Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

r8gcHFIf3x.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.468570783071018
Filename:	r8gcHFIf3x.exe
Filesize:	334336
MD5:	71e459322fc143c6f54fa4075bbea27f
SHA1:	91926031ae3212e02ac61236d89fc5e7cdb82655
SHA256:	0515dceafb2ac3a01d779111aabc07e0876b573b67df42af4e183243e7c506ff
SHA512:	d9cc7475086ba0e9818a49a2cd45d93d6e310a1c22d0c274a409b4124de982b5722ae5627aab49c8b47ff81d5b352e456ca8e7ce18a3e07d225f491e74963b9d
SSDEEP:	3072:iL30wxqS8+kb5g8InQO6J2l4mJe7UmuLchHPHo4bqRH33qGCNxxO7:40Klmbc/l4miUdLchvo4OlnqR
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."g.....................(......^.... ... ....@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary	Security Software Discovery
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation	Software Packing Security Software Discovery
.NET source code contains potential unpacker	Data Obfuscation
Drops PE files with benign system names	Persistence and Installation Behavior	Masquerading Security Software Discovery
Machine Learning detection for sample	AV Detection
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion
Sample uses string decryption to hide its real strings	AV Detection
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Windows Management Instrumentation
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a start menu entry (Start Menu\Programs\Startup)	Boot Survival	Security Software Discovery
Detected potential crypto function	System Summary	Security Software Discovery Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Security Software Discovery
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder Security Software Discovery
Uses 32bit PE files	Compliance, System Summary
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates an autostart registry key	Boot Survival	Security Software Discovery
Creates files inside the user directory	System Summary
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
Drops files with a known system name (to hide its detection)
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking	Security Software Discovery
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\svchost.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\svchost.exe
Category:	dropped
Dump:	svchost.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\r8gcHFIf3x.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.468570783071018
Encrypted:	false
Ssdeep:	3072:iL30wxqS8+kb5g8InQO6J2l4mJe7UmuLchHPHo4bqRH33qGCNxxO7:40Klmbc/l4miUdLchvo4OlnqR
Size:	334336
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Drops PE files with benign system names	Persistence and Installation Behavior	Masquerading
Machine Learning detection for dropped file	AV Detection
Sigma detected: Files With System Process Name In Unsuspected Locations	System Summary
Sigma detected: System File Execution Location Anomaly	System Summary
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Drops files with a known system name (to hide its detection)
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log
Category:	dropped
Dump:	svchost.exe.log.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Users\user\AppData\Roaming\svchost.exe
Type:	CSV text
Entropy:	5.380476433908377
Encrypted:	false
Ssdeep:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
Size:	654
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Oct 31 18:08:58 2024, mtime=Thu Oct 31 18:08:58 2024, atime=Thu Oct 31 18:08:58 2024, length=334336, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
Category:	dropped
Dump:	svchost.lnk.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\r8gcHFIf3x.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Oct 31 18:08:58 2024, mtime=Thu Oct 31 18:08:58 2024, atime=Thu Oct 31 18:08:58 2024, length=334336, window=hide
Entropy:	5.04266228406803
Encrypted:	false
Ssdeep:	12:8Btyt0124WIhWCJgdY//DIIJLyt5kBWjAsMrHknkvIBmV:8BtytmBgcg+UeI3AsMIn3Bm
Size:	764
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates a start menu entry (Start Menu\Programs\Startup)	Boot Survival	Registry Run Keys / Startup Folder
Sigma detected: Startup Folder File Write	System Summary
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\r8gcHFIf3x.exe

"C:\Users\user\Desktop\r8gcHFIf3x.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6200
Target ID:	0
Parent PID:	2580
Name:	r8gcHFIf3x.exe
Path:	C:\Users\user\Desktop\r8gcHFIf3x.exe
Commandline:	"C:\Users\user\Desktop\r8gcHFIf3x.exe"
Size:	334336
MD5:	71E459322FC143C6F54FA4075BBEA27F
Time:	15:08:53
Date:	31/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xf20000
Modulesize:	360448
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sample uses string decryption to hide its real strings	AV Detection
Sigma detected: Files With System Process Name In Unsuspected Locations	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Startup Folder File Write	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\svchost.exe

"C:\Users\user\AppData\Roaming\svchost.exe"

Details

Is windows:	false
Is dropped:	true
PID:	5040
Target ID:	1
Parent PID:	2580
Name:	svchost.exe
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Commandline:	"C:\Users\user\AppData\Roaming\svchost.exe"
Size:	334336
MD5:	71E459322FC143C6F54FA4075BBEA27F
Time:	15:09:08
Date:	31/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x560000
Modulesize:	360448
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Drops PE files with benign system names	Persistence and Installation Behavior	Masquerading
Sample uses string decryption to hide its real strings	AV Detection
Sigma detected: Files With System Process Name In Unsuspected Locations	System Summary
Sigma detected: System File Execution Location Anomaly	System Summary
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates files inside the user directory	System Summary	Masquerading
Drops files with a known system name (to hide its detection)
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
Windows shortcut file (LNK) contains relative path	System Summary

C:\Users\user\AppData\Roaming\svchost.exe

"C:\Users\user\AppData\Roaming\svchost.exe"

Details

Is windows:	false
Is dropped:	true
PID:	5956
Target ID:	3
Parent PID:	2580
Name:	svchost.exe
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Commandline:	"C:\Users\user\AppData\Roaming\svchost.exe"
Size:	334336
MD5:	71E459322FC143C6F54FA4075BBEA27F
Time:	15:09:16
Date:	31/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x730000
Modulesize:	360448
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Drops PE files with benign system names	Persistence and Installation Behavior	Masquerading
Sample uses string decryption to hide its real strings	AV Detection
Sigma detected: Files With System Process Name In Unsuspected Locations	System Summary
Sigma detected: System File Execution Location Anomaly	System Summary
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates files inside the user directory	System Summary	Masquerading
Drops files with a known system name (to hide its detection)
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
Windows shortcut file (LNK) contains relative path	System Summary

URLs

Name

Malicious

23.ip.gl.ply.gg

Details

Name:	23.ip.gl.ply.gg
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\r8gcHFIf3x.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

127.0.0.1

Details

Name:	127.0.0.1
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\r8gcHFIf3x.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Domains

Name

Malicious

23.ip.gl.ply.gg

147.185.221.23

Details

Name:	23.ip.gl.ply.gg
IP:	147.185.221.23
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

147.185.221.23

23.ip.gl.ply.gg

United States

Details

IP:	147.185.221.23
TargetID:	0
Current Path:	C:\Users\user\Desktop\r8gcHFIf3x.exe
Country:	United States
Countrycode:	USA
ASN number:	12087
ASN name:	SALSGIVERUS
Private:	false
Domain:	23.ip.gl.ply.gg

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

127.0.0.1

unknown

Details

IP:	127.0.0.1
TargetID:	0
Current Path:	C:\Users\user\Desktop\r8gcHFIf3x.exe
Private:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

svchost

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	svchost
Value data:	C:\Users\user\AppData\Roaming\svchost.exe

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

Memdumps

Base Address

Regiontype

Protect

Malicious

13251000

trusted library allocation

page read and write

F22000

unkown

page readonly

2BAC000

trusted library allocation

page read and write

13241000

trusted library allocation

page read and write

12FF000

stack

page read and write

1610000

heap

page read and write

1326000

heap

page read and write

138E000

heap

page read and write

17BE000

stack

page read and write

160E000

stack

page read and write

9B0000

trusted library allocation

page read and write

14F0000

heap

page read and write

7FFD9B820000

trusted library allocation

page read and write

FD0000

heap

page execute and read and write

1102000

heap

page read and write

E00000

heap

page read and write

1BC00000

heap

page execute and read and write

1C1AE000

stack

page read and write

1C7FF000

stack

page read and write

7FFD9B794000

trusted library allocation

page read and write

AF4000

stack

page read and write

A41000

heap

page read and write

1329A000

trusted library allocation

page read and write

C2D000

heap

page read and write

A2D000

heap

page read and write

970000

heap

page read and write

C3F000

heap

page read and write

9F0000

heap

page execute and read and write

1C2B0000

heap

page read and write

7FFD9B932000

trusted library allocation

page read and write

7FFD9B794000

trusted library allocation

page read and write

3444000

trusted library allocation

page read and write

3130000

heap

page read and write

12BA8000

trusted library allocation

page read and write

7FFD9B7A4000

trusted library allocation

page read and write

3241000

trusted library allocation

page read and write

AC6000

heap

page read and write

F0F000

stack

page read and write

F74000

unkown

page readonly

2BB1000

trusted library allocation

page read and write

1CB9A000

stack

page read and write

7FFD9B850000

trusted library allocation

page execute and read and write

7FFD9B876000

trusted library allocation

page execute and read and write

7FFD9B793000

trusted library allocation

page execute and read and write

1C790000

heap

page read and write

3063000

trusted library allocation

page read and write

12BA1000

trusted library allocation

page read and write

B02000

heap

page read and write

1B5C6000

heap

page read and write

1360000

heap

page read and write

1CAFE000

stack

page read and write

7FFD9B7A0000

trusted library allocation

page read and write

1BEAE000

stack

page read and write

1002000

heap

page read and write

C41000

heap

page read and write

A0B000

heap

page read and write

F80000

heap

page read and write

1C6FF000

stack

page read and write

7FF414870000

trusted library allocation

page execute and read and write

129A8000

trusted library allocation

page read and write

7FFD9B8B0000

trusted library allocation

page execute and read and write

1880000

heap

page read and write

1CA9C000

stack

page read and write

A4B000

heap

page read and write

7FFD9B793000

trusted library allocation

page execute and read and write

A13000

heap

page read and write

FCE000

stack

page read and write

1C72E000

stack

page read and write

138C000

heap

page read and write

29AC000

trusted library allocation

page read and write

1102000

heap

page read and write

7FFD9B82C000

trusted library allocation

page execute and read and write

C24000

heap

page read and write

1B270000

trusted library allocation

page read and write

3030000

trusted library allocation

page read and write

1300000

heap

page read and write

9D0000

trusted library allocation

page read and write

7FFD9B876000

trusted library allocation

page execute and read and write

A28000

heap

page read and write

7FFD9B783000

trusted library allocation

page read and write

7FFD9B912000

trusted library allocation

page read and write

1C53F000

stack

page read and write

1C9FE000

stack

page read and write

3060000

trusted library allocation

page read and write

7FFD9B773000

trusted library allocation

page execute and read and write

7FFD9B7B0000

trusted library allocation

page read and write

1AE1D000

stack

page read and write

1352000

heap

page read and write

7FFD9B790000

trusted library allocation

page read and write

7FFD9B7AD000

trusted library allocation

page execute and read and write

1350000

heap

page read and write

7FFD9B8B0000

trusted library allocation

page execute and read and write

A26000

heap

page read and write

C13000

heap

page read and write

12BA3000

trusted library allocation

page read and write

7FFD9B7EC000

trusted library allocation

page execute and read and write

3050000

trusted library allocation

page read and write

7FFD9B830000

trusted library allocation

page execute and read and write

CC3000

heap

page read and write

B00000

heap

page read and write

A46000

heap

page read and write

F10000

heap

page read and write

A38000

heap

page read and write

7FFD9B774000

trusted library allocation

page read and write

F50000

trusted library allocation

page read and write

1C5A4000

stack

page read and write

930000

heap

page read and write

1C8FE000

stack

page read and write

AD3000

heap

page read and write

2B9E000

stack

page read and write

560000

unkown

page readonly

A00000

heap

page read and write

3120000

heap

page execute and read and write

B20000

heap

page read and write

1BC10000

heap

page read and write

1320000

heap

page read and write

1885000

heap

page read and write

ECE000

stack

page read and write

2BA1000

trusted library allocation

page read and write

13E3000

heap

page read and write

2BAF000

trusted library allocation

page read and write

1C602000

heap

page read and write

7FFD9B826000

trusted library allocation

page read and write

7FFD9B79D000

trusted library allocation

page execute and read and write

1AF2E000

stack

page read and write

C77000

heap

page read and write

960000

heap

page read and write

1C0FD000

stack

page read and write

13E1000

heap

page read and write

7FFD9B78D000

trusted library allocation

page execute and read and write

323E000

stack

page read and write

7FFD9B920000

trusted library allocation

page execute and read and write

AAC000

heap

page read and write

AA2000

heap

page read and write

950000

heap

page read and write

132C000

heap

page read and write

7FFD9B770000

trusted library allocation

page read and write

7FFD9B840000

trusted library allocation

page read and write

1C362000

heap

page read and write

7FFD9B780000

trusted library allocation

page read and write

C43000

heap

page read and write

C00000

heap

page read and write

9E0000

heap

page read and write

CC0000

heap

page read and write

C9A000

heap

page read and write

1C402000

heap

page read and write

7FFD9B79D000

trusted library allocation

page execute and read and write

1C0AE000

stack

page read and write

C38000

heap

page read and write

FD0000

heap

page read and write

1BFAE000

stack

page read and write

DCE000

stack

page read and write

7FFD9B932000

trusted library allocation

page read and write

1BC63000

heap

page read and write

A88000

heap

page read and write

F32000

unkown

page readonly

F70000

trusted library allocation

page read and write

7FFD9B7A4000

trusted library allocation

page read and write

C51000

heap

page read and write

F90000

heap

page execute and read and write

1AE20000

heap

page execute and read and write

129A3000

trusted library allocation

page read and write

A51000

heap

page read and write

7FFD9B7CC000

trusted library allocation

page execute and read and write

C11000

heap

page read and write

1393000

heap

page read and write

CB8000

heap

page read and write

FA0000

heap

page read and write

134B000

heap

page read and write

177C000

stack

page read and write

7FFD9B7EC000

trusted library allocation

page execute and read and write

29A1000

trusted library allocation

page read and write

7FFD9B890000

trusted library allocation

page execute and read and write

1C8FE000

stack

page read and write

13248000

trusted library allocation

page read and write

7FFD9B79D000

trusted library allocation

page execute and read and write

F20000

unkown

page readonly

1340000

heap

page read and write

1C99C000

stack

page read and write

C22000

heap

page read and write

1363000

heap

page read and write

C46000

heap

page read and write

C3C000

heap

page read and write

1BC60000

heap

page read and write

7FFD9B77D000

trusted library allocation

page execute and read and write

1002000

heap

page read and write

129A1000

trusted library allocation

page read and write

D02000

heap

page read and write

1665000

heap

page read and write

8F4000

stack

page read and write

1630000

heap

page read and write

1660000

heap

page read and write

1B7CD000

stack

page read and write

7FFD9B7AD000

trusted library allocation

page execute and read and write

1C2DF000

heap

page read and write

7FFD9B856000

trusted library allocation

page execute and read and write

12F4000

stack

page read and write

1C4AA000

stack

page read and write

A3E000

heap

page read and write

There are 189 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
r8gcHFIf3x.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportr8gcHFIf3x.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
r8gcHFIf3x.exe