Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

RFQ-HL51L05.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.96200754410385
Filename:	RFQ-HL51L05.exe
Filesize:	1116160
MD5:	254d0303fffb227dde317b5e2bb664ae
SHA1:	f538ce2f5b72eaf0ecfb4a0b4a8af43436c0fb46
SHA256:	78fad406a45c2723861ac043560f4fcbe8ff4df4c5e49e702833944af1220e53
SHA512:	a9ef2d93e73edeac629d4c927c4e439e9e5b5a67e718edc8e638f7a99bb25745335bf633091dfda02ff6df4b21100106d0f48f4e1882e24ed19294c984213203
SSDEEP:	24576:NAHnh+eWsN3skA4RV1Hom2KXMmHa+Lm1ESsb5:sh+ZkldoPK8Ya+6af
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Binary is likely a compiled AutoIt script file	System Summary
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts
Contains functionality to launch a process as a different user	System Summary
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation Access Token Manipulation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Access Token Manipulation Clipboard Data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Access Token Manipulation Encrypted Channel
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API Access Token Manipulation
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Access Token Manipulation System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
Contains functionality for error logging	System Summary	Access Token Manipulation
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery System Information Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	Access Token Manipulation
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Program exit points	Malware Analysis System Evasion
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\autED7A.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\autED7A.tmp
Category:	dropped
Dump:	autED7A.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\RFQ-HL51L05.exe
Type:	data
Entropy:	7.943685591814366
Encrypted:	false
Ssdeep:	3072:uPs76F+ygKB60ExuppKFWhGOohDzq77vzGiejsr3nya8ulj5RpCFg:l5ygKBRRtkOohDz67vzGXs7ya8urB
Size:	155572
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\autEDC9.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\autEDC9.tmp
Category:	dropped
Dump:	autEDC9.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\RFQ-HL51L05.exe
Type:	data
Entropy:	7.592896424843614
Encrypted:	false
Ssdeep:	192:m+cK6f01Ehm0qek9Gh0qWbK307sZY3x22MN5+mP+8Hd63y:976Mkm7ek9y0pbK307sAk205z2i8y
Size:	9904
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\cunili

ASCII text, with very long lines (29744), with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\cunili
Category:	dropped
Dump:	cunili.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\RFQ-HL51L05.exe
Type:	ASCII text, with very long lines (29744), with no line terminators
Entropy:	3.546870904705114
Encrypted:	false
Ssdeep:	768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbQE+I+h6584vfF3if6gC:wiTZ+2QoioGRk6ZklputwjpjBkCiw2R/
Size:	29744
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\meshummad

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\meshummad
Category:	dropped
Dump:	meshummad.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\RFQ-HL51L05.exe
Type:	data
Entropy:	6.6446670359003885
Encrypted:	false
Ssdeep:	6144:pQCpbZXx3HuQLYM9VN5NlbAhaHSZw++X0KjvfcsukHk:pQCfXUY7PlG9ZwrX0Kj8x
Size:	240128
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\RFQ-HL51L05.exe

"C:\Users\user\Desktop\RFQ-HL51L05.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5012
Target ID:	0
Parent PID:	4004
Name:	RFQ-HL51L05.exe
Path:	C:\Users\user\Desktop\RFQ-HL51L05.exe
Commandline:	"C:\Users\user\Desktop\RFQ-HL51L05.exe"
Size:	1116160
MD5:	254D0303FFFB227DDE317B5E2BB664AE
Time:	10:38:47
Date:	25/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xee0000
Modulesize:	1142784
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Binary is likely a compiled AutoIt script file	System Summary
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\RFQ-HL51L05.exe"

Details

Is windows:	true
Is dropped:	false
PID:	4924
Target ID:	2
Parent PID:	5012
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\RFQ-HL51L05.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	10:38:48
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x3f0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://r3.o.lencr.org0

unknown

Details

Name:	http://r3.o.lencr.org0
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.3301412264.00000000026FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303315424.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303315424.0000000005A40000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3300886228.0000000000A30000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\RFQ-HL51L05.exe
Source:	RFQ-HL51L05.exe, 00000000.00000002.2068321175.0000000001260000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3300590413.00000000007C2000.00000040.80000000.00040000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://mail.cmcapama.top

unknown

http://x1.c.lencr.org/0

unknown

Details

Name:	http://x1.c.lencr.org/0
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.3301412264.00000000026FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303315424.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303315424.0000000005A40000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3300886228.0000000000A30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3300706007.00000000009D4000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://x1.i.lencr.org/0

unknown

Details

Name:	http://x1.i.lencr.org/0
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.3301412264.00000000026FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303315424.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303315424.0000000005A40000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3300886228.0000000000A30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3300706007.00000000009D4000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://cmcapama.top

unknown

http://r3.i.lencr.org/0

unknown

Details

Name:	http://r3.i.lencr.org/0
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.3301412264.00000000026FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303315424.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303315424.0000000005A40000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3300886228.0000000000A30000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

mail.cmcapama.top

unknown

Details

Name:	mail.cmcapama.top
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

cmcapama.top

194.36.191.196

Details

Name:	cmcapama.top
IP:	194.36.191.196
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

194.36.191.196

cmcapama.top

Netherlands

Details

IP:	194.36.191.196
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	Netherlands
Countrycode:	NLD
ASN number:	60117
ASN name:	HSAE
Private:	false
Domain:	cmcapama.top

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

Memdumps

Base Address

Regiontype

Protect

Malicious

26FE000

trusted library allocation

page read and write

2729000

trusted library allocation

page read and write

7C2000

system

page execute and read and write

1260000

direct allocation

page read and write

26B1000

trusted library allocation

page read and write

C22000

trusted library allocation

page read and write

3D3D000

direct allocation

page read and write

968000

heap

page read and write

140B000

heap

page read and write

DFF000

stack

page read and write

F9F000

unkown

page read and write

3AB0000

direct allocation

page read and write

12DF000

heap

page read and write

E3C000

stack

page read and write

4BFB000

trusted library allocation

page read and write

997000

heap

page read and write

12DB000

heap

page read and write

A3A000

stack

page read and write

1334000

heap

page read and write

3C10000

direct allocation

page read and write

AB3000

trusted library allocation

page execute and read and write

A02000

heap

page read and write

F6F000

unkown

page readonly

3C10000

direct allocation

page read and write

6390000

heap

page read and write

4BE3000

heap

page read and write

3714000

trusted library allocation

page read and write

FAA000

unkown

page readonly

4C11000

trusted library allocation

page read and write

1354000

heap

page read and write

5C30000

trusted library allocation

page read and write

12D2000

heap

page read and write

5190000

trusted library allocation

page read and write

12A8000

heap

page read and write

3DEE000

direct allocation

page read and write

1477000

heap

page read and write

11D4000

heap

page read and write

4BC0000

trusted library allocation

page read and write

E1B000

stack

page read and write

1E9F000

stack

page read and write

4C22000

trusted library allocation

page read and write

C1D000

trusted library allocation

page execute and read and write

588E000

stack

page read and write

63A0000

trusted library allocation

page execute and read and write

EE0000

unkown

page readonly

1445000

heap

page read and write

ABD000

trusted library allocation

page execute and read and write

FA8000

unkown

page readonly

F6F000

unkown

page readonly

3D79000

direct allocation

page read and write

C35000

trusted library allocation

page execute and read and write

995000

heap

page read and write

3D3D000

direct allocation

page read and write

1335000

heap

page read and write

FB8000

unkown

page readonly

3A70000

direct allocation

page read and write

3B93000

direct allocation

page read and write

578E000

stack

page read and write

6580000

heap

page read and write

2731000

trusted library allocation

page read and write

1454000

heap

page read and write

3D39000

direct allocation

page read and write

4BD0000

trusted library allocation

page read and write

3BD3000

direct allocation

page read and write

F95000

unkown

page readonly

3BD3000

direct allocation

page read and write

4C40000

trusted library allocation

page read and write

FA8000

unkown

page readonly

3D39000

direct allocation

page read and write

12D4000

heap

page read and write

139B000

heap

page read and write

5B40000

trusted library allocation

page execute and read and write

1415000

heap

page read and write

3D3D000

direct allocation

page read and write

1170000

heap

page read and write

36D9000

trusted library allocation

page read and write

269F000

stack

page read and write

36B1000

trusted library allocation

page read and write

3DAE000

direct allocation

page read and write

5A02000

heap

page read and write

4C02000

trusted library allocation

page read and write

46B8000

trusted library allocation

page read and write

5BDE000

stack

page read and write

ECE000

stack

page read and write

12DF000

heap

page read and write

26FC000

trusted library allocation

page read and write

131F000

heap

page read and write

A60000

heap

page read and write

516E000

stack

page read and write

5A5E000

heap

page read and write

820000

heap

page read and write

EE1000

unkown

page execute read

6360000

trusted library allocation

page read and write

AB0000

trusted library allocation

page read and write

C26000

trusted library allocation

page execute and read and write

59F0000

heap

page read and write

840000

heap

page read and write

F9F000

unkown

page write copy

4C0A000

trusted library allocation

page read and write

5C20000

trusted library allocation

page read and write

3D79000

direct allocation

page read and write

7F870000

trusted library allocation

page execute and read and write

789000

stack

page read and write

3DEE000

direct allocation

page read and write

4B90000

heap

page read and write

4BF0000

trusted library allocation

page read and write

4D20000

heap

page execute and read and write

2725000

trusted library allocation

page read and write

131F000

heap

page read and write

2717000

trusted library allocation

page read and write

FB8000

unkown

page readonly

3DAE000

direct allocation

page read and write

C20000

trusted library allocation

page read and write

AC0000

heap

page read and write

825000

heap

page read and write

7C0000

system

page execute and read and write

3B93000

direct allocation

page read and write

4C0E000

trusted library allocation

page read and write

C10000

trusted library allocation

page read and write

502F000

stack

page read and write

12C3000

heap

page read and write

130F000

heap

page read and write

130F000

heap

page read and write

C37000

trusted library allocation

page execute and read and write

68A000

stack

page read and write

26A0000

heap

page execute and read and write

4BB0000

trusted library allocation

page execute and read and write

3DEE000

direct allocation

page read and write

4C30000

trusted library allocation

page read and write

12E0000

heap

page read and write

5C1D000

stack

page read and write

3D39000

direct allocation

page read and write

5AF0000

trusted library allocation

page execute and read and write

59D0000

heap

page read and write

960000

heap

page read and write

519C000

trusted library allocation

page read and write

3B93000

direct allocation

page read and write

484D000

stack

page read and write

1444000

heap

page read and write

506E000

stack

page read and write

CE0000

heap

page read and write

1477000

heap

page read and write

1454000

heap

page read and write

611E000

stack

page read and write

12DF000

heap

page read and write

1334000

heap

page read and write

EE1000

unkown

page execute read

4C9C000

stack

page read and write

4BFE000

trusted library allocation

page read and write

1190000

heap

page read and write

3C50000

direct allocation

page read and write

4BE0000

heap

page read and write

3D7D000

direct allocation

page read and write

C50000

trusted library allocation

page read and write

AB4000

trusted library allocation

page read and write

59F8000

heap

page read and write

1463000

heap

page read and write

5A40000

heap

page read and write

131F000

heap

page read and write

FAA000

unkown

page readonly

A30000

heap

page read and write

CDC000

stack

page read and write

FA3000

unkown

page write copy

3C50000

direct allocation

page read and write

3AB0000

direct allocation

page read and write

13CA000

heap

page read and write

CF0000

heap

page read and write

5B3D000

stack

page read and write

11B0000

direct allocation

page execute and read and write

4C16000

trusted library allocation

page read and write

621E000

stack

page read and write

12A0000

heap

page read and write

3DAE000

direct allocation

page read and write

3C10000

direct allocation

page read and write

12FF000

heap

page read and write

4D10000

trusted library allocation

page read and write

C32000

trusted library allocation

page read and write

3BD3000

direct allocation

page read and write

12FF000

heap

page read and write

4C1D000

trusted library allocation

page read and write

3C50000

direct allocation

page read and write

E0F000

stack

page read and write

3D79000

direct allocation

page read and write

3A70000

direct allocation

page read and write

5AE0000

trusted library allocation

page read and write

1334000

heap

page read and write

1477000

heap

page read and write

3A70000

direct allocation

page read and write

3C10000

direct allocation

page read and write

5AE6000

trusted library allocation

page read and write

11D0000

heap

page read and write

3D7D000

direct allocation

page read and write

3D7D000

direct allocation

page read and write

4BF4000

trusted library allocation

page read and write

3A70000

direct allocation

page read and write

4F2C000

stack

page read and write

59DE000

heap

page read and write

3AB0000

direct allocation

page read and write

4D30000

heap

page read and write

C9E000

stack

page read and write

C2A000

trusted library allocation

page execute and read and write

3DAE000

direct allocation

page read and write

98A000

heap

page read and write

1110000

heap

page read and write

EE0000

unkown

page readonly

110E000

stack

page read and write

E80000

heap

page read and write

4CFE000

stack

page read and write

1334000

heap

page read and write

C3B000

trusted library allocation

page execute and read and write

12EE000

heap

page read and write

F95000

unkown

page readonly

4BF6000

trusted library allocation

page read and write

5DDD000

stack

page read and write

3D39000

direct allocation

page read and write

ED0000

heap

page read and write

1435000

heap

page read and write

1A9E000

stack

page read and write

12D2000

heap

page read and write

5AD0000

trusted library allocation

page read and write

1435000

heap

page read and write

3B93000

direct allocation

page read and write

1334000

heap

page read and write

3D3D000

direct allocation

page read and write

5C27000

trusted library allocation

page read and write

9D4000

heap

page read and write

AA0000

trusted library allocation

page read and write

There are 217 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
RFQ-HL51L05.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportRFQ-HL51L05.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
RFQ-HL51L05.exe