Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

R4WCgDAfHB.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.761976958626553
Filename:	R4WCgDAfHB.exe
Filesize:	422352
MD5:	8595a9cecbac3bd363c30c7ab2bec849
SHA1:	5a154a7472cc4afa18f414a3edf8f3ff7a2a51e2
SHA256:	df2b80bb68e829de13051a9781e096b095a90b676ab1f974284bad8609775040
SHA512:	2d2d34ce590af7bb1902a5b355452efa9b9c6f947e7c288d7d575b0aa117a2870e99ddf11f4c9c4b936a889852726fd28f99973a5559e34b86af2940198eacec
SSDEEP:	6144:098TSnLDuZvOx31RZG15VoZppGJyCNDri5sfJXn+oAy:nZvO7RQaZOJyEDj0Ly
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>.E.PSE.PSE.PS...SD.PSbk=SB.PSbk+SP.PSE.QS..PS[..S_.PS[..S..PS[..S..PS[..SF.PS[..SD.PS[..SD.PSRichE.PS.......................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior	Security Software Discovery
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Creates files inside the system directory	System Summary
Creates or modifies windows services	Boot Survival
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Enables debug privileges	Anti Debugging
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion	Security Software Discovery
PE / OLE file has an invalid certificate	System Summary
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation Security Software Discovery
Uses 32bit PE files	Compliance, System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery

C:\Program Files (x86)\Microsoft Network\HelpSystem.exe

PE32 executable (console) Intel 80386, for MS Windows, UPX compressed

dropped

Details

File:	C:\Program Files (x86)\Microsoft Network\HelpSystem.exe
Category:	dropped
Dump:	HelpSystem.exe.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Windows\SystemNvwmiShell\NvwmiShell.exe
Type:	PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
Entropy:	5.314244260726842
Encrypted:	false
Ssdeep:	6144:E7Ii4Pqe6UxYX914eN4Us7P3BOcbpUt7V7V0s:lJ6sYkeNE7P3E+C7V7V0
Size:	89349120
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Drops HTML or HTM files to system directories	Persistence and Installation Behavior
Machine Learning detection for dropped file	AV Detection
Sigma detected: Suspicious Epmap Connection	System Summary
Contains functionality to query network adapater information	Malware Analysis System Evasion	System Network Configuration Discovery
Creates files inside the system directory	System Summary	Masquerading
Deletes files inside the Windows folder	System Summary	File Deletion
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion
Found evasive API chain (may stop execution after checking a module file name)	Malware Analysis System Evasion	Native API
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Might use command line arguments	System Summary	Command and Scripting Interpreter
Program exit points	Malware Analysis System Evasion
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Microsoft Network\Network64.exe

PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Program Files (x86)\Microsoft Network\Network64.exe
Category:	dropped
Dump:	Network64.exe.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Windows\SystemNvwmiShell\NvwmiShell.exe
Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy:	5.69859973949719
Encrypted:	false
Ssdeep:	98304:UNVKOOGzixfBKmLyntNUNUUkGxdQQj4FTSVhDALt/W73/ev/ev/egixgixmgRZQR:UPKOOG3duITaFBkkB7Egsp16ziwy0
Size:	97341952
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Query firmware table information (likely to detect VMs)	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Abnormal high CPU Usage	System Summary
Drops PE files	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Microsoft Network\WinRing0x64.sys

PE32+ executable (native) x86-64, for MS Windows

dropped

Details

File:	C:\Program Files (x86)\Microsoft Network\WinRing0x64.sys
Category:	dropped
Dump:	WinRing0x64.sys.2.dr
ID:	dr_4
Target ID:	2
Process:	C:\Windows\SystemNvwmiShell\NvwmiShell.exe
Type:	PE32+ executable (native) x86-64, for MS Windows
Entropy:	6.2660301556221185
Encrypted:	false
Ssdeep:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
Size:	14544
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Sample is not signed and drops a device driver	Persistence and Installation Behavior
Creates driver files	System Summary	Windows Service
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\checkip[1].htm

ASCII text, with no line terminators

dropped

Details

File:	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\checkip[1].htm
Category:	dropped
Dump:	checkip[1].htm.10.dr
ID:	dr_6
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft Network\HelpSystem.exe
Type:	ASCII text, with no line terminators
Entropy:	4.147114052043201
Encrypted:	false
Ssdeep:	3:ORy0WtJBUXMRn:+PoJiXG
Size:	31
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops HTML or HTM files to system directories	Persistence and Installation Behavior
Creates files inside the system directory	System Summary	Masquerading
Deletes files inside the Windows folder	System Summary	File Deletion

C:\Windows\SystemNvwmiShell\NvwmiShell.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Windows\SystemNvwmiShell\NvwmiShell.exe
Category:	dropped
Dump:	NvwmiShell.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\R4WCgDAfHB.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	5.670612439091091
Encrypted:	false
Ssdeep:	6144:098TSnLDuZvOx31RZG15VoZppGJyCNDri5sfJXn+oAyu:nZvO7RQaZOJyEDj0Lyu
Size:	79073664
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Deletes itself after installation	Hooking and other Techniques for Hiding and Protection	File Deletion
Drops executables to the windows directory (C:\Windows) and starts them	Persistence and Installation Behavior	Masquerading
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Sample is not signed and drops a device driver	Persistence and Installation Behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates driver files	System Summary	Windows Service
Creates files inside the system directory	System Summary	Masquerading
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Enables debug privileges	Anti Debugging
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found evasive API chain (may stop execution after checking a module file name)	Malware Analysis System Evasion	Native API
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Modifies existing windows services	Boot Survival	Windows Service
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to create services	System Summary	Windows Service
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to modify services (start/stop/modify)	System Summary	Windows Service Service Execution
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Information Discovery System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to register a service control handler (likely the sample is a service DLL)	System Summary	Windows Service
Contains functionality to register its own exception handler	Anti Debugging
Contains functionality to start windows services	Boot Survival	Service Execution
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the program directory	System Summary	Masquerading
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Program exit points	Malware Analysis System Evasion
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Windows\SystemNvwmiShell\NvwmiShell.dll

data

dropped

Details

File:	C:\Windows\SystemNvwmiShell\NvwmiShell.dll
Category:	dropped
Dump:	NvwmiShell.dll.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Windows\SystemNvwmiShell\NvwmiShell.exe
Type:	data
Entropy:	7.999981027200894
Encrypted:	true
Ssdeep:	196608:wCQLJWjMlhDB3dRvBbYiqZBkBQBzTciO1nfniCrmNKYO:wC9YlhDBtezkOBki2nvlrmNKv
Size:	8629952
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the system directory	System Summary	Masquerading

\Device\ConDrv

ASCII text, with CR line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.10.dr
ID:	dr_7
Target ID:	10
Process:	C:\Program Files (x86)\Microsoft Network\HelpSystem.exe
Type:	ASCII text, with CR line terminators
Entropy:	3.5127837084076443
Encrypted:	false
Size:	59823
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\R4WCgDAfHB.exe

"C:\Users\user\Desktop\R4WCgDAfHB.exe"

C:\Windows\SystemNvwmiShell\NvwmiShell.exe

"C:\Windows\SystemNvwmiShell\NvwmiShell.exe"

C:\Windows\SystemNvwmiShell\NvwmiShell.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=445 name="CloseSMB"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=445 name="CloseSMB"

C:\Program Files (x86)\Microsoft Network\HelpSystem.exe

"C:\Program Files (x86)\Microsoft Network\HelpSystem.exe" 1

C:\Program Files (x86)\Microsoft Network\Network64.exe

"C:\Program Files (x86)\Microsoft Network\Network64.exe" Yde5fFJFjShqKS+u9okdyvP/pj9kg/bQNXV+USrRGaecQs8AdtikoR9wVLreBlqoPAFr/LRRDydtLzX5YzQgQ1GCivTcd3opL1Xfv4SzrZQOBZVgTwOiPgknymhzPAuX3kaHX0i00NQybzCyaJaj7nJOK0DHJVp09YDF1A==

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

URLs

Name

Malicious

http://ddns.oray.com/checkip

114.215.199.192

http://ddns.oray.com/checkipl

unknown

http://ddns.oray.com/checkip(

unknown

http://ocsp.global

unknown

http://ddns.oray.com/checkip7

unknown

http://www.360.cn

unknown

http://www.symauth.com/cps0(

unknown

http://www.symauth.com/rpa00

unknown

http://appbols.vivoios.com:8587/smb.exeX

unknown

http://appbols.vivoios.com:8587/smb.exe

unknown

http://ddns.oray.com/checkipSystem32

unknown

There are 1 hidden URLs, click here to show them.

Domains

Name

Malicious

ddns.oray.com

114.215.199.192

Details

Name:	ddns.oray.com
IP:	114.215.199.192
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses dynamic DNS services	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

contr.netmows.com

45.137.222.18

Details

Name:	contr.netmows.com
IP:	45.137.222.18
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

pool.autocoreb.com

116.202.251.6

IPs

Domain

Country

Malicious

192.168.2.148

unknown

192.168.4.67

unknown

192.168.2.149

unknown

192.168.4.68

unknown

192.168.2.146

unknown

192.168.4.65

unknown

192.168.2.147

unknown

192.168.4.66

unknown

192.168.12.127

unknown

192.168.12.128

unknown

192.168.4.69

unknown

192.168.12.129

unknown

192.168.2.140

unknown

192.168.12.123

unknown

192.168.2.141

unknown

192.168.4.60

unknown

192.168.12.124

unknown

192.168.12.125

unknown

192.168.12.126

unknown

192.168.2.144

unknown

192.168.4.63

unknown

192.168.2.145

unknown

192.168.4.64

unknown

192.168.12.120

unknown

192.168.2.142

unknown

192.168.4.61

unknown

192.168.12.121

unknown

192.168.2.143

unknown

192.168.4.62

unknown

192.168.12.122

unknown

192.168.2.159

unknown

192.168.4.56

unknown

192.168.4.57

unknown

192.168.2.157

unknown

192.168.4.54

unknown

192.168.2.158

unknown

192.168.4.55

unknown

192.168.12.116

unknown

192.168.12.117

unknown

192.168.4.58

unknown

192.168.12.118

unknown

192.168.4.59

unknown

192.168.12.119

unknown

192.168.2.151

unknown

192.168.12.112

unknown

192.168.2.152

unknown

192.168.12.113

unknown

192.168.12.114

unknown

192.168.2.150

unknown

192.168.12.115

unknown

192.168.2.155

unknown

192.168.4.52

unknown

192.168.2.156

unknown

192.168.4.53

unknown

192.168.2.153

unknown

192.168.4.50

unknown

192.168.12.110

unknown

192.168.2.154

unknown

192.168.4.51

unknown

192.168.12.111

unknown

192.168.2.126

unknown

192.168.4.45

unknown

192.168.12.109

unknown

192.168.2.127

unknown

192.168.4.46

unknown

192.168.2.124

unknown

192.168.4.43

unknown

192.168.2.125

unknown

192.168.4.44

unknown

192.168.4.49

unknown

192.168.12.105

unknown

192.168.12.106

unknown

192.168.2.128

unknown

192.168.4.47

unknown

192.168.12.107

unknown

192.168.2.129

unknown

192.168.4.48

unknown

192.168.12.108

unknown

192.168.12.101

unknown

192.168.12.102

unknown

192.168.12.103

unknown

192.168.12.104

unknown

192.168.2.122

unknown

192.168.4.41

unknown

192.168.2.123

unknown

192.168.4.42

unknown

192.168.2.120

unknown

192.168.2.121

unknown

192.168.4.40

unknown

192.168.12.100

unknown

192.168.4.29

unknown

192.168.2.137

unknown

192.168.4.34

unknown

192.168.2.138

unknown

192.168.4.35

unknown

192.168.2.135

unknown

192.168.4.32

unknown

192.168.2.136

unknown

192.168.4.33

unknown

192.168.4.38

unknown

There are 90 hidden IPs, click here to show them.

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetCellcore NvwmiShells

DeleteFiles

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetCellcore NvwmiShells
Value name:	DeleteFiles
Value data:	C:\Users\user\Desktop\R4WCgDAfHB.exe

Signature Hits	Behavior Group	Mitre Attack
Creates or modifies windows services	Boot Survival	Windows Service
Modifies existing windows services	Boot Survival	Windows Service

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetCellcore NvwmiShells

KsysnctGroup

Details

TargetID:	1
Path:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetCellcore NvwmiShells
Value name:	KsysnctGroup
Value data:	T2410122238-0F8BFBFF000806F8

Signature Hits	Behavior Group	Mitre Attack
Creates or modifies windows services	Boot Survival	Windows Service
Modifies existing windows services	Boot Survival	Windows Service

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetCellcore NvwmiShells

Description

Details

TargetID:	1
Path:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetCellcore NvwmiShells
Value name:	Description
Value data:	NetCellcore NvwmiShells Provider net.msmq and msmq

Signature Hits	Behavior Group	Mitre Attack
Creates or modifies windows services	Boot Survival	Windows Service
Modifies existing windows services	Boot Survival	Windows Service

Memdumps

Base Address

Regiontype

Protect

Malicious

9EA000

unkown

page readonly

275E000

heap

page read and write

9EA000

unkown

page readonly

F68000

heap

page read and write

58F000

stack

page read and write

2DCF000

stack

page read and write

290E000

stack

page read and write

19FE000

stack

page read and write

1D15000

heap

page read and write

1D17000

heap

page read and write

1D5E000

heap

page read and write

2A0F000

stack

page read and write

1C8A000

heap

page read and write

1C8A000

heap

page read and write

8A8000

unkown

page write copy

9BD9000

heap

page read and write

1D75000

heap

page read and write

341F000

stack

page read and write

27CE000

stack

page read and write

1D3E000

heap

page read and write

13FB000

stack

page read and write

8200000

direct allocation

page read and write

253E000

stack

page read and write

1C83000

heap

page read and write

3A9E000

stack

page read and write

2E0E000

stack

page read and write

E7B000

stack

page read and write

1DAF000

heap

page read and write

2DBD000

stack

page read and write

329E000

stack

page read and write

1D56000

heap

page read and write

1C8A000

heap

page read and write

1C89000

heap

page read and write

1E16000

heap

page read and write

7DD9000

heap

page read and write

3EC000

unkown

page readonly

1B81000

heap

page read and write

2A4E000

stack

page read and write

881000

unkown

page execute read

31FF000

heap

page read and write

32F1000

heap

page read and write

19BF000

stack

page read and write

1D36000

heap

page read and write

18EE000

heap

page read and write

401000

unkown

page execute read

28A0000

heap

page read and write

96E000

stack

page read and write

8BC000

unkown

page readonly

E3F000

stack

page read and write

1C8F000

heap

page read and write

1E5D000

heap

page read and write

1D63000

heap

page read and write

1002B000

direct allocation

page execute and read and write

1E34000

heap

page read and write

35CF000

stack

page read and write

1C8C000

heap

page read and write

188D000

heap

page read and write

1C81000

heap

page read and write

2C8F000

stack

page read and write

D3F000

stack

page read and write

359E000

stack

page read and write

41C000

unkown

page execute and write copy

400000

unkown

page readonly

C44000

unkown

page read and write

595000

heap

page read and write

1E1F000

heap

page read and write

1D64000

heap

page read and write

F1A0000

trusted library allocation

page read and write

1C81000

heap

page read and write

421E000

stack

page read and write

C99000

heap

page read and write

1D6F000

heap

page read and write

3B1000

unkown

page execute read

3CDF000

stack

page read and write

40C000

unkown

page execute and read and write

1E09000

heap

page read and write

8A0000

unkown

page readonly

1C84000

heap

page read and write

1D3C000

heap

page read and write

1D21000

heap

page read and write

1625000

heap

page read and write

90000

heap

page read and write

8C00000

direct allocation

page read and write

1C8E000

heap

page read and write

46DF000

stack

page read and write

6E2000

heap

page read and write

1D37000

heap

page read and write

6400000

direct allocation

page read and write

206C000

stack

page read and write

43E000

unkown

page read and write

880000

unkown

page readonly

1C83000

heap

page read and write

18D1000

heap

page read and write

1EBF000

stack

page read and write

355F000

stack

page read and write

1D65000

heap

page read and write

216F000

heap

page read and write

5A62000

heap

page read and write

28CF000

stack

page read and write

1D4F000

heap

page read and write

1C84000

heap

page read and write

BAD000

unkown

page read and write

1C87000

heap

page read and write

1C81000

heap

page read and write

F60000

heap

page read and write

1C84000

heap

page read and write

91D9000

heap

page read and write

43E000

unkown

page write copy

1C83000

heap

page read and write

8AA000

unkown

page write copy

1D31000

heap

page read and write

5062000

heap

page read and write

880000

unkown

page readonly

1D71000

heap

page read and write

1C87000

heap

page read and write

1D1A000

heap

page read and write

1C8B000

heap

page read and write

1D4B000

heap

page read and write

1AFF000

stack

page read and write

381E000

stack

page read and write

1D16000

heap

page read and write

2780000

heap

page read and write

431F000

stack

page read and write

1D21000

heap

page read and write

1C82000

heap

page read and write

C9E000

heap

page read and write

1891000

heap

page read and write

10000000

direct allocation

page read and write

9DA000

unkown

page read and write

2995000

heap

page read and write

1C84000

heap

page read and write

459F000

stack

page read and write

227F000

stack

page read and write

590000

heap

page read and write

9600000

direct allocation

page read and write

23BF000

stack

page read and write

163E000

stack

page read and write

10001000

direct allocation

page execute and read and write

14FF000

stack

page read and write

740000

heap

page read and write

1026000

heap

page read and write

1C8F000

heap

page read and write

3B0000

unkown

page readonly

1D4E000

heap

page read and write

34CF000

unkown

page read and write

C4D000

unkown

page write copy

700000

heap

page read and write

9C000

stack

page read and write

3200000

direct allocation

page read and write

105F000

stack

page read and write

8B7000

unkown

page read and write

1891000

heap

page read and write

F9F000

heap

page read and write

1889000

heap

page read and write

409F000

stack

page read and write

1D24000

heap

page read and write

170000

heap

page read and write

880000

unkown

page readonly

445F000

stack

page read and write

43C000

unkown

page execute and read and write

331E000

stack

page read and write

1D76000

heap

page read and write

18F6000

heap

page read and write

266F000

stack

page read and write

305F000

stack

page read and write

316E000

unkown

page read and write

32F4000

heap

page read and write

226F000

stack

page read and write

7800000

direct allocation

page read and write

2F5E000

stack

page read and write

1D5E000

heap

page read and write

26C1000

direct allocation

page execute and read and write

391F000

stack

page read and write

187C000

heap

page read and write

1C88000

heap

page read and write

5000000

direct allocation

page read and write

970000

heap

page read and write

1C8C000

heap

page read and write

18D1000

heap

page read and write

3180000

heap

page read and write

2F10000

heap

page read and write

840000

heap

page read and write

94B0000

trusted library allocation

page read and write

5A00000

direct allocation

page read and write

A5D9000

heap

page read and write

177E000

stack

page read and write

3E71000

heap

page read and write

481F000

stack

page read and write

246F000

stack

page read and write

C90000

heap

page read and write

1D73000

heap

page read and write

400000

unkown

page readonly

40DE000

stack

page read and write

3F70000

trusted library allocation

page read and write

277F000

stack

page read and write

345E000

stack

page read and write

10001000

direct allocation

page execute and read and write

1D47000

heap

page read and write

1C84000

heap

page read and write

23FE000

stack

page read and write

87D9000

heap

page read and write

1D54000

heap

page read and write

2B90000

heap

page read and write

190E000

heap

page read and write

1B2D000

stack

page read and write

41DF000

stack

page read and write

3F5F000

stack

page read and write

8A8000

unkown

page write copy

5EA0000

heap

page read and write

1C3F000

stack

page read and write

217E000

stack

page read and write

173E000

stack

page read and write

3BDE000

stack

page read and write

1D44000

heap

page read and write

1D2F000

heap

page read and write

AFD9000

heap

page read and write

5DE000

stack

page read and write

8A0000

unkown

page readonly

43D000

unkown

page execute and write copy

1DF8000

heap

page read and write

540000

heap

page read and write

203E000

stack

page read and write

8B9000

unkown

page read and write

1002D000

direct allocation

page read and write

1C80000

heap

page read and write

1DBE000

stack

page read and write

1C86000

heap

page read and write

D87000

heap

page read and write

3F70000

heap

page read and write

1C86000

heap

page read and write

1D59000

heap

page read and write

10020000

direct allocation

page execute and read and write

8F0000

heap

page read and write

69A000

heap

page read and write

1C83000

heap

page read and write

1C8B000

heap

page read and write

435E000

stack

page read and write

2940000

heap

page read and write

485E000

stack

page read and write

186E000

heap

page read and write

881000

unkown

page execute read

1E3C000

heap

page read and write

1C0000

direct allocation

page execute read

495F000

stack

page read and write

19C000

stack

page read and write

8A0000

unkown

page readonly

C46000

unkown

page write copy

6C5000

heap

page read and write

1D36000

heap

page read and write

471E000

stack

page read and write

401000

unkown

page execute read

1D7F000

stack

page read and write

3D8000

unkown

page write copy

213F000

stack

page read and write

D87000

heap

page read and write

3C00000

direct allocation

page read and write

68D000

stack

page read and write

1DB8000

heap

page read and write

10013000

direct allocation

page execute and read and write

1C89000

heap

page read and write

690000

heap

page read and write

449E000

stack

page read and write

32D0000

heap

page read and write

1C83000

heap

page read and write

401000

unkown

page execute and read and write

32DC000

heap

page read and write

100E000

stack

page read and write

1FFF000

stack

page read and write

1DCF000

heap

page read and write

3D1E000

stack

page read and write

C48000

unkown

page write copy

3262000

heap

page read and write

4600000

direct allocation

page read and write

369F000

stack

page read and write

1EFE000

stack

page read and write

726000

heap

page read and write

3E1F000

stack

page read and write

2B4F000

stack

page read and write

319F000

stack

page read and write

15FF000

stack

page read and write

32DF000

stack

page read and write

1D78000

heap

page read and write

45DE000

stack

page read and write

1916000

heap

page read and write

2F0F000

stack

page read and write

2999000

direct allocation

page read and write

1600000

direct allocation

page execute and read and write

2CCE000

stack

page read and write

2800000

direct allocation

page read and write

29B1000

heap

page read and write

4662000

heap

page read and write

1D49000

heap

page read and write

1B3E000

stack

page read and write

10000000

direct allocation

page read and write

1D3A000

heap

page read and write

1C8A000

heap

page read and write

1C81000

heap

page read and write

190000

heap

page read and write

9DA000

unkown

page write copy

8CE000

stack

page read and write

6462000

heap

page read and write

267E000

stack

page read and write

730000

heap

page read and write

C4D000

unkown

page write copy

1020000

heap

page read and write

850000

heap

page read and write

8A8000

unkown

page read and write

8BC000

unkown

page readonly

184B000

heap

page read and write

1D43000

heap

page read and write

401000

unkown

page execute read

8BC000

unkown

page readonly

7862000

heap

page read and write

2B8E000

stack

page read and write

2163000

heap

page read and write

7DC000

stack

page read and write

1906000

heap

page read and write

1C81000

heap

page read and write

9DB000

unkown

page write copy

2950000

heap

page read and write

F5F000

stack

page read and write

460000

heap

page read and write

1D50000

heap

page read and write

D87000

heap

page read and write

1842000

heap

page read and write

24FF000

stack

page read and write

3E71000

heap

page read and write

3170000

heap

page read and write

1C86000

heap

page read and write

3E71000

heap

page read and write

1D50000

heap

page read and write

4970000

heap

page read and write

1889000

heap

page read and write

9E7000

unkown

page write copy

188D000

heap

page read and write

3D0000

unkown

page readonly

1C83000

heap

page read and write

10016000

direct allocation

page execute and read and write

36C0000

heap

page read and write

5D70000

heap

page read and write

1C83000

heap

page read and write

3A5F000

stack

page read and write

790000

heap

page read and write

1D27000

heap

page read and write

409000

unkown

page execute and read and write

400000

unkown

page readonly

1891000

heap

page read and write

18FE000

heap

page read and write

3F9E000

stack

page read and write

1C88000

heap

page read and write

2670000

direct allocation

page execute and read and write

1D48000

heap

page read and write

9DF000

unkown

page read and write

703000

heap

page read and write

92E000

stack

page read and write

1C86000

heap

page read and write

31DE000

stack

page read and write

188D000

heap

page read and write

309E000

stack

page read and write

298D000

heap

page read and write

5370000

heap

page read and write

647000

heap

page read and write

6DB000

stack

page read and write

1889000

heap

page read and write

36DE000

stack

page read and write

1D1B000

heap

page read and write

18D1000

heap

page read and write

1C89000

heap

page read and write

18BE000

stack

page read and write

881000

unkown

page execute read

30FD000

stack

page read and write

3C62000

heap

page read and write

37DF000

stack

page read and write

5E0000

heap

page read and write

7D76000

heap

page read and write

3120000

heap

page read and write

395E000

stack

page read and write

1DCE000

heap

page read and write

1DCE000

heap

page read and write

1C85000

heap

page read and write

1D25000

heap

page read and write

6E00000

direct allocation

page read and write

6E62000

heap

page read and write

1C88000

heap

page read and write

3E5E000

stack

page read and write

1C7E000

stack

page read and write

1C89000

heap

page read and write

1D4C000

heap

page read and write

1620000

heap

page read and write

32F3000

heap

page read and write

22BE000

stack

page read and write

187F000

stack

page read and write

1E3D000

heap

page read and write

400000

unkown

page readonly

15F0000

direct allocation

page execute and read and write

185B000

heap

page read and write

640000

heap

page read and write

BBF000

unkown

page read and write

26B1000

direct allocation

page execute and read and write

1B8E000

heap

page read and write

3B9F000

stack

page read and write

263F000

stack

page read and write

2AB0000

heap

page read and write

There are 393 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
R4WCgDAfHB.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportR4WCgDAfHB.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
R4WCgDAfHB.exe