Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

nQBmwBd90o.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.645570077432501
Filename:	nQBmwBd90o.exe
Filesize:	46592
MD5:	2bbb433718d061e161f1d0e224451746
SHA1:	94d37443c9d9b71997f4918106533b76c01d8032
SHA256:	cb15dc95e0a14080e8c3df816b6d54a101c3b4a307a8db0d71131869602480d9
SHA512:	d61d90ecffb3ec0debc1aa679bc1ddcafeafff2cf466ee9e29b630098d2b9f6e94c994617740dc31d3962ef05371831473311cd9a2112d1ab824cd6240f71bcb
SSDEEP:	768:qdhO/poiiUcjlJInjTH9Xqk5nWEZ5SbTDaLIuI7CPW5N:Mw+jjgnPH9XqcnW85SbTwIuIl
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............>.... ........@.. ....................... ............`................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for dropped file	AV Detection	Masquerading Security Software Discovery
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
Machine Learning detection for dropped file	AV Detection
Machine Learning detection for sample	AV Detection
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nQBmwBd90o.exe.log

CSV text

modified

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nQBmwBd90o.exe.log
Category:	modified
Dump:	nQBmwBd90o.exe.log.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\nQBmwBd90o.exe
Type:	CSV text
Entropy:	5.360398796477698
Encrypted:	false
Ssdeep:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
Size:	226
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Temp\tmp86AB.tmp

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\tmp86AB.tmp
Category:	dropped
Dump:	tmp86AB.tmp.1.dr
ID:	dr_3
Target ID:	1
Process:	C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.9440022926047367
Encrypted:	false
Ssdeep:	12:StLJ+DWg0Sa+Nn/WNeMS7Xp1yd3YL6WVYXqOVl7KfTShhJKShjNI0QBDO1dArHAP:StLJ+S8AMEoL6fUMhEMj+0QdrOtn
Size:	1069
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Scheduled temp file as task from temp location	Persistence and Installation Behavior
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Add Scheduled Task Parent	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe
Category:	dropped
Dump:	nQBmwBd90o.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\nQBmwBd90o.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.645570077432501
Encrypted:	false
Ssdeep:	768:qdhO/poiiUcjlJInjTH9Xqk5nWEZ5SbTDaLIuI7CPW5N:Mw+jjgnPH9XqcnW85SbTwIuIl
Size:	46592
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Scheduled temp file as task from temp location	Persistence and Installation Behavior
Yara detected XenoRAT	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for dropped file	AV Detection
Machine Learning detection for sample	AV Detection
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Add Scheduled Task Parent	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe:Zone.Identifier
Category:	dropped
Dump:	nQBmwBd90o.exe_Zone.Identifier.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\nQBmwBd90o.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for dropped file	AV Detection
Machine Learning detection for sample	AV Detection
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\nQBmwBd90o.exe

"C:\Users\user\Desktop\nQBmwBd90o.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6836
Target ID:	0
Parent PID:	2580
Name:	nQBmwBd90o.exe
Path:	C:\Users\user\Desktop\nQBmwBd90o.exe
Commandline:	"C:\Users\user\Desktop\nQBmwBd90o.exe"
Size:	46592
MD5:	2BBB433718D061E161F1D0E224451746
Time:	12:31:56
Date:	27/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xe10000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Scheduled temp file as task from temp location	Persistence and Installation Behavior
Yara detected XenoRAT	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Add Scheduled Task Parent	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe

"C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7004
Target ID:	1
Parent PID:	6836
Name:	nQBmwBd90o.exe
Path:	C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe
Commandline:	"C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe"
Size:	46592
MD5:	2BBB433718D061E161F1D0E224451746
Time:	12:31:56
Date:	27/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xbe0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Scheduled temp file as task from temp location	Persistence and Installation Behavior
Yara detected XenoRAT	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Add Scheduled Task Parent	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "update_blender" /XML "C:\Users\user\AppData\Local\Temp\tmp86AB.tmp" /F

Details

Is windows:	true
Is dropped:	false
PID:	3300
Target ID:	2
Parent PID:	7004
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\schtasks.exe
Commandline:	"schtasks.exe" /Create /TN "update_blender" /XML "C:\Users\user\AppData\Local\Temp\tmp86AB.tmp" /F
Size:	187904
MD5:	48C2FE20575769DE916F48EF0676A965
Time:	12:32:01
Date:	27/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x960000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Scheduled temp file as task from temp location	Persistence and Installation Behavior
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Add Scheduled Task Parent	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe

Details

Is windows:	false
Is dropped:	true
PID:	3696
Target ID:	4
Parent PID:	1044
Name:	nQBmwBd90o.exe
Path:	C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe
Commandline:	C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe
Size:	46592
MD5:	2BBB433718D061E161F1D0E224451746
Time:	12:32:03
Date:	27/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x90000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Scheduled temp file as task from temp location	Persistence and Installation Behavior
Yara detected XenoRAT	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Add Scheduled Task Parent	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5180
Target ID:	3
Parent PID:	3300
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	12:32:01
Date:	27/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

82.64.210.112

Details

Name:	82.64.210.112
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\nQBmwBd90o.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

IPs

Domain

Country

Malicious

82.64.210.112

unknown

France

Details

IP:	82.64.210.112
TargetID:	1
Current Path:	C:\Users\user\AppData\Roaming\XenoManager\nQBmwBd90o.exe
Country:	France
Countrycode:	FRA
ASN number:	12322
ASN name:	PROXADFR
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Memdumps

Base Address

Regiontype

Protect

Malicious

E12000

unkown

page readonly

13F5000

heap

page read and write

15F4000

trusted library allocation

page read and write

15E4000

trusted library allocation

page read and write

9EE000

stack

page read and write

EBC000

stack

page read and write

12D0000

heap

page read and write

13DC000

heap

page read and write

2CAD000

trusted library allocation

page execute and read and write

2CE0000

trusted library allocation

page read and write

566E000

stack

page read and write

13E4000

heap

page read and write

582D000

stack

page read and write

5DDF000

stack

page read and write

2ECC000

trusted library allocation

page read and write

7A0000

heap

page read and write

1031000

heap

page read and write

15E0000

trusted library allocation

page read and write

12BE000

stack

page read and write

45BE000

stack

page read and write

1086000

heap

page read and write

11A5000

heap

page read and write

13F1000

heap

page read and write

13B8000

heap

page read and write

7CA000

heap

page read and write

E1E000

unkown

page readonly

2FB0000

heap

page execute and read and write

127E000

stack

page read and write

7D7000

heap

page read and write

2ED0000

trusted library allocation

page read and write

1018000

heap

page read and write

E10000

unkown

page readonly

1EE000

stack

page read and write

687000

trusted library allocation

page execute and read and write

114E000

stack

page read and write

55ED000

stack

page read and write

FFA000

heap

page read and write

15AE000

stack

page read and write

2CB7000

trusted library allocation

page execute and read and write

1A0000

heap

page read and write

167F000

stack

page read and write

2CB2000

trusted library allocation

page read and write

4F9000

stack

page read and write

2CCB000

trusted library allocation

page execute and read and write

7A7000

heap

page read and write

2C4B000

heap

page read and write

8AA000

stack

page read and write

1650000

trusted library allocation

page read and write

5380000

trusted library allocation

page read and write

5390000

trusted library allocation

page read and write

7C4000

heap

page read and write

1230000

heap

page read and write

770000

heap

page read and write

5B9E000

stack

page read and write

4BAE000

stack

page read and write

664000

trusted library allocation

page read and write

30EF000

stack

page read and write

2E40000

heap

page execute and read and write

1660000

heap

page read and write

528D000

stack

page read and write

2BB0000

heap

page read and write

40F1000

trusted library allocation

page read and write

12BF000

stack

page read and write

605C000

stack

page read and write

2CA0000

trusted library allocation

page read and write

2ECE000

trusted library allocation

page read and write

F89000

stack

page read and write

4F3D000

stack

page read and write

2C60000

heap

page read and write

660000

trusted library allocation

page read and write

760000

trusted library allocation

page read and write

5A1E000

stack

page read and write

13C000

stack

page read and write

2F5E000

stack

page read and write

12D5000

heap

page read and write

2C90000

trusted library allocation

page read and write

1640000

trusted library allocation

page execute and read and write

2D2E000

stack

page read and write

BFE000

stack

page read and write

58ED000

stack

page read and write

137E000

stack

page read and write

161B000

trusted library allocation

page execute and read and write

5630000

heap

page execute and read and write

5F1E000

stack

page read and write

596F000

stack

page read and write

1F0000

heap

page read and write

1100000

heap

page read and write

2E30000

trusted library allocation

page execute and read and write

176E000

stack

page read and write

5C9E000

stack

page read and write

68B000

trusted library allocation

page execute and read and write

13BE000

heap

page read and write

FF0000

heap

page read and write

11A0000

heap

page read and write

30F1000

trusted library allocation

page read and write

24BE000

stack

page read and write

1617000

trusted library allocation

page execute and read and write

6FE000

stack

page read and write

2CC0000

trusted library allocation

page read and write

2F9D000

stack

page read and write

2AEE000

stack

page read and write

5F5C000

stack

page read and write

145B000

heap

page read and write

5910000

heap

page read and write

2C9D000

trusted library allocation

page execute and read and write

2CC2000

trusted library allocation

page read and write

6A5000

heap

page read and write

2B00000

heap

page read and write

1160000

heap

page read and write

2E6E000

trusted library allocation

page read and write

2C94000

trusted library allocation

page read and write

16BE000

stack

page read and write

2C93000

trusted library allocation

page execute and read and write

2E2F000

stack

page read and write

2C80000

trusted library allocation

page read and write

133D000

stack

page read and write

3E61000

trusted library allocation

page read and write

13B0000

heap

page read and write

2B4F000

stack

page read and write

5A5E000

stack

page read and write

FFE000

heap

page read and write

53A0000

heap

page execute and read and write

2E75000

trusted library allocation

page read and write

586E000

stack

page read and write

86D000

stack

page read and write

1630000

trusted library allocation

page read and write

54AF000

stack

page read and write

4AA0000

heap

page execute and read and write

1428000

heap

page read and write

609E000

stack

page read and write

B1F000

stack

page read and write

5E1E000

stack

page read and write

2CB0000

trusted library allocation

page read and write

2E61000

trusted library allocation

page read and write

654000

trusted library allocation

page read and write

5B5F000

stack

page read and write

700000

heap

page execute and read and write

34C1000

trusted library allocation

page read and write

2AAE000

unkown

page read and write

E8C000

stack

page read and write

619F000

stack

page read and write

74C000

stack

page read and write

12FE000

stack

page read and write

1220000

heap

page read and write

15E3000

trusted library allocation

page execute and read and write

15F0000

trusted library allocation

page read and write

6A0000

heap

page read and write

1900000

heap

page read and write

2C40000

heap

page read and write

653000

trusted library allocation

page execute and read and write

2FC0000

heap

page read and write

24C1000

trusted library allocation

page read and write

1180000

heap

page read and write

5CDE000

stack

page read and write

C10000

heap

page read and write

2E50000

heap

page read and write

99F000

stack

page read and write

910000

heap

page read and write

A10000

heap

page read and write

10F0000

heap

page read and write

1064000

heap

page read and write

2CC7000

trusted library allocation

page execute and read and write

65D000

trusted library allocation

page execute and read and write

2AF0000

heap

page read and write

2CBA000

trusted library allocation

page execute and read and write

790000

heap

page read and write

95E000

unkown

page read and write

576F000

stack

page read and write

750000

trusted library allocation

page execute and read and write

2FA0000

trusted library allocation

page read and write

2ECA000

trusted library allocation

page read and write

15D0000

trusted library allocation

page read and write

61E000

stack

page read and write

49FE000

stack

page read and write

2ED2000

trusted library allocation

page read and write

503E000

stack

page read and write

1610000

trusted library allocation

page read and write

2EC4000

trusted library allocation

page read and write

9A0000

trusted library allocation

page read and write

FB9000

stack

page read and write

2FE0000

heap

page read and write

640000

trusted library allocation

page read and write

7BE000

heap

page read and write

5780000

trusted library allocation

page read and write

There are 174 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
nQBmwBd90o.exe

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportnQBmwBd90o.exe

Files

Processes

URLs

IPs

Memdumps

IOC Report
nQBmwBd90o.exe