Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

7vwfhMuUQg.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.304137350958184
Filename:	7vwfhMuUQg.exe
Filesize:	532992
MD5:	87c41e117d5bf575fc5bd9dd9386e2aa
SHA1:	1ab94afc06ca89c564f43141281051aae9494086
SHA256:	e2b79e37d4a34bcab883b0de55809ab1be398fee99cde2fcb0058bac413192f7
SHA512:	16c43e53f8d613d18bea8470917f023618d86bde991d175434fd2171f025dfea33901faca8e2667379e81a318cc1db29637bd9880192607d5fea860e3afa29a3
SSDEEP:	6144:sTVFZInd6Xcfg9UZndhc7KFCEBbDlRPBUYLvyvvRFBZrrfXB0JaTc0ApziCbI:s5kndmHuxV/JUJDBZrSJaTopzi8I
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............~6... ...@....@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Encrypted Channel
Enables debug privileges	Anti Debugging
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Software Packing
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools Obfuscated Files or Information
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7vwfhMuUQg.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7vwfhMuUQg.exe.log
Category:	dropped
Dump:	7vwfhMuUQg.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\7vwfhMuUQg.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\7vwfhMuUQg.exe

"C:\Users\user\Desktop\7vwfhMuUQg.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5824
Target ID:	0
Parent PID:	4004
Name:	7vwfhMuUQg.exe
Path:	C:\Users\user\Desktop\7vwfhMuUQg.exe
Commandline:	"C:\Users\user\Desktop\7vwfhMuUQg.exe"
Size:	532992
MD5:	87C41E117D5BF575FC5BD9DD9386E2AA
Time:	10:31:30
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x470000
Modulesize:	557056
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\7vwfhMuUQg.exe

"C:\Users\user\Desktop\7vwfhMuUQg.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6600
Target ID:	2
Parent PID:	5824
Name:	7vwfhMuUQg.exe
Path:	C:\Users\user\Desktop\7vwfhMuUQg.exe
Commandline:	"C:\Users\user\Desktop\7vwfhMuUQg.exe"
Size:	532992
MD5:	87C41E117D5BF575FC5BD9DD9386E2AA
Time:	10:31:31
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xe0000
Modulesize:	557056
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\7vwfhMuUQg.exe"

Details

Is windows:	true
Is dropped:	false
PID:	2740
Target ID:	4
Parent PID:	6600
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\7vwfhMuUQg.exe"
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	10:31:39
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1c0000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Self deletion via cmd or bat file	Hooking and other Techniques for Hiding and Protection	File Deletion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	1472
Target ID:	5
Parent PID:	2740
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	10:31:39
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

Details

Is windows:	true
Is dropped:	false
PID:	5020
Target ID:	6
Parent PID:	2740
Name:	choice.exe
Path:	C:\Windows\SysWOW64\choice.exe
Commandline:	choice /C Y /N /D Y /T 3
Size:	28160
MD5:	FCE0E41C87DC4ABBE976998AD26C27E4
Time:	10:31:39
Date:	03/07/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x830000
Modulesize:	40960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://reallyfreegeoip.org

unknown

http://checkip.dyndns.org

unknown

http://checkip.dyndns.org/

132.226.247.73

http://checkip.dyndns.com

unknown

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.96.3

https://reallyfreegeoip.org/xml/8.46.123.33$

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://103.130.147.85

unknown

http://checkip.dyndns.org/q

unknown

http://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 1 hidden URLs, click here to show them.

Domains

Name

Malicious

reallyfreegeoip.org

188.114.96.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.96.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

132.226.247.73

IPs

Domain

Country

Malicious

188.114.96.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.96.3
TargetID:	2
Current Path:	C:\Users\user\Desktop\7vwfhMuUQg.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

132.226.247.73

checkip.dyndns.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\7vwfhMuUQg_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\7vwfhMuUQg_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\7vwfhMuUQg_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\7vwfhMuUQg_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\7vwfhMuUQg_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\7vwfhMuUQg_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\7vwfhMuUQg_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\7vwfhMuUQg_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\7vwfhMuUQg_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\7vwfhMuUQg_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\7vwfhMuUQg_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\7vwfhMuUQg_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\7vwfhMuUQg_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\7vwfhMuUQg_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

532000

remote allocation

page execute and read and write

3889000

trusted library allocation

page read and write

2591000

trusted library allocation

page read and write

23A0000

heap

page read and write

2416000

trusted library allocation

page read and write

CF2000

trusted library allocation

page read and write

900000

heap

page read and write

6CB0000

heap

page read and write

71AE000

stack

page read and write

CDD000

trusted library allocation

page execute and read and write

2D4F000

unkown

page read and write

263B000

trusted library allocation

page read and write

4D90000

trusted library allocation

page execute and read and write

B3F000

stack

page read and write

5B00000

trusted library allocation

page read and write

A90000

heap

page read and write

28F0000

heap

page read and write

49D000

stack

page read and write

2480000

heap

page execute and read and write

2643000

trusted library allocation

page read and write

4CE1000

trusted library allocation

page read and write

87E000

stack

page read and write

5AEE000

stack

page read and write

5B64000

heap

page read and write

81F000

stack

page read and write

72AE000

stack

page read and write

4D50000

heap

page read and write

886000

trusted library allocation

page execute and read and write

51E3000

heap

page read and write

5430000

trusted library allocation

page read and write

531C000

stack

page read and write

E80000

trusted library allocation

page execute and read and write

2B74000

heap

page read and write

A08000

heap

page read and write

81D000

trusted library allocation

page execute and read and write

5A6F000

stack

page read and write

E7E000

stack

page read and write

23F4000

trusted library allocation

page read and write

26CC000

trusted library allocation

page read and write

4F7000

stack

page read and write

E30000

trusted library allocation

page read and write

2396000

trusted library allocation

page read and write

57EE000

stack

page read and write

2A00000

heap

page read and write

2690000

trusted library allocation

page read and write

470000

unkown

page readonly

26D8000

trusted library allocation

page read and write

5B25000

heap

page read and write

5293000

trusted library allocation

page read and write

2760000

trusted library allocation

page read and write

2694000

trusted library allocation

page read and write

45C000

stack

page read and write

5180000

heap

page read and write

4E7E000

trusted library allocation

page read and write

4CCB000

trusted library allocation

page read and write

26D0000

trusted library allocation

page read and write

2750000

trusted library allocation

page read and write

26E0000

trusted library allocation

page read and write

4E77000

trusted library allocation

page read and write

612D000

stack

page read and write

530000

remote allocation

page execute and read and write

2B5C000

heap

page read and write

510000

heap

page read and write

5B30000

heap

page read and write

4D60000

heap

page read and write

52B0000

trusted library allocation

page read and write

6F2E000

stack

page read and write

2770000

heap

page read and write

5CEE000

stack

page read and write

26F4000

trusted library allocation

page read and write

A4E000

stack

page read and write

800000

trusted library allocation

page read and write

3597000

trusted library allocation

page read and write

53F0000

trusted library allocation

page execute and read and write

4CDE000

trusted library allocation

page read and write

6CBE000

heap

page read and write

4D8C000

trusted library allocation

page read and write

2425000

trusted library allocation

page read and write

4E60000

trusted library allocation

page read and write

6F0000

heap

page read and write

5E6F000

stack

page read and write

29BE000

unkown

page read and write

4DAD000

stack

page read and write

CED000

trusted library allocation

page execute and read and write

5E2D000

stack

page read and write

283D000

stack

page read and write

5FDC000

stack

page read and write

CFA000

trusted library allocation

page execute and read and write

51EC000

heap

page read and write

91A000

heap

page read and write

5280000

trusted library allocation

page read and write

9B4000

heap

page read and write

E90000

heap

page read and write

CF6000

trusted library allocation

page execute and read and write

5340000

heap

page read and write

5330000

heap

page read and write

94A000

heap

page read and write

CC0000

trusted library allocation

page read and write

56EE000

stack

page read and write

6DEE000

stack

page read and write

2656000

trusted library allocation

page read and write

26F0000

heap

page execute and read and write

6EEE000

stack

page read and write

5320000

trusted library section

page readonly

4A0D000

stack

page read and write

2990000

trusted library allocation

page read and write

C6F000

stack

page read and write

A37000

heap

page read and write

4D8A000

trusted library allocation

page read and write

5291000

trusted library allocation

page read and write

98D000

heap

page read and write

A60000

heap

page read and write

CE0000

trusted library allocation

page read and write

2394000

trusted library allocation

page read and write

898000

heap

page read and write

2430000

trusted library allocation

page read and write

2715000

trusted library allocation

page read and write

4CED000

trusted library allocation

page read and write

2970000

heap

page read and write

2390000

trusted library allocation

page read and write

4E80000

heap

page read and write

5F0000

heap

page read and write

CD0000

trusted library allocation

page read and write

E2E000

stack

page read and write

9FE000

stack

page read and write

CAE000

stack

page read and write

5420000

trusted library allocation

page execute and read and write

D02000

trusted library allocation

page read and write

620000

heap

page read and write

26E8000

trusted library allocation

page read and write

5CF0000

heap

page read and write

5BAE000

stack

page read and write

7DE000

stack

page read and write

992000

heap

page read and write

275F000

trusted library allocation

page read and write

272C000

trusted library allocation

page read and write

268C000

trusted library allocation

page read and write

79F000

stack

page read and write

702F000

stack

page read and write

2671000

trusted library allocation

page read and write

997000

trusted library allocation

page execute and read and write

CD3000

trusted library allocation

page execute and read and write

952000

heap

page read and write

88A000

trusted library allocation

page execute and read and write

5B40000

heap

page read and write

5F0000

heap

page read and write

4B30000

heap

page read and write

2EB0000

heap

page read and write

813000

trusted library allocation

page execute and read and write

5BEE000

stack

page read and write

D0B000

trusted library allocation

page execute and read and write

582E000

stack

page read and write

287F000

stack

page read and write

A10000

heap

page read and write

4CE6000

trusted library allocation

page read and write

60E0000

heap

page read and write

890000

heap

page read and write

A30000

heap

page read and write

1FB000

stack

page read and write

2683000

trusted library allocation

page read and write

5B20000

heap

page read and write

2EC0000

heap

page read and write

2765000

trusted library allocation

page read and write

51EA000

heap

page read and write

CD4000

trusted library allocation

page read and write

97C000

heap

page read and write

26FF000

trusted library allocation

page read and write

716E000

stack

page read and write

29FE000

stack

page read and write

4CF2000

trusted library allocation

page read and write

2450000

trusted library allocation

page read and write

8F7000

stack

page read and write

6B0000

heap

page read and write

880000

trusted library allocation

page read and write

2404000

trusted library allocation

page read and write

2B73000

heap

page read and write

502E000

stack

page read and write

4A4E000

stack

page read and write

4DD0000

heap

page execute and read and write

706E000

stack

page read and write

73B2000

trusted library allocation

page read and write

992000

trusted library allocation

page read and write

596D000

stack

page read and write

4D20000

trusted library allocation

page read and write

52A0000

trusted library section

page read and write

4E70000

trusted library allocation

page read and write

75E000

stack

page read and write

2636000

trusted library allocation

page read and write

592E000

stack

page read and write

258F000

stack

page read and write

5D3E000

heap

page read and write

E97000

heap

page read and write

512E000

stack

page read and write

26E0000

trusted library allocation

page read and write

4E83000

heap

page read and write

2380000

trusted library allocation

page read and write

3591000

trusted library allocation

page read and write

882000

trusted library allocation

page read and write

4FDE000

stack

page read and write

628000

heap

page read and write

590000

heap

page read and write

810000

trusted library allocation

page read and write

A00000

trusted library allocation

page execute and read and write

23EC000

stack

page read and write

A95000

heap

page read and write

910000

heap

page read and write

23FE000

trusted library allocation

page read and write

4E0000

heap

page read and write

6AE000

stack

page read and write

5130000

trusted library section

page read and write

4CC0000

trusted library allocation

page read and write

501E000

stack

page read and write

4A80000

heap

page read and write

5296000

trusted library allocation

page read and write

4A60000

trusted library allocation

page read and write

98B000

heap

page read and write

35B9000

trusted library allocation

page read and write

52C0000

trusted library allocation

page read and write

60DC000

stack

page read and write

7FE000

stack

page read and write

2B50000

heap

page read and write

273C000

stack

page read and write

4D8F000

trusted library allocation

page read and write

9D2000

heap

page read and write

2740000

trusted library allocation

page read and write

4D80000

trusted library allocation

page read and write

58A000

stack

page read and write

820000

trusted library allocation

page read and write

3881000

trusted library allocation

page read and write

CF0000

trusted library allocation

page read and write

958000

heap

page read and write

8BA000

heap

page read and write

4D00000

trusted library allocation

page read and write

270A000

trusted library allocation

page read and write

91E000

heap

page read and write

2411000

trusted library allocation

page read and write

472000

unkown

page readonly

2A20000

heap

page read and write

497D000

stack

page read and write

814000

trusted library allocation

page read and write

8C7000

heap

page read and write

D07000

trusted library allocation

page execute and read and write

830000

heap

page read and write

4EDE000

stack

page read and write

4D70000

heap

page execute and read and write

4E7C000

trusted library allocation

page read and write

26E4000

trusted library allocation

page read and write

D20000

heap

page read and write

293D000

stack

page read and write

99B000

trusted library allocation

page execute and read and write

6F5000

heap

page read and write

2E4F000

stack

page read and write

26DC000

trusted library allocation

page read and write

9B0000

trusted library allocation

page read and write

2419000

trusted library allocation

page read and write

51E8000

heap

page read and write

622F000

stack

page read and write

26D4000

trusted library allocation

page read and write

5AAE000

stack

page read and write

468C000

stack

page read and write

918000

heap

page read and write

2881000

trusted library allocation

page read and write

There are 252 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
7vwfhMuUQg.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report7vwfhMuUQg.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
7vwfhMuUQg.exe