Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

windxcmd.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.999409826341136
Filename:	windxcmd.exe
Filesize:	3542528
MD5:	65f2df92724e59cabe9cc5f12768ad93
SHA1:	6f21c66f2c529d37b046f53b04e3fd3baf91b13b
SHA256:	bd5f54fa6a6b85d25c93c790c1b63f28f557cb7d9c1a79cbe702df30f6d0cc07
SHA512:	59d5584d99401502babae333b85c68b39ca027710b19d27711b083526812593cdaca14c4e68f1b4f31daabbf1c8c7881e0ccd289567bd296fc7718f8dfed78f0
SSDEEP:	98304:L/NSW1ks76/dzpo0XxEVDixT8tgbCfBIo:L/NShxp5+ViwgbB
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c.Cg..................6.........~"6.. ...@6...@.. ........................6...........@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Drops PE files with benign system names	Persistence and Installation Behavior
Machine Learning detection for sample	AV Detection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Drops PE files	Persistence and Installation Behavior
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Yara signature match	System Summary
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Drops files with a known system name (to hide its detection)
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\windxcmd.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\windxcmd.exe.log
Category:	dropped
Dump:	windxcmd.exe.log.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\windxcmd.exe
Type:	CSV text
Entropy:	5.380476433908377
Encrypted:	false
Ssdeep:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
Size:	654
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Roaming\svchost.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\svchost.exe
Category:	dropped
Dump:	svchost.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\windxcmd.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.6065495020412435
Encrypted:	false
Ssdeep:	768:yvDn5gHCJiQtTZeIAIxZH9oLIbtAW0xEtF5Pa9gveOwhI33Eab:YCHMlhZDAI6kN0xMFY9gmOw+UY
Size:	40448
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Sigma detected: Schedule system process	Persistence and Installation Behavior
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected AsyncRAT	Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings	Scheduled Task/Job Obfuscated Files or Information
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)	Anti Debugging	Security Software Discovery
Drops PE files with benign system names	Persistence and Installation Behavior	Masquerading
Machine Learning detection for dropped file	AV Detection
Protects its processes via BreakOnTermination flag	Operating System Destruction
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Sigma detected: Files With System Process Name In Unsuspected Locations	System Summary
Sigma detected: System File Execution Location Anomaly	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Yara detected Generic Downloader	Networking
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery Windows Management Instrumentation
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion	System Information Discovery Security Software Discovery Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Suspicious Add Scheduled Task Parent	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Sigma detected: Uncommon Svchost Parent Process	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Drops files with a known system name (to hide its detection)
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Roaming\wind.exe

PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\wind.exe
Category:	dropped
Dump:	wind.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\windxcmd.exe
Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	7.809105520751368
Encrypted:	false
Ssdeep:	49152:zOzR/epSFnOne5uBwoqzCr4MnYrX6AXoZNM1Ho7Fif35uA+2c/8UdhbIJYkg4Huc:zOz0YMzwQ4nqqoYWy97c/TM5g4+K
Size:	3491840
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for dropped file	AV Detection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\windxcmd.exe

"C:\Users\user\Desktop\windxcmd.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7404
Target ID:	0
Parent PID:	2580
Name:	windxcmd.exe
Path:	C:\Users\user\Desktop\windxcmd.exe
Commandline:	"C:\Users\user\Desktop\windxcmd.exe"
Size:	3542528
MD5:	65F2DF92724E59CABE9CC5F12768AD93
Time:	02:55:17
Date:	25/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xf00000
Modulesize:	3571712
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AsyncRAT	Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings	Scheduled Task/Job Obfuscated Files or Information
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sigma detected: Files With System Process Name In Unsuspected Locations	System Summary
Sigma detected: System File Execution Location Anomaly	System Summary
Yara detected Generic Downloader	Networking
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Uncommon Svchost Parent Process	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Roaming\svchost.exe

"C:\Users\user\AppData\Roaming\svchost.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7456
Target ID:	1
Parent PID:	7404
Name:	svchost.exe
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Commandline:	"C:\Users\user\AppData\Roaming\svchost.exe"
Size:	40448
MD5:	FBC06EB9F872988CF94EC59C859FACD7
Time:	02:55:18
Date:	25/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x300000
Modulesize:	65536
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Schedule system process	Persistence and Installation Behavior
Yara detected AsyncRAT	Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings	Scheduled Task/Job Obfuscated Files or Information
Yara detected XWorm	Stealing of Sensitive Information, Remote Access Functionality
Drops PE files with benign system names	Persistence and Installation Behavior	Masquerading
Sample uses string decryption to hide its real strings	AV Detection
Sigma detected: Files With System Process Name In Unsuspected Locations	System Summary
Sigma detected: System File Execution Location Anomaly	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Add Scheduled Task Parent	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Sigma detected: Uncommon Svchost Parent Process	System Summary
Creates files inside the user directory	System Summary	Masquerading
Drops files with a known system name (to hide its detection)
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\wind.exe

"C:\Users\user\AppData\Roaming\wind.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7480
Target ID:	2
Parent PID:	7404
Name:	wind.exe
Path:	C:\Users\user\AppData\Roaming\wind.exe
Commandline:	"C:\Users\user\AppData\Roaming\wind.exe"
Size:	3491840
MD5:	A43BF335D87DF0128E7DA328C6A447B7
Time:	02:55:18
Date:	25/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1cd8cab0000
Modulesize:	3506176
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7704
Target ID:	4
Parent PID:	7456
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\System32\schtasks.exe
Commandline:	"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
Size:	235008
MD5:	76CD6626DD8834BD4A42E6A565104DC2
Time:	02:55:24
Date:	25/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76f990000
Modulesize:	253952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Schedule system process	Persistence and Installation Behavior
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Add Scheduled Task Parent	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7712
Target ID:	5
Parent PID:	7704
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	02:55:24
Date:	25/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

45.141.26.134

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://www.fontbureau.com

unknown

http://www.fontbureau.com/designersG

unknown

http://www.fontbureau.com/designers/?

unknown

http://www.founder.com.cn/cn/bThe

unknown

http://www.fontbureau.com/designers?

unknown

http://www.tiro.com

unknown

http://www.fontbureau.com/designers

unknown

http://www.goodfont.co.kr

unknown

http://www.carterandcone.coml

unknown

http://www.sajatypeworks.com

unknown

http://www.typography.netD

unknown

http://www.fontbureau.com/designers/cabarga.htmlN

unknown

http://www.founder.com.cn/cn/cThe

unknown

http://www.galapagosdesign.com/staff/dennis.htm

unknown

http://www.founder.com.cn/cn

unknown

http://www.fontbureau.com/designers/frere-user.html

unknown

https://discord.gg/arzenshop%click

unknown

http://www.jiyu-kobo.co.jp/

unknown

http://www.galapagosdesign.com/DPlease

unknown

http://www.fontbureau.com/designers8

unknown

http://www.fonts.com

unknown

http://www.sandoll.co.kr

unknown

http://www.urwpp.deDPlease

unknown

https://github.com/stark11231/spoof/raw/main/WindXTen.exeAC:

unknown

http://www.zhongyicts.com.cn

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://www.sakkal.com

unknown

http://ip-api.com/line/?fields=hosting

208.95.112.1

There are 20 hidden URLs, click here to show them.

Domains

Name

Malicious

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
Check if machine is in data center or colocation facility	Malware Analysis System Evasion	Security Software Discovery
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

45.141.26.134

unknown

Netherlands

Details

IP:	45.141.26.134
TargetID:	1
Current Path:	C:\Users\user\AppData\Roaming\svchost.exe
Country:	Netherlands
Countrycode:	NLD
ASN number:	62068
ASN name:	SPECTRAIPSpectraIPBVNL
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sample uses string decryption to hide its real strings	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

208.95.112.1

ip-api.com

United States

Details

IP:	208.95.112.1
TargetID:	1
Current Path:	C:\Users\user\AppData\Roaming\svchost.exe
Country:	United States
Countrycode:	USA
ASN number:	53334
ASN name:	TUT-ASUS
Private:	false
Domain:	ip-api.com

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection

Memdumps

Base Address

Regiontype

Protect

Malicious

302000

unkown

page readonly

3541000

trusted library allocation

page read and write

27A1000

trusted library allocation

page read and write

1D90C000

stack

page read and write

1C1AE000

stack

page read and write

1CDA79C3000

heap

page read and write

1CD8D330000

heap

page read and write

1CDA7FA0000

trusted library allocation

page read and write

848000

heap

page read and write

7FFD9B504000

trusted library allocation

page read and write

29C6E880000

heap

page read and write

913000

heap

page read and write

13541000

trusted library allocation

page read and write

7FFD9B5CC000

trusted library allocation

page execute and read and write

1C1B0000

heap

page read and write

1CD8CFB8000

heap

page read and write

198C3FE000

stack

page read and write

7FFD9B53B000

trusted library allocation

page execute and read and write

7FFD9B52D000

trusted library allocation

page execute and read and write

80B000

heap

page read and write

AC8C95E000

unkown

page read and write

AC8C8D9000

stack

page read and write

1CD8CFC3000

heap

page read and write

1CD8D0A0000

heap

page read and write

1C891000

heap

page read and write

13F0000

heap

page read and write

1C5AE000

stack

page read and write

198D3FC000

stack

page read and write

13A4000

stack

page read and write

1CD8D230000

trusted library allocation

page read and write

7FFD9B56C000

trusted library allocation

page execute and read and write

7FFD9B600000

trusted library allocation

page execute and read and write

1C0AD000

stack

page read and write

1CDA86F5000

trusted library allocation

page read and write

1CDA7509000

heap

page read and write

1CD8D07D000

heap

page read and write

1C902000

heap

page read and write

AC8C9DF000

stack

page read and write

1D0D5000

stack

page read and write

7FFD9B5A0000

trusted library allocation

page execute and read and write

7FFD9B5C6000

trusted library allocation

page execute and read and write

1CDA76C0000

heap

page read and write

1970000

trusted library allocation

page read and write

840000

heap

page read and write

1CDA7460000

heap

page execute and read and write

7FFD9B4E0000

trusted library allocation

page read and write

1C3AF000

stack

page read and write

1CDA74B1000

heap

page read and write

3B0000

heap

page read and write

1CD8CE90000

heap

page read and write

16F0000

heap

page read and write

1CD8D1A5000

heap

page read and write

1CDA74A0000

heap

page read and write

1CDA76E1000

heap

page read and write

6F1000

stack

page read and write

C02000

heap

page read and write

1CD8D0C0000

heap

page read and write

1CDA8701000

trusted library allocation

page read and write

1D80F000

stack

page read and write

1CD8CF86000

heap

page read and write

3C0000

heap

page read and write

8D5000

heap

page read and write

17EC000

heap

page read and write

1CD8D2D0000

heap

page read and write

1760000

heap

page read and write

7FFD9B502000

trusted library allocation

page read and write

1CD8ECA0000

heap

page read and write

127AE000

trusted library allocation

page read and write

82D000

heap

page read and write

1995000

heap

page read and write

1CDA9770000

trusted library allocation

page read and write

813000

heap

page read and write

AFC000

stack

page read and write

1CD8CFF2000

heap

page read and write

1CDA8744000

trusted library allocation

page read and write

1AC1D000

stack

page read and write

7FFD9B5A0000

trusted library allocation

page read and write

1CDA8706000

trusted library allocation

page read and write

7FFD9B4E3000

trusted library allocation

page execute and read and write

893000

heap

page read and write

7FFD9B5D6000

trusted library allocation

page execute and read and write

1CDA871F000

trusted library allocation

page read and write

1CD8D06F000

heap

page read and write

7FFD9B4F3000

trusted library allocation

page execute and read and write

7FFD9B500000

trusted library allocation

page read and write

1CDA8715000

trusted library allocation

page read and write

1990000

heap

page read and write

1CD8D240000

trusted library section

page read and write

1AFF0000

heap

page read and write

1C804000

heap

page read and write

B00000

heap

page read and write

1CD8D270000

trusted library allocation

page read and write

1C102000

heap

page execute and read and write

1CDA77EF000

heap

page read and write

1C88E000

heap

page read and write

846000

heap

page read and write

7FFD9B680000

trusted library allocation

page read and write

1CD8ECB1000

trusted library allocation

page read and write

1CD9ECB1000

trusted library allocation

page read and write

7FFD9B514000

trusted library allocation

page read and write

7FF4542D0000

trusted library allocation

page execute and read and write

1DC0C000

stack

page read and write

171B000

heap

page read and write

7FFD9B5AC000

trusted library allocation

page execute and read and write

1264000

unkown

page readonly

1CD8CFAE000

heap

page read and write

13543000

trusted library allocation

page read and write

7FFD9B59C000

trusted library allocation

page execute and read and write

1CDA77D0000

heap

page read and write

800000

heap

page read and write

1D70C000

stack

page read and write

7FFD9B4FD000

trusted library allocation

page execute and read and write

7D0000

trusted library allocation

page read and write

1C84D000

heap

page read and write

7FFD9B51D000

trusted library allocation

page execute and read and write

7FFD9B590000

trusted library allocation

page read and write

1BF00000

heap

page execute and read and write

7FFD9B596000

trusted library allocation

page read and write

1CD8CF80000

heap

page read and write

1CD8D075000

heap

page read and write

29C6E7C0000

heap

page read and write

17F0000

heap

page read and write

1CDA86FF000

trusted library allocation

page read and write

7FFD9B4F0000

trusted library allocation

page read and write

127A1000

trusted library allocation

page read and write

1A9E000

stack

page read and write

7FFD9B690000

trusted library allocation

page execute and read and write

7FFD9B6B0000

trusted library allocation

page read and write

16FC000

heap

page read and write

3A0000

heap

page read and write

7FFD9B500000

trusted library allocation

page read and write

1C8BF000

heap

page read and write

1C7AE000

stack

page read and write

1CD8D080000

heap

page read and write

351E000

stack

page read and write

127B1000

trusted library allocation

page read and write

902000

heap

page read and write

7FFD9B50D000

trusted library allocation

page execute and read and write

175E000

heap

page read and write

7FFD9B54C000

trusted library allocation

page execute and read and write

1C6AB000

stack

page read and write

C13000

heap

page read and write

7F0000

trusted library allocation

page read and write

1CD8ED68000

trusted library allocation

page read and write

269E000

stack

page read and write

1CD8D100000

trusted library allocation

page read and write

3530000

heap

page read and write

7FFD9B5C0000

trusted library allocation

page read and write

1CDA8717000

trusted library allocation

page read and write

7FFD9B50D000

trusted library allocation

page execute and read and write

1920000

heap

page read and write

1D2D6000

stack

page read and write

279D000

stack

page read and write

7FFD9B5F6000

trusted library allocation

page execute and read and write

1A7D0000

trusted library allocation

page read and write

198CFFD000

stack

page read and write

83E000

heap

page read and write

7FFD9B534000

trusted library allocation

page read and write

1C4AE000

stack

page read and write

851000

heap

page read and write

8B1000

heap

page read and write

7FFD9B50B000

trusted library allocation

page execute and read and write

7FFD9B6A0000

trusted library allocation

page execute and read and write

1D60F000

stack

page read and write

1C4FE000

stack

page read and write

7FFD9B4FD000

trusted library allocation

page execute and read and write

1C897000

heap

page read and write

1CDA76D0000

heap

page read and write

1C002000

heap

page read and write

F00000

unkown

page readonly

1725000

heap

page read and write

29C6E810000

heap

page read and write

825000

heap

page read and write

1CD8D1A0000

heap

page read and write

1BACC000

stack

page read and write

1DA0A000

stack

page read and write

1CD8D033000

heap

page read and write

29C6E889000

heap

page read and write

1C5FF000

stack

page read and write

7FFD9B513000

trusted library allocation

page execute and read and write

7FFD9B6B0000

trusted library allocation

page read and write

29C6E6E0000

heap

page read and write

1CD8CFC1000

heap

page read and write

7FFD9B53C000

trusted library allocation

page execute and read and write

1C8B7000

heap

page read and write

8F1000

heap

page read and write

84B000

heap

page read and write

B20000

heap

page read and write

7FFD9B5C6000

trusted library allocation

page read and write

1CD8D2C0000

trusted library section

page readonly

1CD8D180000

heap

page read and write

1732000

heap

page read and write

F02000

unkown

page readonly

7FFD9B53D000

trusted library allocation

page execute and read and write

198CBFE000

stack

page read and write

3410000

heap

page execute and read and write

7FFD9B4F2000

trusted library allocation

page read and write

1CD8D2A0000

trusted library allocation

page read and write

F00000

unkown

page readonly

1CD8D130000

trusted library allocation

page read and write

1CD8CF8C000

heap

page read and write

7FFD9B690000

trusted library allocation

page read and write

29C6E7E0000

heap

page read and write

300000

unkown

page readonly

29C6E815000

heap

page read and write

1B9E000

stack

page read and write

877000

heap

page read and write

1CD8CFED000

heap

page read and write

1C1C5000

heap

page read and write

1CD8CFEF000

heap

page read and write

380000

heap

page read and write

127A8000

trusted library allocation

page read and write

1CDA871D000

trusted library allocation

page read and write

1C8CB000

heap

page read and write

7FFD9B530000

trusted library allocation

page read and write

7FFD9B522000

trusted library allocation

page read and write

1CD9ECB7000

trusted library allocation

page read and write

1C7FE000

stack

page read and write

7FFD9B4E4000

trusted library allocation

page read and write

B33000

trusted library allocation

page read and write

33D0000

heap

page read and write

3340000

trusted library allocation

page read and write

7FFD9B5B0000

trusted library allocation

page execute and read and write

1CDA8722000

trusted library allocation

page read and write

1714000

heap

page read and write

1CDA9792000

trusted library allocation

page read and write

B40000

heap

page execute and read and write

1CDA76DC000

heap

page read and write

1C880000

heap

page read and write

1CDA75A0000

heap

page read and write

B10000

heap

page execute and read and write

1815000

heap

page read and write

1D1DA000

stack

page read and write

D02000

heap

page read and write

1C820000

heap

page read and write

1C800000

heap

page read and write

191F000

stack

page read and write

7FFD9B5D0000

trusted library allocation

page execute and read and write

29C6E88E000

heap

page read and write

7FFD9B6C0000

trusted library allocation

page execute and read and write

1C88A000

heap

page read and write

7FFD9B4F4000

trusted library allocation

page read and write

7FFD9B504000

trusted library allocation

page read and write

1CDA7490000

heap

page read and write

1CD8CAB2000

unkown

page readonly

1CD8D290000

heap

page execute and read and write

7FFD9B510000

trusted library allocation

page read and write

1CDA8729000

trusted library allocation

page read and write

1CD8D120000

trusted library allocation

page read and write

8A5000

heap

page read and write

1C3FE000

stack

page read and write

1734000

heap

page read and write

1CD8D335000

heap

page read and write

1B010000

heap

page read and write

1CDA8724000

trusted library allocation

page read and write

1CDA7493000

heap

page read and write

7FFD9B4ED000

trusted library allocation

page execute and read and write

1CD8CAB0000

unkown

page readonly

1C2FA000

stack

page read and write

1CDA76C8000

heap

page read and write

8FF000

heap

page read and write

B30000

trusted library allocation

page read and write

1CD9ECC1000

trusted library allocation

page read and write

16F6000

heap

page read and write

17B6000

heap

page read and write

1810000

heap

page read and write

1CDA76EB000

heap

page read and write

7FFD9B630000

trusted library allocation

page execute and read and write

1C844000

heap

page read and write

7FFD9B610000

trusted library allocation

page execute and read and write

16D0000

heap

page read and write

13548000

trusted library allocation

page read and write

198BFF4000

stack

page read and write

7FFD9B520000

trusted library allocation

page read and write

1CD8D133000

trusted library allocation

page read and write

1CDA8713000

trusted library allocation

page read and write

1CDA74E9000

heap

page read and write

1C8B5000

heap

page read and write

There are 268 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
windxcmd.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportwindxcmd.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
windxcmd.exe