Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

v32oH5Xhqw.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_v32oH5Xhqw.exe_761f3dd389387ec95f0c31ebe565003211cdf6_794c86f1_f6212bad-a0bf-4963-a377-f0ba69be4a17\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\AKKEHIECFCAAFIEBGIDA

ASCII text, with very long lines (1743), with CRLF line terminators

dropped

C:\ProgramData\BAFCFBAEGDHIEBFHDGCB

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\BJZFPPWAPT.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\BJZFPPWAPT.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\BQJUWOYRTO.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\BQJUWOYRTO.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\CGDGIJKFIJDAAAKFHIEGDGCAAA

SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3

dropped

C:\ProgramData\DHIEHIIEHIEHJKEBKEHJKJEBGI

SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2

dropped

C:\ProgramData\DUUDTUBZFW.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\EBAKEBAE

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3

dropped

C:\ProgramData\EBKKKEGIDBGHIDGDHDBF

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1

dropped

C:\ProgramData\EFOYFBOLXA.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\EFOYFBOLXA.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\EHDGIJJD

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\ProgramData\EIVQSAOTAQ.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\FGAWOVZUJP.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\GNJEVOXLLS.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\GRXZDKKVDB.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\IIDHJKFBGIIJJKFIJDBGCBGHID

SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4

dropped

C:\ProgramData\KEBKJDBAAKJDGCBFHCFCGIEBFB

SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER96A5.tmp.dmp

Mini DuMP crash report, 14 streams, Fri Oct 25 20:27:19 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER97B0.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER980F.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\NVWZAPQSQL.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\NWCXBPIUYI.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\NWCXBPIUYI.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\WSHEJMDVQC.docx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\ZGGKNSUKOP.xlsx

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\ProgramData\freebl3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\mozglue.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\msvcp140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\ProgramData\nss3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\softokn3.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\ProgramData\vcruntime140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm

data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

data

dropped

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

There are 35 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\v32oH5Xhqw.exe

"C:\Users\user\Desktop\v32oH5Xhqw.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4268
Target ID:	0
Parent PID:	1028
Name:	v32oH5Xhqw.exe
Path:	C:\Users\user\Desktop\v32oH5Xhqw.exe
Commandline:	"C:\Users\user\Desktop\v32oH5Xhqw.exe"
Size:	351744
MD5:	E00B441455DC50083BB537C343EB1B99
Time:	16:26:56
Date:	25/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	2494464
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Yara detected Stealc	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Vidar stealer	Stealing of Sensitive Information, Remote Access Functionality
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 2212

Details

Is windows:	true
Is dropped:	false
PID:	1772
Target ID:	5
Parent PID:	4268
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 2212
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	16:27:19
Date:	25/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x9f0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://62.204.41.177/db293a2c1b1c70c4/msvcp140.dll

62.204.41.177

http://62.204.41.177

unknown

http://62.204.41.177/db293a2c1b1c70c4/vcruntime140.dll

62.204.41.177

http://62.204.41.177/edd20096ecef326d.php

62.204.41.177

http://62.204.41.177/db293a2c1b1c70c4/nss3.dll

62.204.41.177

http://62.204.41.177/db293a2c1b1c70c4/mozglue.dll

62.204.41.177

http://62.204.41.177/db293a2c1b1c70c4/sqlite3.dll

62.204.41.177

http://62.204.41.177/db293a2c1b1c70c4/freebl3.dll

62.204.41.177

http://62.204.41.177/

62.204.41.177

http://62.204.41.177/db293a2c1b1c70c4/softokn3.dll

62.204.41.177

https://duckduckgo.com/chrome_newtab

unknown

https://duckduckgo.com/ac/?q=

unknown

http://62.204.41.177/edd20096ecef326d.php~s

unknown

http://62.204.41.177/db293a2c1b1c70c4/nss3.dll5

unknown

https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi

unknown

https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.

unknown

http://62.204.41.177/db293a2c1b1c70c4/mozglue.dll.

unknown

http://62.204.41.177/db293a2c1b1c70c4/mozglue.dll0

unknown

http://62.204.41.177/db293a2c1b1c70c4/softokn3.dllP

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

http://62.204.41.177/edd20096ecef326d.phpoft

unknown

http://62.204.41.177FCFII

unknown

http://62.204.41.177/edd20096ecef326d.phpe

unknown

http://62.204.41.177/edd20096ecef326d.phpa

unknown

http://62.204.41.177/edd20096ecef326d.phpowser

unknown

http://62.204.41.177/db293a2c1b1c70c4/nss3.dll_

unknown

http://62.204.41.177/edd20096ecef326d.phpWindows

unknown

http://62.204.41.177/edd20096ecef326d.phppG

unknown

http://62.204.41.177/edd20096ecef326d.php9d24a6706c098423e054ba02deae9f

unknown

http://62.204.41.177sition:

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

http://62.204.41.177AEBFH

unknown

http://62.204.41.177/edd20096ecef326d.phpition:

unknown

http://62.204.41.177/edd20096ecef326d.phpme=

unknown

http://62.204.41.177/edd20096ecef326d.php?

unknown

http://www.sqlite.org/copyright.html.

unknown

http://62.204.41.177/edd20096ecef326d.phpN4fDEwfDF8MXwwfERPQ3wlRE9DVU1FTlRTJVx8Ki50eHQsKi5kb2N4LCoue

unknown

http://62.204.41.177/db293a2c1b1c70c4/vcruntime140.dllI

unknown

http://www.mozilla.com/en-US/blocklist/

unknown

http://62.204.41.177/k

unknown

https://mozilla.org0/

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

http://62.204.41.177/edd20096ecef326d.php4

unknown

http://62.204.41.177edd20096ecef326d.phpN4fDEwfDF8MXwwfERPQ3wlRE9DVU1FTlRTJVx8Ki50eHQsKi5kb2N4LCoueG

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://62.204.41.177/edd20096ecef326d.phponCash

unknown

http://62.204.41.177/db293a2c1b1c70c4/sqlite3.dllN

unknown

http://upx.sf.net

unknown

https://www.ecosia.org/newtab/

unknown

https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta

unknown

https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br

unknown

http://62.204.41.177/db293a2c1b1c70c4/nss3.dllc

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg

unknown

http://62.204.41.177/edd20096ecef326d.phpoinomi

unknown

http://62.204.41.177/db293a2c1b1c70c4/freebl3.dllv

unknown

https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg

unknown

https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL

unknown

https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref

unknown

http://62.204.41.177/db293a2c1b1c70c4/msvcp140.dll4

unknown

https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477

unknown

https://support.mozilla.org

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

There are 53 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

62.204.41.177

unknown

United Kingdom

Details

IP:	62.204.41.177
TargetID:	0
Current Path:	C:\Users\user\Desktop\v32oH5Xhqw.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	30798
ASN name:	TNNET-ASTNNetOyMainnetworkFI
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
HTTP GET or POST without a user agent	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

\REGISTRY\A\{378c987e-f40a-ae86-115a-bc8e80c7a570}\Root\InventoryApplicationFile\v32oh5xhqw.exe|b5491d35fe935b65

ProgramId

\REGISTRY\A\{378c987e-f40a-ae86-115a-bc8e80c7a570}\Root\InventoryApplicationFile\v32oh5xhqw.exe|b5491d35fe935b65

FileId

\REGISTRY\A\{378c987e-f40a-ae86-115a-bc8e80c7a570}\Root\InventoryApplicationFile\v32oh5xhqw.exe|b5491d35fe935b65

LowerCaseLongPath

\REGISTRY\A\{378c987e-f40a-ae86-115a-bc8e80c7a570}\Root\InventoryApplicationFile\v32oh5xhqw.exe|b5491d35fe935b65

LongPathHash

\REGISTRY\A\{378c987e-f40a-ae86-115a-bc8e80c7a570}\Root\InventoryApplicationFile\v32oh5xhqw.exe|b5491d35fe935b65

Name

\REGISTRY\A\{378c987e-f40a-ae86-115a-bc8e80c7a570}\Root\InventoryApplicationFile\v32oh5xhqw.exe|b5491d35fe935b65

OriginalFileName

\REGISTRY\A\{378c987e-f40a-ae86-115a-bc8e80c7a570}\Root\InventoryApplicationFile\v32oh5xhqw.exe|b5491d35fe935b65

Publisher

\REGISTRY\A\{378c987e-f40a-ae86-115a-bc8e80c7a570}\Root\InventoryApplicationFile\v32oh5xhqw.exe|b5491d35fe935b65

Version

\REGISTRY\A\{378c987e-f40a-ae86-115a-bc8e80c7a570}\Root\InventoryApplicationFile\v32oh5xhqw.exe|b5491d35fe935b65

BinFileVersion

\REGISTRY\A\{378c987e-f40a-ae86-115a-bc8e80c7a570}\Root\InventoryApplicationFile\v32oh5xhqw.exe|b5491d35fe935b65

BinaryType

\REGISTRY\A\{378c987e-f40a-ae86-115a-bc8e80c7a570}\Root\InventoryApplicationFile\v32oh5xhqw.exe|b5491d35fe935b65

ProductName

\REGISTRY\A\{378c987e-f40a-ae86-115a-bc8e80c7a570}\Root\InventoryApplicationFile\v32oh5xhqw.exe|b5491d35fe935b65

ProductVersion

\REGISTRY\A\{378c987e-f40a-ae86-115a-bc8e80c7a570}\Root\InventoryApplicationFile\v32oh5xhqw.exe|b5491d35fe935b65

LinkDate

\REGISTRY\A\{378c987e-f40a-ae86-115a-bc8e80c7a570}\Root\InventoryApplicationFile\v32oh5xhqw.exe|b5491d35fe935b65

BinProductVersion

\REGISTRY\A\{378c987e-f40a-ae86-115a-bc8e80c7a570}\Root\InventoryApplicationFile\v32oh5xhqw.exe|b5491d35fe935b65

AppxPackageFullName

\REGISTRY\A\{378c987e-f40a-ae86-115a-bc8e80c7a570}\Root\InventoryApplicationFile\v32oh5xhqw.exe|b5491d35fe935b65

AppxPackageRelativeId

\REGISTRY\A\{378c987e-f40a-ae86-115a-bc8e80c7a570}\Root\InventoryApplicationFile\v32oh5xhqw.exe|b5491d35fe935b65

Size

\REGISTRY\A\{378c987e-f40a-ae86-115a-bc8e80c7a570}\Root\InventoryApplicationFile\v32oh5xhqw.exe|b5491d35fe935b65

Language

\REGISTRY\A\{378c987e-f40a-ae86-115a-bc8e80c7a570}\Root\InventoryApplicationFile\v32oh5xhqw.exe|b5491d35fe935b65

Usn

There are 9 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

916000

heap

page read and write

800000

direct allocation

page execute and read and write

400000

unkown

page execute and read and write

BD0000

direct allocation

page read and write

5CB000

unkown

page execute and read and write

26F51000

heap

page read and write

BCF000

stack

page read and write

438000

unkown

page readonly

20EC0000

heap

page read and write

20EC3000

heap

page read and write

20EAD000

heap

page read and write

20EC7000

heap

page read and write

6BE000

stack

page read and write

6C8D5000

unkown

page readonly

48F000

unkown

page execute and read and write

8DA000

heap

page read and write

20EE3000

heap

page read and write

64A000

unkown

page execute and read and write

20EBA000

heap

page read and write

8A0000

heap

page read and write

20EB9000

heap

page read and write

6C88F000

unkown

page readonly

94B000

heap

page read and write

20EC4000

heap

page read and write

8DE000

heap

page read and write

6C6E2000

unkown

page readonly

20EC5000

heap

page read and write

20EB6000

heap

page read and write

20EBA000

heap

page read and write

20EE2000

heap

page read and write

20EC7000

heap

page read and write

20EED000

heap

page read and write

1ACC0000

heap

page read and write

6C8CF000

unkown

page write copy

ACF000

stack

page read and write

6C651000

unkown

page execute read

20EC7000

heap

page read and write

2D19A000

heap

page read and write

20EC7000

heap

page read and write

4E2000

unkown

page execute and read and write

2D0EF000

stack

page read and write

20EC5000

heap

page read and write

20EC7000

heap

page read and write

61ECC000

direct allocation

page read and write

20ECD000

heap

page read and write

20EC7000

heap

page read and write

6FE000

stack

page read and write

4BD000

unkown

page execute and read and write

20ECD000

heap

page read and write

725000

heap

page read and write

6C6F0000

unkown

page readonly

5C5000

unkown

page execute and read and write

20FA6000

heap

page read and write

20EB7000

heap

page read and write

20EC7000

heap

page read and write

2D193000

heap

page read and write

20EED000

heap

page read and write

CAC000

heap

page read and write

20EC3000

heap

page read and write

20EC5000

heap

page read and write

401000

unkown

page execute read

1A61F000

stack

page read and write

20EC0000

heap

page read and write

8D0000

heap

page read and write

20ECD000

heap

page read and write

20EAB000

heap

page read and write

61EB7000

direct allocation

page readonly

20EAA000

heap

page read and write

20EB1000

heap

page read and write

6C650000

unkown

page readonly

40E000

unkown

page execute read

1F0000

heap

page read and write

20EC5000

heap

page read and write

9C000

stack

page read and write

20EED000

heap

page read and write

20EC7000

heap

page read and write

61ED0000

direct allocation

page read and write

20EC7000

heap

page read and write

1A71F000

stack

page read and write

20EC7000

heap

page read and write

20EB1000

heap

page read and write

CA6000

heap

page read and write

20EBF000

heap

page read and write

20EC5000

heap

page read and write

2CFEE000

stack

page read and write

43B000

unkown

page write copy

20EC7000

heap

page read and write

51B000

unkown

page execute and read and write

20EAA000

heap

page read and write

727000

heap

page read and write

61ED4000

direct allocation

page readonly

20EAB000

heap

page read and write

20EC5000

heap

page read and write

20ED5000

heap

page read and write

485000

unkown

page execute and read and write

61ED3000

direct allocation

page read and write

20D4D000

heap

page read and write

26F10000

heap

page read and write

C0E000

stack

page read and write

20ED5000

heap

page read and write

983000

heap

page read and write

5A5000

unkown

page execute and read and write

8EC000

heap

page execute and read and write

20EBA000

heap

page read and write

C5E000

stack

page read and write

20EC7000

heap

page read and write

CA0000

heap

page read and write

1ADD8000

heap

page read and write

20EC7000

heap

page read and write

20EB9000

heap

page read and write

6C6DE000

unkown

page read and write

20EED000

heap

page read and write

20EE3000

heap

page read and write

61E01000

direct allocation

page execute read

C10000

heap

page read and write

20EAD000

heap

page read and write

20EC7000

heap

page read and write

20EC5000

heap

page read and write

61E00000

direct allocation

page execute and read and write

20ED5000

heap

page read and write

988000

heap

page read and write

20DFE000

heap

page read and write

45A000

unkown

page execute and read and write

20ED4000

heap

page read and write

1A51F000

stack

page read and write

26F30000

heap

page read and write

61ECD000

direct allocation

page readonly

400000

unkown

page readonly

CA3000

heap

page read and write

1AB0E000

stack

page read and write

670000

heap

page read and write

2D18B000

heap

page read and write

492000

unkown

page execute and read and write

20EC5000

heap

page read and write

195000

stack

page read and write

1ACD1000

heap

page read and write

1AA0E000

stack

page read and write

20EB1000

heap

page read and write

1A9BD000

stack

page read and write

20ED5000

heap

page read and write

20EB9000

heap

page read and write

C9E000

stack

page read and write

20EC7000

heap

page read and write

20EBE000

heap

page read and write

2D194000

heap

page read and write

20EC3000

heap

page read and write

20ECD000

heap

page read and write

20EBD000

heap

page read and write

4EF000

unkown

page execute and read and write

6C6CD000

unkown

page readonly

995000

heap

page read and write

6C8CE000

unkown

page read and write

20EE3000

heap

page read and write

20EC7000

heap

page read and write

6C6F1000

unkown

page execute read

50F000

unkown

page execute and read and write

20EC1000

heap

page read and write

20EC3000

heap

page read and write

20EB1000

heap

page read and write

20ECC000

heap

page read and write

4B1000

unkown

page execute and read and write

20ED4000

heap

page read and write

1ACD0000

heap

page read and write

98D000

heap

page read and write

20EB9000

heap

page read and write

20EC7000

heap

page read and write

20EC7000

heap

page read and write

720000

heap

page read and write

2D18C000

heap

page read and write

20EC5000

heap

page read and write

20EC5000

heap

page read and write

1A8BE000

stack

page read and write

26FDF000

heap

page read and write

20EE2000

heap

page read and write

51B000

unkown

page readonly

93B000

heap

page read and write

20EB7000

heap

page read and write

1AC9E000

stack

page read and write

20EBE000

heap

page read and write

20EA2000

heap

page read and write

20EE3000

heap

page read and write

1A76E000

stack

page read and write

6C8D0000

unkown

page read and write

20ECD000

heap

page read and write

20EB9000

heap

page read and write

99A000

heap

page read and write

20EB9000

heap

page read and write

61EB4000

direct allocation

page read and write

1A86F000

stack

page read and write

20ECD000

heap

page read and write

890000

heap

page read and write

488000

unkown

page execute and read and write

65C000

unkown

page execute and read and write

969000

heap

page read and write

20EC7000

heap

page read and write

20EA0000

heap

page read and write

20ECD000

heap

page read and write

1ADD0000

trusted library allocation

page read and write

1AB9E000

stack

page read and write

There are 189 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
v32oH5Xhqw.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportv32oH5Xhqw.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
v32oH5Xhqw.exe