Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

JgRVqrgNs4.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.149905623090227
Filename:	JgRVqrgNs4.exe
Filesize:	550400
MD5:	119685d67c747bc9fe473e98d4f37f48
SHA1:	12523edc262cf3c0e37be13a2aa2e49db7043439
SHA256:	e80d50169fc57630d4b0c5c53a321ccd86797779bababefff31268224f1a4163
SHA512:	bcf5fd9f4eb4d62529f16afea7315197e1779493646b0c2db9ee4bda7cb965122fa77d80476f07af4b52afe48f18e0b8a1a8f8ea67b6e55b17ccdd2fdd080723
SSDEEP:	12288:fn3Kpgo/C7vHH2cJ1JkRA4R06mgJuqsJv/v+MLuSn:vnvHXJkRFRzJ4v/BLB
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...qM................0..\...........{... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Machine Learning detection for sample	AV Detection
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Software Packing
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JgRVqrgNs4.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JgRVqrgNs4.exe.log
Category:	dropped
Dump:	JgRVqrgNs4.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\JgRVqrgNs4.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\JgRVqrgNs4.exe

"C:\Users\user\Desktop\JgRVqrgNs4.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5256
Target ID:	0
Parent PID:	4056
Name:	JgRVqrgNs4.exe
Path:	C:\Users\user\Desktop\JgRVqrgNs4.exe
Commandline:	"C:\Users\user\Desktop\JgRVqrgNs4.exe"
Size:	550400
MD5:	119685D67C747BC9FE473E98D4F37F48
Time:	10:27:15
Date:	01/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xef0000
Modulesize:	573440
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\JgRVqrgNs4.exe

"C:\Users\user\Desktop\JgRVqrgNs4.exe"

Details

Is windows:	false
Is dropped:	false
PID:	820
Target ID:	2
Parent PID:	5256
Name:	JgRVqrgNs4.exe
Path:	C:\Users\user\Desktop\JgRVqrgNs4.exe
Commandline:	"C:\Users\user\Desktop\JgRVqrgNs4.exe"
Size:	550400
MD5:	119685D67C747BC9FE473E98D4F37F48
Time:	10:27:16
Date:	01/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc50000
Modulesize:	573440
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\JgRVqrgNs4.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6836
Target ID:	4
Parent PID:	820
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\JgRVqrgNs4.exe"
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	10:27:28
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x410000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	1156
Target ID:	5
Parent PID:	6836
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	10:27:28
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff75da10000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

Details

Is windows:	true
Is dropped:	false
PID:	1588
Target ID:	6
Parent PID:	6836
Name:	choice.exe
Path:	C:\Windows\SysWOW64\choice.exe
Commandline:	choice /C Y /N /D Y /T 3
Size:	28160
MD5:	FCE0E41C87DC4ABBE976998AD26C27E4
Time:	10:27:29
Date:	01/07/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xdd0000
Modulesize:	40960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://reallyfreegeoip.org

unknown

http://checkip.dyndns.org

unknown

http://checkip.dyndns.org/

193.122.6.168

http://checkip.dyndns.com

unknown

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.96.3

https://reallyfreegeoip.org/xml/8.46.123.33$

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://103.130.147.85

unknown

http://checkip.dyndns.org/q

unknown

http://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 1 hidden URLs, click here to show them.

Domains

Name

Malicious

reallyfreegeoip.org

188.114.96.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.96.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

193.122.6.168

IPs

Domain

Country

Malicious

188.114.96.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.96.3
TargetID:	2
Current Path:	C:\Users\user\Desktop\JgRVqrgNs4.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

193.122.6.168

checkip.dyndns.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\JgRVqrgNs4_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\JgRVqrgNs4_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\JgRVqrgNs4_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\JgRVqrgNs4_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\JgRVqrgNs4_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\JgRVqrgNs4_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\JgRVqrgNs4_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\JgRVqrgNs4_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\JgRVqrgNs4_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\JgRVqrgNs4_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\JgRVqrgNs4_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\JgRVqrgNs4_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\JgRVqrgNs4_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\JgRVqrgNs4_RASMANCS

FileDirectory

There are 4 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2FE1000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

42C9000

trusted library allocation

page read and write

5CB0000

trusted library section

page readonly

5790000

trusted library allocation

page read and write

6510000

trusted library allocation

page read and write

145A000

heap

page read and write

30E6000

trusted library allocation

page read and write

1A80000

heap

page execute and read and write

113E000

stack

page read and write

579D000

stack

page read and write

1680000

trusted library allocation

page read and write

64DE000

stack

page read and write

166B000

trusted library allocation

page execute and read and write

5950000

trusted library allocation

page read and write

54F0000

trusted library allocation

page read and write

312E000

trusted library allocation

page read and write

1643000

trusted library allocation

page read and write

59AE000

stack

page read and write

5D97000

heap

page read and write

5CC0000

heap

page read and write

163D000

trusted library allocation

page execute and read and write

1660000

trusted library allocation

page read and write

5DD1000

heap

page read and write

3147000

trusted library allocation

page read and write

64F0000

trusted library allocation

page read and write

57E0000

trusted library allocation

page read and write

1450000

trusted library allocation

page read and write

5810000

heap

page execute and read and write

53FD000

stack

page read and write

11A0000

heap

page read and write

5766000

trusted library allocation

page read and write

60DE000

stack

page read and write

13CE000

stack

page read and write

1A64000

trusted library allocation

page read and write

5910000

trusted library allocation

page read and write

6530000

heap

page read and write

54D0000

trusted library allocation

page read and write

1337000

stack

page read and write

5A1E000

stack

page read and write

5DDA000

heap

page read and write

2C9E000

unkown

page read and write

1650000

trusted library allocation

page read and write

DD0000

heap

page read and write

2DEE000

stack

page read and write

1537000

heap

page read and write

3094000

trusted library allocation

page read and write

144E000

stack

page read and write

599E000

stack

page read and write

663E000

stack

page read and write

2DA0000

trusted library allocation

page read and write

30EA000

trusted library allocation

page read and write

1370000

heap

page read and write

1630000

trusted library allocation

page read and write

5780000

trusted library allocation

page read and write

5A20000

heap

page execute and read and write

2D53000

heap

page read and write

5A10000

trusted library allocation

page read and write

AEC000

stack

page read and write

2C50000

heap

page read and write

1A90000

trusted library allocation

page read and write

2CE0000

heap

page read and write

511C000

stack

page read and write

5C1E000

stack

page read and write

308F000

trusted library allocation

page read and write

7C3E000

stack

page read and write

42C1000

trusted library allocation

page read and write

1662000

trusted library allocation

page read and write

59B0000

trusted library section

page read and write

155A000

heap

page read and write

686A000

heap

page read and write

32C1000

trusted library allocation

page read and write

165A000

trusted library allocation

page execute and read and write

58E0000

heap

page read and write

5620000

heap

page read and write

54C6000

trusted library allocation

page read and write

165A000

trusted library allocation

page execute and read and write

13AD000

heap

page read and write

774E000

heap

page read and write

57DE000

stack

page read and write

7D3E000

stack

page read and write

2FDE000

stack

page read and write

313A000

trusted library allocation

page read and write

699E000

stack

page read and write

7070000

heap

page read and write

61DE000

stack

page read and write

52FB000

stack

page read and write

318C000

trusted library allocation

page read and write

1677000

heap

page read and write

3190000

trusted library allocation

page read and write

58C0000

trusted library allocation

page read and write

6B5E000

stack

page read and write

311E000

trusted library allocation

page read and write

D5F000

stack

page read and write

3FE1000

trusted library allocation

page read and write

1405000

heap

page read and write

29ED000

stack

page read and write

14CD000

heap

page read and write

5960000

heap

page read and write

5CD0000

heap

page read and write

6F6E000

stack

page read and write

30BF000

trusted library allocation

page read and write

797E000

stack

page read and write

33D0000

trusted library allocation

page read and write

5C21000

trusted library allocation

page read and write

2EC0000

trusted library allocation

page read and write

575E000

stack

page read and write

64E0000

trusted library allocation

page execute and read and write

69DE000

stack

page read and write

5785000

trusted library allocation

page read and write

1633000

trusted library allocation

page execute and read and write

3098000

trusted library allocation

page read and write

548E000

trusted library allocation

page read and write

1667000

trusted library allocation

page execute and read and write

1630000

trusted library allocation

page read and write

1AB0000

heap

page read and write

2D8E000

stack

page read and write

D6B000

stack

page read and write

66DE000

stack

page read and write

62DE000

stack

page read and write

2CDE000

stack

page read and write

DF0000

heap

page read and write

1AAF000

trusted library allocation

page read and write

787D000

stack

page read and write

1A60000

trusted library allocation

page read and write

5A06000

trusted library allocation

page read and write

1634000

trusted library allocation

page read and write

591A000

trusted library allocation

page read and write

30A7000

trusted library allocation

page read and write

5A0C000

trusted library allocation

page read and write

13A4000

heap

page read and write

575E000

trusted library allocation

page read and write

63DE000

stack

page read and write

7740000

heap

page read and write

10F7000

stack

page read and write

28ED000

stack

page read and write

6EE06000

unkown

page readonly

574B000

trusted library allocation

page read and write

30E2000

trusted library allocation

page read and write

1380000

heap

page read and write

146E000

heap

page read and write

EF0000

unkown

page readonly

3136000

trusted library allocation

page read and write

689A000

heap

page read and write

2ED0000

heap

page read and write

65DE000

stack

page read and write

1634000

trusted library allocation

page read and write

309B000

trusted library allocation

page read and write

319F000

trusted library allocation

page read and write

14A2000

heap

page read and write

1667000

trusted library allocation

page execute and read and write

555D000

stack

page read and write

671E000

stack

page read and write

1239000

stack

page read and write

3155000

trusted library allocation

page read and write

695D000

stack

page read and write

5460000

heap

page read and write

1652000

trusted library allocation

page read and write

312A000

trusted library allocation

page read and write

5484000

trusted library allocation

page read and write

685D000

heap

page read and write

2EA0000

trusted library allocation

page execute and read and write

5C23000

trusted library allocation

page read and write

6F2C000

stack

page read and write

7BFE000

stack

page read and write

DE0000

heap

page read and write

4009000

trusted library allocation

page read and write

5772000

trusted library allocation

page read and write

501C000

stack

page read and write

308C000

trusted library allocation

page read and write

17BF000

stack

page read and write

5CAB000

stack

page read and write

6B9E000

stack

page read and write

5494000

trusted library allocation

page read and write

119D000

stack

page read and write

EF2000

unkown

page readonly

C30000

heap

page read and write

1620000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

5C50000

trusted library allocation

page read and write

3100000

heap

page read and write

6640000

heap

page read and write

6C9F000

stack

page read and write

1656000

trusted library allocation

page execute and read and write

681E000

stack

page read and write

30D4000

trusted library allocation

page read and write

79BE000

stack

page read and write

3163000

trusted library allocation

page read and write

6EDF0000

unkown

page readonly

5A0A000

trusted library allocation

page read and write

70BE000

stack

page read and write

54B5000

trusted library allocation

page read and write

14DB000

heap

page read and write

310E000

stack

page read and write

58E3000

heap

page read and write

1460000

heap

page read and write

166B000

trusted library allocation

page execute and read and write

164D000

trusted library allocation

page execute and read and write

2D20000

heap

page read and write

2D3C000

heap

page read and write

706F000

stack

page read and write

30DE000

trusted library allocation

page read and write

6820000

heap

page read and write

2D30000

heap

page read and write

32B0000

heap

page read and write

5900000

heap

page read and write

59DE000

stack

page read and write

2FFF000

unkown

page read and write

6E2C000

stack

page read and write

DC0000

heap

page read and write

B50000

heap

page read and write

3220000

heap

page read and write

11A5000

heap

page read and write

1650000

trusted library allocation

page read and write

54A6000

trusted library allocation

page read and write

6EDF1000

unkown

page execute read

31AC000

trusted library allocation

page read and write

CBF000

stack

page read and write

6851000

heap

page read and write

6EE0D000

unkown

page read and write

54C0000

trusted library allocation

page read and write

3126000

trusted library allocation

page read and write

71BE000

stack

page read and write

1652000

trusted library allocation

page read and write

31C8000

heap

page read and write

1670000

heap

page read and write

6859000

heap

page read and write

163D000

trusted library allocation

page execute and read and write

1A50000

trusted library allocation

page execute and read and write

137F000

stack

page read and write

1540000

heap

page read and write

6EE0F000

unkown

page readonly

1633000

trusted library allocation

page execute and read and write

CC0000

heap

page read and write

5A00000

trusted library allocation

page read and write

54A9000

trusted library allocation

page read and write

1400000

heap

page read and write

6B1E000

stack

page read and write

1690000

heap

page read and write

1662000

trusted library allocation

page read and write

1640000

trusted library allocation

page read and write

D1E000

stack

page read and write

576D000

trusted library allocation

page read and write

6885000

heap

page read and write

1660000

trusted library allocation

page read and write

320F000

stack

page read and write

5744000

trusted library allocation

page read and write

3087000

trusted library allocation

page read and write

5D80000

heap

page read and write

1AA0000

trusted library allocation

page read and write

3122000

trusted library allocation

page read and write

5C40000

trusted library allocation

page read and write

5761000

trusted library allocation

page read and write

16B0000

heap

page read and write

7AFE000

stack

page read and write

1398000

heap

page read and write

AAC000

stack

page read and write

18BE000

stack

page read and write

54C4000

trusted library allocation

page read and write

3FE7000

trusted library allocation

page read and write

5920000

trusted library allocation

page execute and read and write

1A70000

trusted library allocation

page read and write

7ABE000

stack

page read and write

30A4000

trusted library allocation

page read and write

6650000

heap

page read and write

14CF000

heap

page read and write

31C0000

heap

page read and write

1533000

heap

page read and write

5A0E000

trusted library allocation

page read and write

30FF000

stack

page read and write

13C7000

heap

page read and write

C7E000

stack

page read and write

2E90000

heap

page read and write

5C30000

trusted library section

page read and write

1AB7000

heap

page read and write

1390000

heap

page read and write

5740000

trusted library allocation

page read and write

147F000

heap

page read and write

5E80000

trusted library allocation

page execute and read and write

5C26000

trusted library allocation

page read and write

3132000

trusted library allocation

page read and write

591F000

trusted library allocation

page read and write

5DD5000

heap

page read and write

6ADE000

stack

page read and write

591C000

trusted library allocation

page read and write

2EB0000

heap

page execute and read and write

6535000

heap

page read and write

1656000

trusted library allocation

page execute and read and write

30D6000

trusted library allocation

page read and write

There are 279 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
JgRVqrgNs4.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportJgRVqrgNs4.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
JgRVqrgNs4.exe