Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

H3fwQALXDX.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.918620080272236
Filename:	H3fwQALXDX.exe
Filesize:	218112
MD5:	27af175b8006ce6c2376748b21748412
SHA1:	ec6b0f34dbe9294a82dcc379b3de2b744f5d65ea
SHA256:	ce8d8f5b2708fb0a26ac9ce32c303779179ff58297279c834fd8220b77154680
SHA512:	fa9692944fadd680c07bcfb6627f561f809e97142b41d98605c2d4034abf576ec87becd47eb4ad385d7c6d180a5d6264fe979446f4c152e4eb1fedd6e6fd69d4
SSDEEP:	3072:lhgaMehpuSXYIdP/1pnVLjIvwHyV9YOsUw2hIE3JoN8EheTgc33FgO:FBLrXzn1pnV/gse9yvbE5ovh3
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T.%...............0..J..........>h... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
Machine Learning detection for sample	AV Detection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a raw input device (often for capturing keystrokes)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Binary may include packed or encrypted code	Data Obfuscation
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\H3fwQALXDX.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\H3fwQALXDX.exe.log
Category:	dropped
Dump:	H3fwQALXDX.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\H3fwQALXDX.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.345080863654519
Encrypted:	false
Ssdeep:	24:ML9E4KlKDE4KhKiKhIE4Kx1qE4qXKIE4oKNzKoZAE4Kze0E4j:MxHKlYHKh3oIHKx1qHitHo6hAHKze0Hj
Size:	1119
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Category:	dropped
Dump:	RegAsm.exe.log.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.353332853270839
Encrypted:	false
Ssdeep:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
Size:	1039
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\H3fwQALXDX.exe

"C:\Users\user\Desktop\H3fwQALXDX.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4540
Target ID:	0
Parent PID:	4004
Name:	H3fwQALXDX.exe
Path:	C:\Users\user\Desktop\H3fwQALXDX.exe
Commandline:	"C:\Users\user\Desktop\H3fwQALXDX.exe"
Size:	218112
MD5:	27AF175B8006CE6C2376748B21748412
Time:	09:59:26
Date:	01/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x520000
Modulesize:	245760
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	5076
Target ID:	2
Parent PID:	4540
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	09:59:26
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xe20000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	2688
Target ID:	4
Parent PID:	5076
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	09:59:38
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1c0000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4852
Target ID:	5
Parent PID:	2688
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	09:59:38
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

Details

Is windows:	true
Is dropped:	false
PID:	2524
Target ID:	6
Parent PID:	2688
Name:	choice.exe
Path:	C:\Windows\SysWOW64\choice.exe
Commandline:	choice /C Y /N /D Y /T 3
Size:	28160
MD5:	FCE0E41C87DC4ABBE976998AD26C27E4
Time:	09:59:38
Date:	01/07/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x950000
Modulesize:	40960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://reallyfreegeoip.org

unknown

http://checkip.dyndns.org

unknown

http://checkip.dyndns.org/

193.122.6.168

http://checkip.dyndns.com

unknown

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.97.3

https://reallyfreegeoip.org/xml/8.46.123.33$

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://checkip.dyndns.org/q

unknown

http://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org/xml/

unknown

Domains

Name

Malicious

reallyfreegeoip.org

188.114.97.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.97.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

193.122.6.168

IPs

Domain

Country

Malicious

188.114.97.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.97.3
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

193.122.6.168

checkip.dyndns.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

FileDirectory

There are 4 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

3141000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

32FF000

trusted library allocation

page read and write

3819000

trusted library allocation

page read and write

2FAF000

unkown

page read and write

57D0000

heap

page read and write

156D000

heap

page read and write

151F000

heap

page read and write

1770000

heap

page read and write

3283000

trusted library allocation

page read and write

4147000

trusted library allocation

page read and write

647E000

stack

page read and write

986000

heap

page read and write

51E0000

heap

page read and write

49BB000

stack

page read and write

3235000

trusted library allocation

page read and write

7800000

heap

page read and write

5BE000

stack

page read and write

68BE000

stack

page read and write

6B20000

heap

page read and write

E1E000

stack

page read and write

6D9E000

stack

page read and write

66FE000

stack

page read and write

E2D000

trusted library allocation

page execute and read and write

480000

heap

page read and write

C8E000

stack

page read and write

637E000

stack

page read and write

32EC000

trusted library allocation

page read and write

31ED000

trusted library allocation

page read and write

31F5000

trusted library allocation

page read and write

7808000

heap

page read and write

E23000

trusted library allocation

page execute and read and write

490000

heap

page read and write

A46000

heap

page read and write

522000

unkown

page readonly

558000

unkown

page readonly

30AF000

stack

page read and write

4DD5000

trusted library allocation

page read and write

2FF0000

trusted library allocation

page read and write

12B0000

heap

page read and write

4E70000

trusted library allocation

page read and write

69FE000

stack

page read and write

48BB000

stack

page read and write

5C8000

heap

page read and write

5200000

heap

page read and write

5EA000

stack

page read and write

E5B000

trusted library allocation

page execute and read and write

32D1000

trusted library allocation

page read and write

1440000

trusted library allocation

page read and write

FC7000

stack

page read and write

A60000

heap

page read and write

3293000

trusted library allocation

page read and write

661A000

heap

page read and write

6B2E000

heap

page read and write

2FE6000

trusted library allocation

page read and write

2680000

trusted library allocation

page read and write

310E000

stack

page read and write

32A8000

trusted library allocation

page read and write

4DA0000

trusted library allocation

page read and write

5641000

trusted library allocation

page read and write

3208000

trusted library allocation

page read and write

2660000

trusted library allocation

page execute and read and write

37E1000

trusted library allocation

page read and write

562E000

trusted library allocation

page read and write

2A8D000

stack

page read and write

3242000

trusted library allocation

page read and write

4E3E000

stack

page read and write

1447000

trusted library allocation

page execute and read and write

27E1000

trusted library allocation

page read and write

A75000

heap

page read and write

4D96000

trusted library allocation

page read and write

7642000

heap

page read and write

E24000

trusted library allocation

page read and write

65FF000

heap

page read and write

5150000

heap

page read and write

5624000

trusted library allocation

page read and write

328B000

trusted library allocation

page read and write

14E8000

heap

page read and write

ECB000

stack

page read and write

328F000

trusted library allocation

page read and write

6FF000

stack

page read and write

1442000

trusted library allocation

page read and write

D00000

trusted library allocation

page read and write

31F2000

trusted library allocation

page read and write

6D5E000

stack

page read and write

141D000

trusted library allocation

page execute and read and write

4E40000

trusted library section

page read and write

3130000

heap

page read and write

E20000

trusted library allocation

page read and write

2BF0000

heap

page read and write

56BD000

stack

page read and write

285C000

trusted library allocation

page read and write

30B0000

heap

page read and write

8F8000

stack

page read and write

6C5E000

stack

page read and write

7806000

heap

page read and write

2B8D000

stack

page read and write

520000

unkown

page readonly

18D000

stack

page read and write

5270000

heap

page read and write

2C00000

heap

page read and write

3220000

heap

page read and write

31EA000

trusted library allocation

page read and write

683E000

stack

page read and write

1436000

trusted library allocation

page execute and read and write

E40000

trusted library allocation

page read and write

5634000

trusted library allocation

page read and write

5BBE000

stack

page read and write

7804000

heap

page read and write

5A30000

heap

page read and write

1432000

trusted library allocation

page read and write

6E9F000

stack

page read and write

E52000

trusted library allocation

page read and write

CCE000

stack

page read and write

E67000

heap

page read and write

2D03000

heap

page read and write

12B5000

heap

page read and write

5275000

heap

page read and write

27DE000

stack

page read and write

6D1B000

stack

page read and write

143A000

trusted library allocation

page execute and read and write

2620000

trusted library allocation

page read and write

2C10000

heap

page read and write

4DC0000

heap

page execute and read and write

51D0000

trusted library section

page readonly

543E000

stack

page read and write

1740000

heap

page read and write

2D04000

heap

page read and write

13F0000

trusted library allocation

page read and write

7222000

trusted library allocation

page read and write

2F8E000

stack

page read and write

1410000

trusted library allocation

page read and write

2FE0000

trusted library allocation

page read and write

1460000

trusted library allocation

page read and write

323E000

trusted library allocation

page read and write

14BB000

heap

page read and write

77FE000

stack

page read and write

51A0000

trusted library allocation

page read and write

6E6E000

stack

page read and write

52DC000

stack

page read and write

14B0000

heap

page read and write

1413000

trusted library allocation

page execute and read and write

4DBF000

trusted library allocation

page read and write

6A3F000

stack

page read and write

E30000

trusted library allocation

page read and write

69BE000

stack

page read and write

3297000

trusted library allocation

page read and write

5649000

trusted library allocation

page read and write

12AE000

stack

page read and write

51B0000

trusted library allocation

page execute and read and write

5655000

trusted library allocation

page read and write

4EB0000

heap

page read and write

5AB0000

heap

page execute and read and write

13CE000

stack

page read and write

5A54000

heap

page read and write

5250000

trusted library allocation

page read and write

2E8E000

stack

page read and write

2670000

trusted library allocation

page read and write

2CEC000

heap

page read and write

E3D000

trusted library allocation

page execute and read and write

5A3D000

stack

page read and write

4D8E000

trusted library allocation

page read and write

14AE000

stack

page read and write

1414000

trusted library allocation

page read and write

4D91000

trusted library allocation

page read and write

1544000

heap

page read and write

64BE000

stack

page read and write

4D7B000

trusted library allocation

page read and write

47F000

stack

page read and write

3000000

heap

page execute and read and write

1420000

trusted library allocation

page read and write

327F000

trusted library allocation

page read and write

E4A000

trusted library allocation

page execute and read and write

2C9E000

stack

page read and write

51F0000

heap

page read and write

2FCC000

stack

page read and write

A50000

heap

page read and write

4169000

trusted library allocation

page read and write

4D7E000

trusted library allocation

page read and write

5170000

trusted library allocation

page execute and read and write

4D74000

trusted library allocation

page read and write

1230000

heap

page read and write

5A20000

heap

page read and write

2FE4000

trusted library allocation

page read and write

E60000

heap

page read and write

32F0000

trusted library allocation

page read and write

14E5000

heap

page read and write

660A000

heap

page read and write

15AB000

heap

page read and write

14C000

stack

page read and write

4DD0000

trusted library allocation

page read and write

26DE000

stack

page read and write

4DB0000

trusted library allocation

page read and write

5A7E000

stack

page read and write

4D70000

trusted library allocation

page read and write

65BE000

stack

page read and write

6E1C000

stack

page read and write

57C0000

heap

page read and write

14F5000

heap

page read and write

5C0000

heap

page read and write

6B7E000

stack

page read and write

2C5E000

unkown

page read and write

5646000

trusted library allocation

page read and write

E46000

trusted library allocation

page execute and read and write

400000

remote allocation

page execute and read and write

1240000

heap

page read and write

687F000

stack

page read and write

993000

heap

page read and write

505E000

stack

page read and write

3287000

trusted library allocation

page read and write

A70000

heap

page read and write

6A7E000

stack

page read and write

2CE0000

heap

page read and write

4DE0000

trusted library allocation

page read and write

9B0000

heap

page read and write

5A90000

trusted library allocation

page read and write

D10000

heap

page read and write

4EB3000

heap

page read and write

4DA2000

trusted library allocation

page read and write

1F0000

heap

page read and write

4141000

trusted library allocation

page read and write

1777000

heap

page read and write

5710000

heap

page read and write

537D000

stack

page read and write

67FF000

stack

page read and write

B8E000

stack

page read and write

950000

heap

page read and write

6CA0000

heap

page read and write

32C3000

trusted library allocation

page read and write

56FD000

stack

page read and write

5CBE000

stack

page read and write

65C0000

heap

page read and write

1430000

trusted library allocation

page read and write

2FD0000

trusted library allocation

page read and write

4D9D000

trusted library allocation

page read and write

730000

heap

page read and write

2650000

heap

page read and write

329B000

trusted library allocation

page read and write

2630000

heap

page read and write

3220000

trusted library allocation

page read and write

2690000

heap

page execute and read and write

6F6E000

stack

page read and write

95E000

heap

page read and write

524B000

stack

page read and write

7600000

heap

page read and write

5160000

trusted library allocation

page read and write

43E000

stack

page read and write

5180000

trusted library section

page read and write

3246000

trusted library allocation

page read and write

1400000

heap

page read and write

E57000

trusted library allocation

page execute and read and write

3120000

trusted library allocation

page read and write

1760000

trusted library allocation

page execute and read and write

144B000

trusted library allocation

page execute and read and write

There are 244 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
H3fwQALXDX.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportH3fwQALXDX.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
H3fwQALXDX.exe