Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

NK3SASJheq.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_NK3SASJheq.exe_935550bbe624d71162be5a7055a73ecdaddc33_a08b523a_8d219dea-c11a-43c0-aa3c-f4e967dd837d\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\BFHJECAAAFHIJKFIJEGC

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\CFBFCGIDAKECGCBGDBAFIDHCFB

SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2

dropped

C:\ProgramData\COUBMCBZDK.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\DHJDAFIEHIEGDHIDGDGHDHJJJD

SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7

dropped

C:\ProgramData\EBAAAFBGDBKKEBGCFCBF

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\FBAKEHIEBKJJJJJKKKEGHJEBAF

SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4

dropped

C:\ProgramData\GAOBCVIQIJ.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\GAOBCVIQIJ.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\HCAFIJDG

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3

dropped

C:\ProgramData\JEBFIIIE

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7

dropped

C:\ProgramData\KEHDBAEGIIIEBGCAAFHI

ASCII text, with very long lines (1765), with CRLF line terminators

dropped

C:\ProgramData\KJEHCGDBFCBAKECBKKEBKEBFCA

SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5536.tmp.dmp

Mini DuMP crash report, 14 streams, Thu Oct 24 06:38:46 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5779.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5799.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\NWCXBPIUYI.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\OVWVVIANZH.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\PIVFAGEAAV.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\PWCCAWLGRE.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\QCFWYSKMHA.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\QCFWYSKMHA.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\SQSJKEBWDT.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\SQSJKEBWDT.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\VWDFPKGDUF.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\WSHEJMDVQC.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\ZGGKNSUKOP.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\ZGGKNSUKOP.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\ZQIXMVQGAH.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\freebl3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\mozglue.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\msvcp140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\ProgramData\nss3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\softokn3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\vcruntime140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\freebl3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\mozglue[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\msvcp140[1].dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\nss3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\softokn3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\vcruntime140[1].dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm

data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-shm

data

dropped

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

There are 35 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\NK3SASJheq.exe

"C:\Users\user\Desktop\NK3SASJheq.exe"

Details

Is windows:	false
Is dropped:	false
PID:	636
Target ID:	0
Parent PID:	4084
Name:	NK3SASJheq.exe
Path:	C:\Users\user\Desktop\NK3SASJheq.exe
Commandline:	"C:\Users\user\Desktop\NK3SASJheq.exe"
Size:	350720
MD5:	4EAA701F7C45F26C36FC162FA7C6FF85
Time:	02:38:13
Date:	24/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	2494464
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected Stealc	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 2336

Details

Is windows:	true
Is dropped:	false
PID:	4352
Target ID:	6
Parent PID:	636
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 2336
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	02:38:45
Date:	24/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xb20000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://62.204.41.176/db293a2c1b1c70c4/mozglue.dll

62.204.41.176

http://62.204.41.176

unknown

http://62.204.41.176/db293a2c1b1c70c4/nss3.dll

62.204.41.176

http://62.204.41.176/db293a2c1b1c70c4/softokn3.dll

62.204.41.176

http://62.204.41.176/db293a2c1b1c70c4/vcruntime140.dll

62.204.41.176

http://62.204.41.176/edd20096ecef326d.php

62.204.41.176

http://62.204.41.176/db293a2c1b1c70c4/sqlite3.dll

62.204.41.176

http://62.204.41.176/db293a2c1b1c70c4/freebl3.dll

62.204.41.176

http://62.204.41.176/db293a2c1b1c70c4/msvcp140.dll

62.204.41.176

http://62.204.41.176/

62.204.41.176

https://duckduckgo.com/chrome_newtab

unknown

http://62.204.41.176xlsxxlsxef326d.phpN4fDEwfDF8MXwwfERPQ3wlRE9DVU1FTlRTJVx8Ki50eHQsKi5kb2N4LCoueGxz

unknown

https://duckduckgo.com/ac/?q=

unknown

http://62.204.41.176/edd20096ecef326d.phpybK

unknown

http://62.204.41.176xlsxxlsxtent-Disposition:

unknown

http://62.204.41.176/edd20096ecef326d.phpowser

unknown

http://62.204.41.176/edd20096ecef326d.phpWindows

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

http://62.204.41.176/edd20096ecef326d.phpic

unknown

http://62.204.41.176/edd20096ecef326d.phpqcC

unknown

https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi

unknown

http://62.204.41.176/db293a2c1b1c70c4/sqlite3.dlll

unknown

http://62.204.41.176/db293a2c1b1c70c4/nss3.dllR

unknown

http://62.204.41.176/edd20096ecef326d.phpUb

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

http://62.204.41.176/y

unknown

http://62.204.41.176/db293a2c1b1c70c4/nss3.dllDaQ

unknown

http://62.204.41.176/edd20096ecef326d.phpG#

unknown

http://62.204.41.176/db293a2c1b1c70c4/nss3.dllu

unknown

http://62.204.41.176/edd20096ecef326d.php=b

unknown

http://www.sqlite.org/copyright.html.

unknown

http://62.204.41.176xlsx096ecef326d.phpition:

unknown

http://62.204.41.176/edd20096ecef326d.php5c

unknown

http://www.mozilla.com/en-US/blocklist/

unknown

https://mozilla.org0/

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

http://62.204.41.176/edd20096ecef326d.php-c

unknown

https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l

unknown

http://62.204.41.176/edd20096ecef326d.php1b

unknown

http://62.204.41.176/edd20096ecef326d.phpum-LTC

unknown

http://62.204.41.176/edd20096ecef326d.phpMbG

unknown

http://62.204.41.176xlsx

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://62.204.41.176/edd20096ecef326d.phpO

unknown

http://upx.sf.net

unknown

http://62.204.41.176/edd20096ecef326d.phpware

unknown

http://62.204.41.176FHIEB

unknown

https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.

unknown

http://62.204.41.176/edd20096ecef326d.phpN4fDEwfDF8MXwwfERPQ3wlRE9DVU1FTlRTJVx8Ki50eHQsKi5kb2N4LCoue

unknown

https://www.ecosia.org/newtab/

unknown

https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br

unknown

https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

http://62.204.41.176/edd20096ecef326d.phpition:

unknown

http://62.204.41.176CGIJE

unknown

https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg

unknown

http://62.204.41.176/edd20096ecef326d.phpe

unknown

http://62.204.41.176/edd20096ecef326d.phpoft

unknown

http://62.204.41.176/edd20096ecef326d.phprefox

unknown

https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u

unknown

https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta

unknown

https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg

unknown

https://support.mozilla.org

unknown

http://62.204.41.176/edd20096ecef326d.phpents

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

http://62.204.41.176/edd20096ecef326d.phpp

unknown

There are 56 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

62.204.41.176

unknown

United Kingdom

Details

IP:	62.204.41.176
TargetID:	0
Current Path:	C:\Users\user\Desktop\NK3SASJheq.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	30798
ASN name:	TNNET-ASTNNetOyMainnetworkFI
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

\REGISTRY\A\{d8782d8e-28a2-f196-485e-6507a20d7b80}\Root\InventoryApplicationFile\nk3sasjheq.exe|a0ac60ea4cd387d3

ProgramId

\REGISTRY\A\{d8782d8e-28a2-f196-485e-6507a20d7b80}\Root\InventoryApplicationFile\nk3sasjheq.exe|a0ac60ea4cd387d3

FileId

\REGISTRY\A\{d8782d8e-28a2-f196-485e-6507a20d7b80}\Root\InventoryApplicationFile\nk3sasjheq.exe|a0ac60ea4cd387d3

LowerCaseLongPath

\REGISTRY\A\{d8782d8e-28a2-f196-485e-6507a20d7b80}\Root\InventoryApplicationFile\nk3sasjheq.exe|a0ac60ea4cd387d3

LongPathHash

\REGISTRY\A\{d8782d8e-28a2-f196-485e-6507a20d7b80}\Root\InventoryApplicationFile\nk3sasjheq.exe|a0ac60ea4cd387d3

Name

\REGISTRY\A\{d8782d8e-28a2-f196-485e-6507a20d7b80}\Root\InventoryApplicationFile\nk3sasjheq.exe|a0ac60ea4cd387d3

OriginalFileName

\REGISTRY\A\{d8782d8e-28a2-f196-485e-6507a20d7b80}\Root\InventoryApplicationFile\nk3sasjheq.exe|a0ac60ea4cd387d3

Publisher

\REGISTRY\A\{d8782d8e-28a2-f196-485e-6507a20d7b80}\Root\InventoryApplicationFile\nk3sasjheq.exe|a0ac60ea4cd387d3

Version

\REGISTRY\A\{d8782d8e-28a2-f196-485e-6507a20d7b80}\Root\InventoryApplicationFile\nk3sasjheq.exe|a0ac60ea4cd387d3

BinFileVersion

\REGISTRY\A\{d8782d8e-28a2-f196-485e-6507a20d7b80}\Root\InventoryApplicationFile\nk3sasjheq.exe|a0ac60ea4cd387d3

BinaryType

\REGISTRY\A\{d8782d8e-28a2-f196-485e-6507a20d7b80}\Root\InventoryApplicationFile\nk3sasjheq.exe|a0ac60ea4cd387d3

ProductName

\REGISTRY\A\{d8782d8e-28a2-f196-485e-6507a20d7b80}\Root\InventoryApplicationFile\nk3sasjheq.exe|a0ac60ea4cd387d3

ProductVersion

\REGISTRY\A\{d8782d8e-28a2-f196-485e-6507a20d7b80}\Root\InventoryApplicationFile\nk3sasjheq.exe|a0ac60ea4cd387d3

LinkDate

\REGISTRY\A\{d8782d8e-28a2-f196-485e-6507a20d7b80}\Root\InventoryApplicationFile\nk3sasjheq.exe|a0ac60ea4cd387d3

BinProductVersion

\REGISTRY\A\{d8782d8e-28a2-f196-485e-6507a20d7b80}\Root\InventoryApplicationFile\nk3sasjheq.exe|a0ac60ea4cd387d3

AppxPackageFullName

\REGISTRY\A\{d8782d8e-28a2-f196-485e-6507a20d7b80}\Root\InventoryApplicationFile\nk3sasjheq.exe|a0ac60ea4cd387d3

AppxPackageRelativeId

\REGISTRY\A\{d8782d8e-28a2-f196-485e-6507a20d7b80}\Root\InventoryApplicationFile\nk3sasjheq.exe|a0ac60ea4cd387d3

Size

\REGISTRY\A\{d8782d8e-28a2-f196-485e-6507a20d7b80}\Root\InventoryApplicationFile\nk3sasjheq.exe|a0ac60ea4cd387d3

Language

\REGISTRY\A\{d8782d8e-28a2-f196-485e-6507a20d7b80}\Root\InventoryApplicationFile\nk3sasjheq.exe|a0ac60ea4cd387d3

Usn

There are 9 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2460000

direct allocation

page read and write

2410000

direct allocation

page execute and read and write

9B8000

heap

page read and write

400000

unkown

page execute and read and write

20FE7000

heap

page read and write

485000

unkown

page execute and read and write

270DF000

heap

page read and write

6CBB0000

unkown

page readonly

27071000

heap

page read and write

2706C000

heap

page read and write

20FE7000

heap

page read and write

45A000

unkown

page execute and read and write

1AB5E000

stack

page read and write

97A000

heap

page read and write

61E00000

direct allocation

page execute and read and write

6CC42000

unkown

page readonly

1A8DE000

stack

page read and write

27061000

heap

page read and write

21002000

heap

page read and write

20FD9000

heap

page read and write

5CB000

unkown

page execute and read and write

26C0000

heap

page read and write

7D0000

heap

page read and write

400000

unkown

page readonly

20FD1000

heap

page read and write

2707F000

heap

page read and write

6CC51000

unkown

page execute read

20FE5000

heap

page read and write

401000

unkown

page execute read

1AF10000

trusted library allocation

page read and write

20FED000

heap

page read and write

61EB4000

direct allocation

page read and write

20FDF000

heap

page read and write

98E000

heap

page execute and read and write

20FDD000

heap

page read and write

27020000

heap

page read and write

20FE5000

heap

page read and write

20F29000

heap

page read and write

8DF000

stack

page read and write

20FE0000

heap

page read and write

210C0000

heap

page read and write

61ED3000

direct allocation

page read and write

5A5000

unkown

page execute and read and write

20FE7000

heap

page read and write

268E000

stack

page read and write

20FE5000

heap

page read and write

20FE3000

heap

page read and write

20FE0000

heap

page read and write

740000

heap

page read and write

2D163000

heap

page read and write

4E2000

unkown

page execute and read and write

6CE2E000

unkown

page read and write

20FC2000

heap

page read and write

20FED000

heap

page read and write

6CE30000

unkown

page read and write

24CE000

stack

page read and write

270F2000

heap

page read and write

9C000

stack

page read and write

438000

unkown

page readonly

40E000

unkown

page execute read

21003000

heap

page read and write

20FE7000

heap

page read and write

488000

unkown

page execute and read and write

510000

unkown

page execute and read and write

6CDEF000

unkown

page readonly

51B000

unkown

page readonly

20FE7000

heap

page read and write

20FE7000

heap

page read and write

1AB1D000

stack

page read and write

20FD9000

heap

page read and write

195000

stack

page read and write

4BD000

unkown

page execute and read and write

6CBB1000

unkown

page execute read

20FDE000

heap

page read and write

20FE7000

heap

page read and write

20FCD000

heap

page read and write

20FE7000

heap

page read and write

27083000

heap

page read and write

970000

heap

page read and write

1AC9E000

stack

page read and write

1F0000

heap

page read and write

7D7000

heap

page read and write

20FD1000

heap

page read and write

20FD9000

heap

page read and write

21003000

heap

page read and write

A6D000

heap

page read and write

4EF000

unkown

page execute and read and write

5C5000

unkown

page execute and read and write

1AE11000

heap

page read and write

20FED000

heap

page read and write

43B000

unkown

page write copy

20FEC000

heap

page read and write

20FE7000

heap

page read and write

20FE5000

heap

page read and write

2D15B000

heap

page read and write

27088000

heap

page read and write

20FE1000

heap

page read and write

20FCD000

heap

page read and write

61E01000

direct allocation

page execute read

61EB7000

direct allocation

page readonly

27077000

heap

page read and write

20FF5000

heap

page read and write

20FD7000

heap

page read and write

20FD9000

heap

page read and write

20FC0000

heap

page read and write

1AF1F000

heap

page read and write

61ECD000

direct allocation

page readonly

2540000

heap

page read and write

20FE5000

heap

page read and write

20FE5000

heap

page read and write

9EE000

heap

page read and write

1A9DF000

stack

page read and write

20FE7000

heap

page read and write

6CE2F000

unkown

page write copy

21003000

heap

page read and write

1AA1E000

stack

page read and write

20FE7000

heap

page read and write

2543000

heap

page read and write

1A79F000

stack

page read and write

20FE5000

heap

page read and write

20FF5000

heap

page read and write

20FE5000

heap

page read and write

1AC5E000

stack

page read and write

21003000

heap

page read and write

20FE7000

heap

page read and write

1A89F000

stack

page read and write

20FCA000

heap

page read and write

20FE3000

heap

page read and write

1AE10000

heap

page read and write

20FDA000

heap

page read and write

48F000

unkown

page execute and read and write

20FF5000

heap

page read and write

61ECC000

direct allocation

page read and write

20FE7000

heap

page read and write

61ED0000

direct allocation

page read and write

6CC50000

unkown

page readonly

20FF4000

heap

page read and write

6CC2D000

unkown

page readonly

24D0000

heap

page read and write

78E000

stack

page read and write

20FD6000

heap

page read and write

20FE7000

heap

page read and write

20FF4000

heap

page read and write

264F000

stack

page read and write

64A000

unkown

page execute and read and write

97E000

heap

page read and write

21002000

heap

page read and write

20FED000

heap

page read and write

2D15C000

heap

page read and write

1AD9E000

stack

page read and write

20FED000

heap

page read and write

20FD1000

heap

page read and write

2100D000

heap

page read and write

254C000

heap

page read and write

20FCB000

heap

page read and write

20FE3000

heap

page read and write

20FE7000

heap

page read and write

20FE7000

heap

page read and write

2100D000

heap

page read and write

251E000

stack

page read and write

20FD9000

heap

page read and write

20FD1000

heap

page read and write

2D169000

heap

page read and write

7D5000

heap

page read and write

2100D000

heap

page read and write

20FED000

heap

page read and write

A09000

heap

page read and write

20FDE000

heap

page read and write

20FE7000

heap

page read and write

20FD9000

heap

page read and write

A6A000

heap

page read and write

27040000

heap

page read and write

2100D000

heap

page read and write

20FF5000

heap

page read and write

20FCA000

heap

page read and write

2470000

heap

page read and write

20FED000

heap

page read and write

6CC3E000

unkown

page read and write

20FDA000

heap

page read and write

2D164000

heap

page read and write

20FCB000

heap

page read and write

270CB000

heap

page read and write

20E87000

heap

page read and write

20FDA000

heap

page read and write

20FE5000

heap

page read and write

20FE7000

heap

page read and write

2706E000

heap

page read and write

20FE4000

heap

page read and write

20FE3000

heap

page read and write

65C000

unkown

page execute and read and write

4B1000

unkown

page execute and read and write

20FE5000

heap

page read and write

1AE00000

heap

page read and write

51B000

unkown

page execute and read and write

61ED4000

direct allocation

page readonly

20FE7000

heap

page read and write

6CE35000

unkown

page readonly

20FE7000

heap

page read and write

492000

unkown

page execute and read and write

7CE000

stack

page read and write

B6F000

stack

page read and write

91E000

stack

page read and write

C6E000

stack

page read and write

20FD7000

heap

page read and write

There are 194 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
NK3SASJheq.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportNK3SASJheq.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
NK3SASJheq.exe