Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Download

ur3RqLz9DB.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.1788854442900005
Filename:	ur3RqLz9DB.exe
Filesize:	1197056
MD5:	d444a977328b0f1b5e792a794ccd9fd0
SHA1:	32a67b71ebb303ee25928a1eb76c548d384589b8
SHA256:	07610c4fda6b5d6e8920d8da44a58213ef6c4309c794978477e81ed50f885150
SHA512:	d71d6e38ab5a6b0bfead3f288f4202550a46991b02fda710c026248de66fe8b4d5ae7767018671413deee3d3a92a3a5934be1a95ff1e3909fecdb9b7cb0ec9e7
SSDEEP:	24576:ru6J33O0c+JY5UZ+XC0kGso6FajYuNaeNAymutbrfYJfIcWY:Fu0c++OCvkGs9FajYulNZvJUfiY
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection	Disable or Modify Tools
Binary is likely a compiled AutoIt script file	System Summary	Virtualization/Sandbox Evasion
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion	Access Token Manipulation
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging	Disable or Modify Tools
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts Disable or Modify Tools
Contains functionality to launch a process as a different user	System Summary
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation Access Token Manipulation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Access Token Manipulation
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	Disable or Modify Tools
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Detected potential crypto function	System Summary	Access Token Manipulation System Time Discovery Archive Collected Data Encrypted Channel
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API Access Token Manipulation
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation System Time Discovery
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Access Token Manipulation Disable or Modify Tools System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Disable or Modify Tools
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality for error logging	System Summary	Access Token Manipulation Disable or Modify Tools
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Contains functionality to download additional files from the internet	Networking
Contains functionality to enum processes or threads	System Summary	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Disable or Modify Tools
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation Disable or Modify Tools
Tries to load missing DLLs	System Summary	DLL Side-Loading Disable or Modify Tools
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary	Disable or Modify Tools

C:\Users\user\AppData\Local\Temp\79T-I8k4c

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 9, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 9

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\79T-I8k4c
Category:	dropped
Dump:	79T-I8k4c.11.dr
ID:	dr_2
Target ID:	11
Process:	C:\Windows\SysWOW64\AtBroker.exe
Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 9, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 9
Entropy:	1.124003908482409
Encrypted:	false
Ssdeep:	384:KUM2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:Kkq+n0E91LyKOMq+8iP5GLP/0
Size:	196608
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Temp\aut9976.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut9976.tmp
Category:	dropped
Dump:	aut9976.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\ur3RqLz9DB.exe
Type:	data
Entropy:	7.992587556130815
Encrypted:	true
Ssdeep:	6144:4ef0ZugssXBt3Do/KJSjxeQE7wXpWSGSLsK:ZI3BVWNkwZWSGlK
Size:	289280
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\vaccinators

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\vaccinators
Category:	dropped
Dump:	vaccinators.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\ur3RqLz9DB.exe
Type:	data
Entropy:	7.992587556130815
Encrypted:	true
Ssdeep:	6144:4ef0ZugssXBt3Do/KJSjxeQE7wXpWSGSLsK:ZI3BVWNkwZWSGlK
Size:	289280
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\ur3RqLz9DB.exe

"C:\Users\user\Desktop\ur3RqLz9DB.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7584
Target ID:	0
Parent PID:	496
Name:	ur3RqLz9DB.exe
Path:	C:\Users\user\Desktop\ur3RqLz9DB.exe
Commandline:	"C:\Users\user\Desktop\ur3RqLz9DB.exe"
Size:	1197056
MD5:	D444A977328B0F1B5E792A794CCD9FD0
Time:	11:45:05
Date:	26/03/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd70000
Modulesize:	1224704
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Binary is likely a compiled AutoIt script file	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Uncommon Svchost Parent Process	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\svchost.exe

"C:\Users\user\Desktop\ur3RqLz9DB.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7636
Target ID:	2
Parent PID:	7584
Name:	svchost.exe
Path:	C:\Windows\SysWOW64\svchost.exe
Commandline:	"C:\Users\user\Desktop\ur3RqLz9DB.exe"
Size:	46504
MD5:	1ED18311E3DA35942DB37D15FA40CC5B
Time:	11:45:06
Date:	26/03/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x3a0000
Modulesize:	53248
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected FormBook	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Uncommon Svchost Parent Process	System Summary
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Program Files (x86)\RirgXuyeGEsHGIzwHSBrhSJlrADTONVxdjBNxVQBiXdNQjsXyavsWYhyqRByszQUsKcpLyspVDX\H7Vvr2xxn9Re.exe

"C:\Program Files (x86)\RirgXuyeGEsHGIzwHSBrhSJlrADTONVxdjBNxVQBiXdNQjsXyavsWYhyqRByszQUsKcpLyspVDX\sM45qOwMrfjy.exe"

Details

Is windows:	true
Is dropped:	false
PID:	4468
Target ID:	9
Parent PID:	7636
Name:	H7Vvr2xxn9Re.exe
Path:	C:\Program Files (x86)\RirgXuyeGEsHGIzwHSBrhSJlrADTONVxdjBNxVQBiXdNQjsXyavsWYhyqRByszQUsKcpLyspVDX\H7Vvr2xxn9Re.exe
Commandline:	"C:\Program Files (x86)\RirgXuyeGEsHGIzwHSBrhSJlrADTONVxdjBNxVQBiXdNQjsXyavsWYhyqRByszQUsKcpLyspVDX\sM45qOwMrfjy.exe"
Size:	143872
MD5:	9C98D1A23EFAF1B156A130CEA7D2EE3A
Time:	11:45:21
Date:	26/03/2025
Reason:	existingprocessinject
Reputation:	moderate
Is admin:	false
Is elevated:	false
Modulebase:	0x5c0000
Modulesize:	163840
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queues an APC in another process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\AtBroker.exe

"C:\Windows\SysWOW64\AtBroker.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7312
Target ID:	11
Parent PID:	4468
Name:	AtBroker.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\AtBroker.exe
Commandline:	"C:\Windows\SysWOW64\AtBroker.exe"
Size:	68608
MD5:	D5B61959A509BDA85300781F5A829610
Time:	11:45:22
Date:	26/03/2025
Reason:	newprocess
Reputation:	moderate
Is admin:	false
Is elevated:	false
Modulebase:	0x480000
Modulesize:	86016
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Program Files (x86)\RirgXuyeGEsHGIzwHSBrhSJlrADTONVxdjBNxVQBiXdNQjsXyavsWYhyqRByszQUsKcpLyspVDX\H7Vvr2xxn9Re.exe

"C:\Program Files (x86)\RirgXuyeGEsHGIzwHSBrhSJlrADTONVxdjBNxVQBiXdNQjsXyavsWYhyqRByszQUsKcpLyspVDX\S9AepP7hGFK.exe"

Details

Is windows:	true
Is dropped:	false
PID:	1200
Target ID:	12
Parent PID:	7312
Name:	H7Vvr2xxn9Re.exe
Path:	C:\Program Files (x86)\RirgXuyeGEsHGIzwHSBrhSJlrADTONVxdjBNxVQBiXdNQjsXyavsWYhyqRByszQUsKcpLyspVDX\H7Vvr2xxn9Re.exe
Commandline:	"C:\Program Files (x86)\RirgXuyeGEsHGIzwHSBrhSJlrADTONVxdjBNxVQBiXdNQjsXyavsWYhyqRByszQUsKcpLyspVDX\S9AepP7hGFK.exe"
Size:	143872
MD5:	9C98D1A23EFAF1B156A130CEA7D2EE3A
Time:	11:45:35
Date:	26/03/2025
Reason:	existingprocessinject
Reputation:	moderate
Is admin:	false
Is elevated:	false
Modulebase:	0x5c0000
Modulesize:	163840
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queues an APC in another process (thread injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

Details

Is windows:	true
Is dropped:	false
PID:	2548
Target ID:	13
Parent PID:	7312
Name:	firefox.exe
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Size:	676768
MD5:	C86B1BE9ED6496FE0E0CBE73F81D8045
Time:	11:45:47
Date:	26/03/2025
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6b7570000
Modulesize:	708608
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://www.blackhat.chat/04r3/?ozr468=n6ptdLvBCapBX+1eOVrY57v3fry5rNe0wfWRjljnFiAjsKOl5dK99Lywx+Nqo77d2RcdyHveJO2lBX31lOnFwP4DiaLEptsC1XkRtKVSKvMDZubQIvkodV1VkZmdBzb+FDEJdsk=&cDdD=stP4ZplpaL

52.223.13.41

http://www.855696a.xyz/q86a/

45.119.52.125

http://www.vczuahand.xyz/lvz4/?cDdD=stP4ZplpaL&ozr468=Xs1PCb/MaYPIPAxDxxaHIqF2/A8U3qhMCQOIGo7Nl8rFa4QZz+K5GgFtLYl71/JRpNHUa5jW6jDEqn+5iMTLSNLkc8YJlW5E2D1BSRT+HZ6nP/WGftokHNP7u6RzqEi71eoyHuI=

76.223.54.146

http://www.headset2.online/pl23/?cDdD=stP4ZplpaL&ozr468=pwQm/8Nry++CWhwRO+ejyUFgfXoh51ib9cWiDzs/wKG7gU2SU1fIaah3O92QYMu9f5MkpzQiI887Voc7ljrK/R3yynuYM58fVphvPJKYT3CABWaKCWuFCzEUpSJ0ILCgd/ynwhk=

156.237.132.252

http://www.futureedge.website/q4wg/

159.198.64.72

http://www.anyang-590303492.click/6npl/?cDdD=stP4ZplpaL&ozr468=/JYiv5NhO0tELAK9kKXvJIbNp1Br4DUvi5BuLmngF2OWbpzZErtHeLuo5nDg79GzI2QTdod40q0r+J2P58yW98aolaIPcHKB8C+VtOL9beJx1TxkdNAFgpzfmMcKyLG5UVY24PM=

199.59.243.160

http://www.meshki-co-uk.shop/b8n0/

104.21.32.1

http://www.anyang-590303492.click/6npl/

199.59.243.160

http://www.soportemx-findmy.click/ma0g/

45.56.79.23

http://www.futureedge.website/q4wg/?ozr468=WxORhD4RgEO5uNW054qboO521K/0wGPJQFKGj9LBFcZ0l1e50YnvQ+dx8Uckd3rx1A/7IdNYVLsTEbVWPiDE8n0pQ78tBy34YYRsbULys/fjLZWWaxsBK8nxhK81YtojfvhT+HM=&cDdD=stP4ZplpaL

159.198.64.72

http://www.worrr37.yachts/1imc/

149.104.1.185

http://www.forjoyi.live/c25v/

52.223.13.41

http://www.thykingdomwear.store/d4kl/?cDdD=stP4ZplpaL&ozr468=6y/7tod/VF/KHUQqfM/wfVXibkdmZeeslXhDnWhvAY/z/yk3pdRRAQekYBjFWPUzPUKr4nIOcHvctiu99XDhRThC3drFG1AKyOu1/GM/3foXIXDjLpVuiIMe4xDFitXr6UESTD8=

75.2.103.23

http://www.worrr37.yachts/1imc/?ozr468=GkZ+7lZN5ZbT6rZBuZ+pskfJL+6uT56R2eAXidPe90Y9rybDHdv8GRqVb6FfMfkpXSVDgNv2zaXT/X0CpEMH0N+STTXuzFNw3Wjf+jehbJrVtlfd/HcDvzHP8gjPYHuSisWP2uY=&cDdD=stP4ZplpaL

149.104.1.185

http://www.blackhat.chat/04r3/

52.223.13.41

http://www.headset2.online/pl23/

156.237.132.252

http://www.forjoyi.live/c25v/?ozr468=cYQQc4YiFu4DU/POoXdW37/GhYioUbtBJdcMk5WX7gXoSnlFiQLvf2mm8gqHlRakhV+z//0r9RcnPHcD6pi3sDYiTEcusg55GsFJIP0GJUvkZSoStgEPqqD4HSdKtL3zEIrHQIE=&cDdD=stP4ZplpaL

52.223.13.41

http://www.855696a.xyz/q86a/?ozr468=1RS/DLESjC/mKKX9C/bcN2l/5Bt+ZmCCo7MGFq+OZJ2Pg2HsdXdlDjVOv2U28y6Xqr87siUnw8FG4MQCr+RpC7pac3hRrF1oQLqjSje52VN+B6b6adpmSyob2sUKv/kGLVH3Cqc=&cDdD=stP4ZplpaL

45.119.52.125

http://www.vczuahand.xyz/lvz4/

76.223.54.146

http://www.soportemx-findmy.click/ma0g/?cDdD=stP4ZplpaL&ozr468=H2S90RmziCMvLCuL5yTkJF203ndQbU/T+UjWuF5QkK5TSoHa4lhKP7xjBIvwYHsxlglzK0GWG6GIcHietPpq3u1xo8xOmDzYv29+zWu49xgJoIdTnmgsG6PvYBy+sv7ZAol6cbU=

45.56.79.23

https://duckduckgo.com/ac/?q=

unknown

https://duckduckgo.com/chrome_newtabv20-

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://ac.ecosia.org?q=

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://www.google.com

unknown

https://www.google.com/images/branding/product/ico/googleg_alldp.ico

unknown

https://www.ecosia.org/newtab/v20

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

http://www.anyang-590303492.click

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

https://gemini.google.com/app?q=

unknown

There are 22 hidden URLs, click here to show them.

Domains

Name

Malicious

www.headset2.online

156.237.132.252

ns195.l4y.cn

45.119.52.125

www.futureedge.website

159.198.64.72

www.meshki-co-uk.shop

104.21.32.1

www.soportemx-findmy.click

45.56.79.23

www.855696a.xyz

unknown

www.worrr37.yachts

149.104.1.185

www.anyang-590303492.click

199.59.243.160

www.vczuahand.xyz

76.223.54.146

www.forjoyi.live

52.223.13.41

www.blackhat.chat

52.223.13.41

www.thykingdomwear.store

75.2.103.23

There are 2 hidden domains, click here to show them.

IPs

Domain

Country

Malicious

156.237.132.252

www.headset2.online

Seychelles

104.21.32.1

www.meshki-co-uk.shop

United States

159.198.64.72

www.futureedge.website

United States

45.119.52.125

ns195.l4y.cn

China

45.56.79.23

www.soportemx-findmy.click

United States

75.2.103.23

www.thykingdomwear.store

United States

149.104.1.185

www.worrr37.yachts

United States

199.59.243.160

www.anyang-590303492.click

United States

76.223.54.146

www.vczuahand.xyz

United States

52.223.13.41

www.forjoyi.live

United States

Memdumps

Base Address

Regiontype

Protect

Malicious

Download

5710000

system

page execute and read and write

3F50000

unclassified section

page execute and read and write

4F10000

trusted library allocation

page read and write

400000

system

page execute and read and write

4EC0000

trusted library allocation

page read and write

3FA0000

unclassified section

page execute and read and write

25D0000

unkown

page execute and read and write

3220000

system

page execute and read and write

57D7000

system

page execute and read and write

13A0000

heap

page read and write

4DC1000

heap

page read and write

956000

heap

page read and write

3D2D000

direct allocation

page execute and read and write

3338000

heap

page read and write

8595000

heap

page read and write

3B9E000

heap

page read and write

16191E72000

heap

page read and write

16191E40000

heap

page read and write

FF0000

unkown

page readonly

4DC1000

heap

page read and write

33AE000

heap

page read and write

16191CCD000

system

page execute and read and write

3669000

direct allocation

page read and write

8521000

heap

page read and write

16191E76000

heap

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

67E2000

unclassified section

page read and write

36A000

stack

page read and write

334E000

heap

page read and write

4B0000

unkown

page readonly

2FF0000

heap

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

1951000

unkown

page readonly

5C1000

unkown

page execute read

942000

heap

page read and write

4DC1000

heap

page read and write

512A000

heap

page read and write

37A0000

heap

page read and write

4DC1000

heap

page read and write

3350000

direct allocation

page read and write

3213000

heap

page read and write

4DC1000

heap

page read and write

3349000

heap

page read and write

33A0000

direct allocation

page read and write

4DC1000

heap

page read and write

36C4000

unkown

page read and write

34C3000

direct allocation

page read and write

E40000

unkown

page readonly

16191E47000

heap

page read and write

3213000

heap

page read and write

16193AC4000

trusted library allocation

page read and write

2374000

heap

page read and write

4DC1000

heap

page read and write

2F10000

unkown

page readonly

50D0000

trusted library allocation

page read and write

60C09FE000

stack

page read and write

341B000

heap

page read and write

3F42000

direct allocation

page execute and read and write

52C8000

heap

page read and write

4DC1000

heap

page read and write

2370000

heap

page read and write

42A7000

unclassified section

page execute and read and write

856B000

heap

page read and write

5D9000

unkown

page readonly

33CE000

heap

page read and write

3B2D000

heap

page read and write

3473000

direct allocation

page read and write

8513000

heap

page read and write

4DC1000

heap

page read and write

2EA0000

unkown

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

5CF000

unkown

page readonly

30C2000

unkown

page read and write

15C0000

unkown

page readonly

85A4000

heap

page read and write

384F000

stack

page read and write

33A1000

heap

page read and write

942000

heap

page read and write

8B0000

unkown

page readonly

DFF000

unkown

page readonly

5CF000

unkown

page readonly

4DC1000

heap

page read and write

3F50000

direct allocation

page read and write

8D0000

unkown

page read and write

16193903000

trusted library allocation

page read and write

4DC1000

heap

page read and write

4D0000

unkown

page readonly

4DC1000

heap

page read and write

33FF000

heap

page read and write

3501000

heap

page read and write

4DC1000

heap

page read and write

3800000

heap

page read and write

3347000

heap

page read and write

4DC1000

heap

page read and write

16191E80000

heap

page read and write

361D000

direct allocation

page read and write

4DC1000

heap

page read and write

9A9000

heap

page read and write

11C32000

system

page read and write

33C2000

heap

page read and write

1390000

unkown

page readonly

16193900000

trusted library allocation

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

3E9E000

unkown

page read and write

7FC000

stack

page read and write

3300000

heap

page read and write

1200000

unkown

page readonly

942000

heap

page read and write

3213000

heap

page read and write

D20000

heap

page read and write

300000

unkown

page readonly

5D6000

unkown

page read and write

5C0000

unkown

page readonly

6008000

unclassified section

page read and write

4DC1000

heap

page read and write

A2E000

heap

page read and write

16193921000

trusted library allocation

page read and write

13A4000

heap

page read and write

853D000

heap

page read and write

3710000

direct allocation

page read and write

3352000

heap

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

D70000

unkown

page readonly

966000

heap

page read and write

8544000

heap

page read and write

8569000

heap

page read and write

3A00000

heap

page read and write

2E9F000

stack

page read and write

E2E000

unkown

page read and write

3213000

heap

page read and write

E30000

unkown

page readonly

EBA000

stack

page read and write

1CE000

stack

page read and write

841000

unkown

page readonly

A09000

heap

page read and write

D71000

unkown

page execute read

4DC1000

heap

page read and write

64BE000

unclassified section

page read and write

4DC1000

heap

page read and write

EBA000

stack

page read and write

2D9E000

stack

page read and write

91C000

heap

page read and write

5F0000

unkown

page read and write

3213000

heap

page read and write

3213000

heap

page read and write

53FD000

direct allocation

page execute and read and write

4DC1000

heap

page read and write

366D000

direct allocation

page read and write

4DC1000

heap

page read and write

3330000

heap

page read and write

3213000

heap

page read and write

3417000

heap

page read and write

1210000

unkown

page readonly

E37000

unkown

page readonly

DFF000

unkown

page readonly

2EC4000

heap

page read and write

6B06000

unclassified section

page read and write

3213000

heap

page read and write

E32000

unkown

page write copy

33AA000

heap

page read and write

1200000

unkown

page readonly

E40000

unkown

page readonly

33D3000

heap

page read and write

16191D60000

heap

page read and write

13E9000

heap

page read and write

4C0000

heap

page read and write

361D000

direct allocation

page read and write

4DC1000

heap

page read and write

5CF000

unkown

page readonly

28D7000

unkown

page execute and read and write

D30000

heap

page read and write

FBC000

stack

page read and write

16193680000

trusted library allocation

page read and write

3352000

heap

page read and write

4DC1000

heap

page read and write

4D0000

unkown

page readonly

23D0000

heap

page read and write

3669000

direct allocation

page read and write

8B8E000

stack

page read and write

1619390F000

trusted library allocation

page read and write

1230000

unkown

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

34F0000

direct allocation

page read and write

4DC1000

heap

page read and write

4DC0000

heap

page read and write

2EA0000

unkown

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

559D000

direct allocation

page execute and read and write

3540000

direct allocation

page read and write

859B000

heap

page read and write

4DC1000

heap

page read and write

4A0000

unkown

page readonly

1220000

heap

page read and write

3404000

heap

page read and write

4DC1000

heap

page read and write

581C000

unkown

page read and write

39E8000

unkown

page read and write

1361000

unkown

page readonly

4DC1000

heap

page read and write

3213000

heap

page read and write

8520000

heap

page read and write

33F9000

heap

page read and write

E81000

unkown

page readonly

3850000

direct allocation

page read and write

4DC1000

heap

page read and write

366D000

direct allocation

page read and write

4DC1000

heap

page read and write

5783000

system

page execute and read and write

2F0000

unkown

page readonly

4DC1000

heap

page read and write

114B000

unkown

page read and write

E30000

unkown

page readonly

4678000

unkown

page read and write

32F4000

heap

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

3473000

direct allocation

page read and write

5622000

unclassified section

page read and write

4DC1000

heap

page read and write

18E000

stack

page read and write

E24000

unkown

page readonly

3352000

heap

page read and write

1370000

unkown

page read and write

16193680000

trusted library allocation

page read and write

3002000

unkown

page read and write

AF0000

unkown

page readonly

E2E000

unkown

page write copy

4DC1000

heap

page read and write

16191CCA000

system

page execute and read and write

8530000

heap

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

340A000

heap

page read and write

4DC1000

heap

page read and write

44E6000

unkown

page read and write

4DC1000

heap

page read and write

5D6000

unkown

page read and write

4DC1000

heap

page read and write

32F4000

heap

page read and write

8FE000

heap

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

16191E60000

heap

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

8538000

heap

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

3213000

heap

page read and write

591C000

unkown

page read and write

3620000

heap

page read and write

4DC1000

heap

page read and write

8AE000

stack

page read and write

38EE000

stack

page read and write

AEF000

stack

page read and write

16193AA6000

trusted library allocation

page read and write

518E000

stack

page read and write

4DC1000

heap

page read and write

33D1000

heap

page read and write

5CF000

unkown

page readonly

33DB000

heap

page read and write

3349000

heap

page read and write

16193916000

trusted library allocation

page read and write

E81000

unkown

page readonly

33B8000

heap

page read and write

3358000

heap

page read and write

5C1000

unkown

page execute read

90F000

heap

page read and write

16193912000

trusted library allocation

page read and write

3213000

heap

page read and write

3619000

direct allocation

page read and write

5F0000

unkown

page read and write

90F000

heap

page read and write

4DC1000

heap

page read and write

56E2000

unclassified section

page read and write

5E76000

unclassified section

page read and write

4DC1000

heap

page read and write

3391000

heap

page read and write

341A000

heap

page read and write

3213000

heap

page read and write

4DC1000

heap

page read and write

989000

heap

page read and write

13CA000

heap

page read and write

13A4000

heap

page read and write

4DC1000

heap

page read and write

3300000

direct allocation

page read and write

4DC1000

heap

page read and write

2EC0000

heap

page read and write

4DC1000

heap

page read and write

916000

heap

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

3213000

heap

page read and write

5020000

trusted library allocation

page execute and read and write

3213000

heap

page read and write

343E000

heap

page read and write

4F70000

trusted library allocation

page read and write

2F00000

heap

page read and write

3396000

heap

page read and write

4DC1000

heap

page read and write

423F000

unclassified section

page execute and read and write

2FF8000

stack

page read and write

8F0000

heap

page read and write

16193800000

trusted library allocation

page read and write

4DC1000

heap

page read and write

632C000

unclassified section

page read and write

4DC1000

heap

page read and write

3700000

heap

page read and write

8290000

trusted library allocation

page read and write

966000

heap

page read and write

4DC1000

heap

page read and write

841000

unkown

page readonly

4DC1000

heap

page read and write

4DC1000

heap

page read and write

50D0000

trusted library allocation

page read and write

24E0000

unkown

page readonly

853A000

heap

page read and write

368E000

direct allocation

page read and write

942000

heap

page read and write

4DC1000

heap

page read and write

3358000

heap

page read and write

33AA000

heap

page read and write

15BF000

stack

page read and write

2370000

heap

page read and write

4DC1000

heap

page read and write

8592000

heap

page read and write

8FA000

heap

page read and write

3405000

heap

page read and write

509A000

heap

page read and write

4DC1000

heap

page read and write

1210000

unkown

page readonly

D9000

stack

page read and write

3619000

direct allocation

page read and write

3540000

direct allocation

page read and write

4DC1000

heap

page read and write

53F9000

direct allocation

page execute and read and write

300000

unkown

page readonly

4DC1000

heap

page read and write

2EC0000

unkown

page read and write

4DC1000

heap

page read and write

33A0000

direct allocation

page read and write

4DC1000

heap

page read and write

374E000

stack

page read and write

34C3000

direct allocation

page read and write

514E000

stack

page read and write

3213000

heap

page read and write

2F5C000

stack

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

34F0000

direct allocation

page read and write

4DC1000

heap

page read and write

135E000

stack

page read and write

334D000

heap

page read and write

11D4C000

system

page read and write

33BD000

heap

page read and write

2F00000

heap

page read and write

4DC1000

heap

page read and write

1246000

heap

page read and write

3352000

heap

page read and write

5D6000

unkown

page read and write

83E000

stack

page read and write

4DC1000

heap

page read and write

8535000

heap

page read and write

36DE000

direct allocation

page read and write

23D0000

heap

page read and write

16193680000

trusted library allocation

page read and write

3D9E000

direct allocation

page execute and read and write

13CE000

heap

page read and write

4DC1000

heap

page read and write

966000

heap

page read and write

4DC1000

heap

page read and write

2F10000

unkown

page readonly

916000

heap

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

2374000

heap

page read and write

366D000

direct allocation

page read and write

3002000

unkown

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

8588000

heap

page read and write

4DC1000

heap

page read and write

852B000

heap

page read and write

90A000

heap

page read and write

3923000

heap

page read and write

4DC1000

heap

page read and write

24E0000

unkown

page readonly

4F60000

heap

page read and write

3F50000

direct allocation

page read and write

850000

unkown

page read and write

4DC1000

heap

page read and write

33C8000

heap

page read and write

13A0000

heap

page read and write

4DC1000

heap

page read and write

3213000

heap

page read and write

3213000

heap

page read and write

8B0000

unkown

page readonly

4DC1000

heap

page read and write

2E0000

unkown

page readonly

3ECD000

direct allocation

page execute and read and write

16193ACE000

trusted library allocation

page read and write

903000

heap

page read and write

4DC1000

heap

page read and write

4F77000

heap

page read and write

3C00000

direct allocation

page execute and read and write

129F000

stack

page read and write

60C01FE000

stack

page read and write

855A000

heap

page read and write

3F50000

direct allocation

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

1220000

heap

page read and write

3390000

heap

page read and write

5774000

system

page execute and read and write

4DC1000

heap

page read and write

857F000

heap

page read and write

34F0000

direct allocation

page read and write

938000

heap

page read and write

4DC1000

heap

page read and write

989000

heap

page read and write

4DC1000

heap

page read and write

4B0000

unkown

page readonly

3412000

heap

page read and write

3D0C000

unkown

page read and write

4DC1000

heap

page read and write

1230000

unkown

page read and write

4DC1000

heap

page read and write

3202000

heap

page read and write

33A4000

heap

page read and write

4DC1000

heap

page read and write

8F3000

heap

page read and write

36DE000

direct allocation

page read and write

5D9000

unkown

page readonly

334D000

heap

page read and write

50D0000

trusted library allocation

page read and write

1D0000

heap

page read and write

4DC1000

heap

page read and write

5780000

system

page execute and read and write

3619000

direct allocation

page read and write

98A000

heap

page read and write

3358000

heap

page read and write

4DC1000

heap

page read and write

34C3000

direct allocation

page read and write

4DC1000

heap

page read and write

3400000

heap

page read and write

1619390A000

trusted library allocation

page read and write

4DC1000

heap

page read and write

24DF000

stack

page read and write

343E000

heap

page read and write

3750000

trusted library allocation

page read and write

6650000

unclassified section

page read and write

4DC1000

heap

page read and write

1951000

unkown

page readonly

5612000

direct allocation

page execute and read and write

4DC1000

heap

page read and write

3213000

heap

page read and write

361D000

direct allocation

page read and write

169E000

stack

page read and write

3352000

heap

page read and write

3417000

heap

page read and write

5C0000

unkown

page readonly

8D0000

heap

page read and write

32F0000

heap

page read and write

3669000

direct allocation

page read and write

573C000

unclassified section

page read and write

546E000

direct allocation

page execute and read and write

32F4000

heap

page read and write

1390000

unkown

page readonly

5C1000

unkown

page execute read

4DC1000

heap

page read and write

4DC1000

heap

page read and write

3D29000

direct allocation

page execute and read and write

368E000

direct allocation

page read and write

3350000

direct allocation

page read and write

16193660000

heap

page read and write

368E000

direct allocation

page read and write

4DC1000

heap

page read and write

E37000

unkown

page readonly

3856000

unkown

page read and write

3540000

direct allocation

page read and write

3213000

heap

page read and write

4C0000

heap

page read and write

5D9000

unkown

page readonly

4DC1000

heap

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

5D9000

unkown

page readonly

4DC1000

heap

page read and write

E50000

unkown

page readonly

4DC1000

heap

page read and write

3213000

heap

page read and write

36A000

stack

page read and write

3352000

heap

page read and write

5257000

heap

page read and write

4DC1000

heap

page read and write

3473000

direct allocation

page read and write

902000

heap

page read and write

3ED1000

direct allocation

page execute and read and write

5764000

system

page execute and read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

3750000

heap

page read and write

33F0000

heap

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

3408000

heap

page read and write

8532000

heap

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

4030000

unkown

page read and write

5C1000

unkown

page execute read

5253000

heap

page read and write

7CE000

stack

page read and write

311C000

unkown

page read and write

E50000

unkown

page readonly

55A1000

direct allocation

page execute and read and write

4A0000

unkown

page readonly

3390000

heap

page read and write

4DC1000

heap

page read and write

2E0000

unkown

page readonly

D71000

unkown

page execute read

16193790000

heap

page read and write

1361000

unkown

page readonly

902000

heap

page read and write

4DC1000

heap

page read and write

33B8000

heap

page read and write

33A4000

heap

page read and write

4DC1000

heap

page read and write

D70000

unkown

page readonly

4DC1000

heap

page read and write

90E000

heap

page execute and read and write

7BE000

stack

page read and write

13C0000

heap

page read and write

13CA000

heap

page read and write

33E4000

heap

page read and write

2FBB000

stack

page read and write

3405000

heap

page read and write

5C0000

unkown

page readonly

4DC1000

heap

page read and write

3B7A000

unkown

page read and write

16191CA0000

system

page execute and read and write

4DC1000

heap

page read and write

11CF2000

system

page read and write

619A000

unclassified section

page read and write

140000

heap

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

122F4000

system

page read and write

342B000

heap

page read and write

6974000

unclassified section

page read and write

FBC000

stack

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

85B2000

heap

page read and write

FF0000

unkown

page readonly

4DC1000

heap

page read and write

1240000

heap

page read and write

33AE000

heap

page read and write

6C98000

unclassified section

page read and write

36DE000

direct allocation

page read and write

E24000

unkown

page readonly

4DC1000

heap

page read and write

16191E79000

heap

page read and write

33A1000

heap

page read and write

1F0000

heap

page read and write

858F000

heap

page read and write

1240000

heap

page read and write

4DC1000

heap

page read and write

8510000

trusted library allocation

page read and write

4E0000

heap

page read and write

4DC1000

heap

page read and write

5CE4000

unclassified section

page read and write

966000

heap

page read and write

5C0000

unkown

page readonly

4DC1000

heap

page read and write

33A0000

direct allocation

page read and write

92A000

heap

page read and write

8526000

heap

page read and write

60BF1FB000

stack

page read and write

4DC1000

heap

page read and write

4354000

unkown

page read and write

4DC1000

heap

page read and write

968000

heap

page read and write

4E0000

heap

page read and write

AF0000

unkown

page readonly

4DC1000

heap

page read and write

4DC1000

heap

page read and write

13CE000

heap

page read and write

32A0000

heap

page read and write

2FD0000

heap

page read and write

4DC1000

heap

page read and write

8D7000

heap

page read and write

3B29000

heap

page read and write

2F9A000

stack

page read and write

4DC1000

heap

page read and write

8D0000

unkown

page read and write

4DC1000

heap

page read and write

2F0000

unkown

page readonly

341E000

heap

page read and write

4DC1000

heap

page read and write

8620000

trusted library allocation

page read and write

575B000

system

page execute and read and write

3350000

direct allocation

page read and write

4DC1000

heap

page read and write

5D6000

unkown

page read and write

4DC1000

heap

page read and write

46C000

stack

page read and write

60BF9FD000

stack

page read and write

16193ABE000

trusted library allocation

page read and write

4DC1000

heap

page read and write

2EB0000

unkown

page read and write

3A01000

heap

page read and write

15C0000

unkown

page readonly

850000

unkown

page read and write

8560000

heap

page read and write

3347000

heap

page read and write

13C0000

heap

page read and write

8FA000

heap

page read and write

4DC1000

heap

page read and write

8565000

heap

page read and write

286F000

unkown

page execute and read and write

16193A01000

trusted library allocation

page read and write

1370000

unkown

page read and write

4DC1000

heap

page read and write

39EF000

stack

page read and write

7DB000

stack

page read and write

3200000

heap

page read and write

85A2000

heap

page read and write

46C000

stack

page read and write

4DC1000

heap

page read and write

52D0000

direct allocation

page execute and read and write

4DC1000

heap

page read and write

8BCF000

stack

page read and write

33D8000

heap

page read and write

8F0000

heap

page read and write

4DC1000

heap

page read and write

4DC1000

heap

page read and write

8FE000

heap

page read and write

4DC1000

heap

page read and write

41C2000

unkown

page read and write

There are 644 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
ur3RqLz9DB.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportur3RqLz9DB.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
ur3RqLz9DB.exe