B5000

heap

page read and write

5D80000

trusted library allocation

page read and write

268E000

trusted library allocation

page read and write

173E000

stack

page read and write

58C4000

trusted library allocation

page read and write

19EE000

stack

page read and write

4E40000

heap

page read and write

B96000

heap

page read and write

353F000

stack

page read and write

2ECC000

stack

page read and write

160E000

heap

page read and write

2A4A000

trusted library allocation

page read and write

123A000

stack

page read and write

1AF0000

heap

page read and write

38C1000

trusted library allocation

page read and write

C56000

heap

page read and write

2E3D000

stack

page read and write

631E000

stack

page read and write

334C000

heap

page read and write

523E000

stack

page read and write

28BE000

stack

page read and write

33B8000

heap

page read and write

5940000

heap

page read and write

2A14000

trusted library allocation

page read and write

595E000

stack

page read and write

B30000

trusted library allocation

page execute and read and write

58DE000

trusted library allocation

page read and write

3362000

heap

page read and write

2964000

trusted library allocation

page read and write

5920000

heap

page read and write

5EDE000

stack

page read and write

5C40000

heap

page execute and read and write

38E9000

trusted library allocation

page read and write

5C37000

trusted library allocation

page read and write

E9C000

stack

page read and write

BC6000

heap

page read and write

540000

remote allocation

page execute and read and write

C1C000

heap

page read and write

1AF7000

heap

page read and write

AB2000

trusted library allocation

page read and write

50B000

stack

page read and write

2A0C000

trusted library allocation

page read and write

58E1000

trusted library allocation

page read and write

141E000

stack

page read and write

AB0000

trusted library allocation

page read and write

58ED000

trusted library allocation

page read and write

527E000

stack

page read and write

ABA000

trusted library allocation

page execute and read and write

9B0000

heap

page read and write

5D40000

trusted library allocation

page read and write

5A0000

heap

page read and write

A9D000

trusted library allocation

page execute and read and write

30FE000

stack

page read and write

649E000

stack

page read and write

26A1000

trusted library allocation

page read and write

5DB0000

heap

page read and write

334E000

stack

page read and write

A94000

trusted library allocation

page read and write

15B2000

trusted library allocation

page read and write

3340000

trusted library allocation

page read and write

3481000

trusted library allocation

page read and write

5F15000

heap

page read and write

68BE000

stack

page read and write

68F5000

heap

page read and write

51FD000

stack

page read and write

296C000

trusted library allocation

page read and write

F00000

unkown

page readonly

5BCE000

stack

page read and write

5950000

heap

page read and write

17D0000

trusted library allocation

page read and write

2999000

trusted library allocation

page read and write

7E3E000

stack

page read and write

1570000

trusted library allocation

page read and write

5EE0000

heap

page read and write

5C5E000

stack

page read and write

A93000

trusted library allocation

page execute and read and write

F02000

unkown

page readonly

5C30000

trusted library allocation

page read and write

E5E000

stack

page read and write

30B0000

heap

page read and write

685E000

stack

page read and write

15BB000

trusted library allocation

page execute and read and write

ED0000

heap

page read and write

ED7000

heap

page read and write

BC8000

heap

page read and write

26A6000

trusted library allocation

page read and write

4481000

trusted library allocation

page read and write

68C0000

heap

page read and write

5D9E000

stack

page read and write

2A66000

trusted library allocation

page read and write

17B0000

trusted library allocation

page read and write

990000

trusted library allocation

page read and write

1380000

heap

page read and write

15D0000

trusted library allocation

page read and write

2F3D000

stack

page read and write

EA0000

trusted library allocation

page read and write

29C0000

trusted library allocation

page read and write

15AA000

trusted library allocation

page execute and read and write

1590000

trusted library allocation

page read and write

51BD000

stack

page read and write

29FC000

trusted library allocation

page read and write

2A00000

trusted library allocation

page read and write

8F7000

stack

page read and write

26C0000

heap

page read and write

635E000

stack

page read and write

2A04000

trusted library allocation

page read and write

1584000

trusted library allocation

page read and write

5C9E000

stack

page read and write

49BC000

stack

page read and write

677E000

stack

page read and write

2A6A000

trusted library allocation

page read and write

2A2F000

trusted library allocation

page read and write

5EDF000

stack

page read and write

2A08000

trusted library allocation

page read and write

639E000

stack

page read and write

15B0000

trusted library allocation

page read and write

4D70000

heap

page execute and read and write

2F80000

heap

page read and write

58E6000

trusted library allocation

page read and write

3365000

heap

page read and write

1AEF000

stack

page read and write

1629000

heap

page read and write

AC2000

trusted library allocation

page read and write

AC7000

trusted library allocation

page execute and read and write

6790000

trusted library allocation

page read and write

177B000

stack

page read and write

675E000

stack

page read and write

2684000

trusted library allocation

page read and write

29C4000

trusted library allocation

page read and write

5AC0000

trusted library allocation

page execute and read and write

6650000

trusted library allocation

page execute and read and write

557C000

stack

page read and write

330E000

stack

page read and write

17A0000

heap

page read and write

5DD0000

heap

page read and write

15B7000

trusted library allocation

page execute and read and write

15A0000

trusted library allocation

page read and write

615D000

stack

page read and write

B40000

trusted library allocation

page read and write

EC0000

trusted library allocation

page read and write

B56000

trusted library allocation

page read and write

66FD000

stack

page read and write

93E000

stack

page read and write

5F45000

heap

page read and write

5930000

trusted library allocation

page read and write

7BFE000

stack

page read and write

338F000

stack

page read and write

619E000

stack

page read and write

38C7000

trusted library allocation

page read and write

5F30000

heap

page read and write

B68000

heap

page read and write

517F000

stack

page read and write

5C3E000

trusted library allocation

page read and write

79C0000

heap

page read and write

156E000

stack

page read and write

15A6000

trusted library allocation

page execute and read and write

62DF000

stack

page read and write

ACB000

trusted library allocation

page execute and read and write

5EF8000

heap

page read and write

5DA0000

trusted library section

page readonly

B2E000

stack

page read and write

1390000

heap

page read and write

33B0000

heap

page read and write

2975000

trusted library allocation

page read and write

3150000

heap

page read and write

5968000

heap

page read and write

2694000

trusted library allocation

page read and write

6670000

trusted library allocation

page execute and read and write

A90000

trusted library allocation

page read and write

29B8000

trusted library allocation

page read and write

2A10000

trusted library allocation

page read and write

17E0000

heap

page read and write

3360000

trusted library allocation

page read and write

2A78000

trusted library allocation

page read and write

35D0000

heap

page read and write

5F47000

heap

page read and write

5C20000

trusted library allocation

page read and write

AA0000

trusted library allocation

page read and write

30AE000

unkown

page read and write

B54000

trusted library allocation

page read and write

2FDE000

stack

page read and write

1337000

stack

page read and write

5D51000

trusted library allocation

page read and write

5BD0000

trusted library section

page read and write

65FC000

stack

page read and write

5D56000

trusted library allocation

page read and write

5D53000

trusted library allocation

page read and write

2F90000

heap

page read and write

1455000

heap

page read and write

18EE000

stack

page read and write

3530000

heap

page read and write

5F0000

heap

page read and write

5D70000

trusted library allocation

page read and write

17D5000

trusted library allocation

page read and write

5943000

heap

page read and write

5EE000

stack

page read and write

1450000

heap

page read and write

15A2000

trusted library allocation

page read and write

5D60000

trusted library section

page read and write

960000

heap

page read and write

67B5000

heap

page read and write

15E0000

heap

page read and write

297E000

trusted library allocation

page read and write

B7E000

heap

page read and write

27B0000

heap

page execute and read and write

159D000

trusted library allocation

page execute and read and write

AE0000

trusted library allocation

page read and write

4D3D000

stack

page read and write

26B5000

trusted library allocation

page read and write

67B0000

heap

page read and write

7D3E000

stack

page read and write

5C3C000

trusted library allocation

page read and write

4D50000

trusted library allocation

page read and write

5EE8000

heap

page read and write

29BC000

trusted library allocation

page read and write

80C2000

trusted library allocation

page read and write

29F8000

trusted library allocation

page read and write

17CF000

trusted library allocation

page read and write

9A0000

heap

page read and write

5A5E000

stack

page read and write

5EE0000

heap

page read and write

3590000

trusted library allocation

page read and write

B50000

trusted library allocation

page read and write

2A86000

trusted library allocation

page read and write

3370000

heap

page execute and read and write

347E000

stack

page read and write

1645000

heap

page read and write

B60000

heap

page read and write

5DC0000

heap

page read and write

BD5000

heap

page read and write

2A3C000

trusted library allocation

page read and write

D5F000

stack

page read and write

601E000

stack

page read and write

2F0C000

stack

page read and write

2967000

trusted library allocation

page read and write

58C0000

trusted library allocation

page read and write

68D0000

heap

page read and write

2981000

trusted library allocation

page read and write

There are 266 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
oHchwlxMNG.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportoHchwlxMNG.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
oHchwlxMNG.exe