Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

N7qmK9sbZa.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.650105320584323
Filename:	N7qmK9sbZa.exe
Filesize:	46592
MD5:	8d16c9b3848f78fc49cb51dfe233bf5a
SHA1:	9256f7b300ceea8a10385a43e94dea1636aebda6
SHA256:	a613c952168c9a5fb4bd937d036857f1759a0dde6019f147d41df1ccf3aeedf7
SHA512:	65969c38e4a1dde8e42d64e200f93f529810e63d99cbefc77fe652fef5cc8f69115bf02b22f53b6249b0aff171e0ca6fcb89b4e40301d34ec4cecda4d40395c7
SSDEEP:	768:adhM/poiiUcjlJInf4NRgHNYfYtSKTnW+Z5CmbJODog63I7CPW5a:82+jjgnQNQNYADTnWK5rboL63IC
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....-..........."...0.................. ........@.. ....................... ............`................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for dropped file	AV Detection	Masquerading
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
Machine Learning detection for dropped file	AV Detection
Machine Learning detection for sample	AV Detection
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp Security Software Discovery
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Windows Management Instrumentation
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Security Software Discovery
Detected potential crypto function	System Summary	Security Software Discovery Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Security Software Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Security Software Discovery System Information Discovery
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
Checks the free space of harddrives	Malware Analysis System Evasion
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary	Security Software Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking	Security Software Discovery
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\N7qmK9sbZa.exe.log

CSV text

modified

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\N7qmK9sbZa.exe.log
Category:	modified
Dump:	N7qmK9sbZa.exe.log.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\N7qmK9sbZa.exe
Type:	CSV text
Entropy:	5.360398796477698
Encrypted:	false
Ssdeep:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
Size:	226
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe
Category:	dropped
Dump:	N7qmK9sbZa.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\N7qmK9sbZa.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.650105320584323
Encrypted:	false
Ssdeep:	768:adhM/poiiUcjlJInf4NRgHNYfYtSKTnW+Z5CmbJODog63I7CPW5a:82+jjgnQNQNYADTnWK5rboL63IC
Size:	46592
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Scheduled temp file as task from temp location	Persistence and Installation Behavior
Yara detected XenoRAT	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for dropped file	AV Detection
Machine Learning detection for sample	AV Detection
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery Windows Management Instrumentation
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Add Scheduled Task Parent	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe:Zone.Identifier
Category:	dropped
Dump:	N7qmK9sbZa.exe_Zone.Identifier.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\N7qmK9sbZa.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for dropped file	AV Detection
Machine Learning detection for sample	AV Detection
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery Windows Management Instrumentation
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Checks the free space of harddrives	Malware Analysis System Evasion	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Temp\tmpDF0A.tmp

ASCII text

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\tmpDF0A.tmp
Category:	dropped
Dump:	tmpDF0A.tmp.1.dr
ID:	dr_3
Target ID:	1
Process:	C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe
Type:	ASCII text
Entropy:	3.897861630393202
Encrypted:	false
Ssdeep:	12:FLJ+DW2SFFkFmMMLGId1L6AEJl7XpShhJKShe/Q0QK1++udpuBdxv3n:FLJ+S3Mmd1L6ztMhEMOQ0Q+udULxvn
Size:	1052
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Scheduled temp file as task from temp location	Persistence and Installation Behavior
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Add Scheduled Task Parent	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Spawns processes	System Summary	Process Injection

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\N7qmK9sbZa.exe

"C:\Users\user\Desktop\N7qmK9sbZa.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5756
Target ID:	0
Parent PID:	1028
Name:	N7qmK9sbZa.exe
Path:	C:\Users\user\Desktop\N7qmK9sbZa.exe
Commandline:	"C:\Users\user\Desktop\N7qmK9sbZa.exe"
Size:	46592
MD5:	8D16C9B3848F78FC49CB51DFE233BF5A
Time:	12:41:52
Date:	20/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xf10000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Scheduled temp file as task from temp location	Persistence and Installation Behavior
Yara detected XenoRAT	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Add Scheduled Task Parent	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe

"C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe"

Details

Is windows:	false
Is dropped:	true
PID:	4324
Target ID:	1
Parent PID:	5756
Name:	N7qmK9sbZa.exe
Path:	C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe"
Size:	46592
MD5:	8D16C9B3848F78FC49CB51DFE233BF5A
Time:	12:41:52
Date:	20/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x50000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Scheduled temp file as task from temp location	Persistence and Installation Behavior
Yara detected XenoRAT	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Add Scheduled Task Parent	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "SystemUpdateManager" /XML "C:\Users\user\AppData\Local\Temp\tmpDF0A.tmp" /F

Details

Is windows:	true
Is dropped:	false
PID:	5508
Target ID:	3
Parent PID:	4324
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\schtasks.exe
Commandline:	"schtasks.exe" /Create /TN "SystemUpdateManager" /XML "C:\Users\user\AppData\Local\Temp\tmpDF0A.tmp" /F
Size:	187904
MD5:	48C2FE20575769DE916F48EF0676A965
Time:	12:41:57
Date:	20/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x110000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Scheduled temp file as task from temp location	Persistence and Installation Behavior
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Add Scheduled Task Parent	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe

Details

Is windows:	false
Is dropped:	true
PID:	7132
Target ID:	5
Parent PID:	1068
Name:	N7qmK9sbZa.exe
Path:	C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe
Commandline:	C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe
Size:	46592
MD5:	8D16C9B3848F78FC49CB51DFE233BF5A
Time:	12:41:59
Date:	20/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x340000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Scheduled temp file as task from temp location	Persistence and Installation Behavior
Yara detected XenoRAT	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Add Scheduled Task Parent	System Summary
Sigma detected: Suspicious Schtasks From Env Var Folder	System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3128
Target ID:	4
Parent PID:	5508
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	12:41:57
Date:	20/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

34.229.235.165

Details

Name:	34.229.235.165
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\N7qmK9sbZa.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

IPs

Domain

Country

Malicious

34.229.235.165

unknown

United States

Details

IP:	34.229.235.165
TargetID:	1
Current Path:	C:\Users\user\AppData\Local\Temp\SystemManager\N7qmK9sbZa.exe
Country:	United States
Countrycode:	USA
ASN number:	14618
ASN name:	AMAZON-AESUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sigma detected: Potentially Suspicious Malware Callback Communication	System Summary
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

F12000

unkown

page readonly

25BF000

stack

page read and write

53D0000

trusted library allocation

page read and write

3611000

trusted library allocation

page read and write

3371000

trusted library allocation

page read and write

234E000

stack

page read and write

5EE000

stack

page read and write

96B000

trusted library allocation

page execute and read and write

85C000

stack

page read and write

5FFE000

stack

page read and write

5D7E000

stack

page read and write

488E000

stack

page read and write

870000

heap

page read and write

32D1000

trusted library allocation

page read and write

18D0000

trusted library allocation

page execute and read and write

1827000

trusted library allocation

page execute and read and write

9F0000

heap

page read and write

237E000

trusted library allocation

page read and write

C90000

heap

page read and write

2440000

trusted library allocation

page read and write

956000

trusted library allocation

page execute and read and write

661000

heap

page read and write

257E000

trusted library allocation

page read and write

2385000

trusted library allocation

page read and write

490000

heap

page read and write

1315000

heap

page read and write

1900000

heap

page read and write

8D3000

heap

page read and write

617E000

stack

page read and write

940000

trusted library allocation

page read and write

18CE000

stack

page read and write

5EFE000

stack

page read and write

603B000

stack

page read and write

91E000

stack

page read and write

760000

heap

page read and write

FF080000

trusted library allocation

page execute and read and write

4AEE000

stack

page read and write

5C3E000

stack

page read and write

1840000

trusted library allocation

page read and write

25FC000

stack

page read and write

C1F000

stack

page read and write

510C000

stack

page read and write

1505000

heap

page read and write

244A000

trusted library allocation

page read and write

2240000

heap

page read and write

4E1A000

stack

page read and write

5770000

heap

page read and write

2360000

heap

page execute and read and write

654000

heap

page read and write

2E5E000

stack

page read and write

24BE000

stack

page read and write

FBC000

stack

page read and write

1440000

heap

page read and write

3170000

heap

page execute and read and write

8B5000

heap

page read and write

16CE000

stack

page read and write

5B3E000

stack

page read and write

17E0000

trusted library allocation

page read and write

5AFE000

stack

page read and write

542C000

stack

page read and write

2DD0000

heap

page read and write

6A2000

heap

page read and write

962000

trusted library allocation

page read and write

6EB000

heap

page read and write

F1E000

unkown

page readonly

8A6000

heap

page read and write

14DE000

heap

page read and write

59FE000

stack

page read and write

3399000

trusted library allocation

page read and write

2611000

trusted library allocation

page read and write

4CDF000

stack

page read and write

49AE000

stack

page read and write

C34000

trusted library allocation

page read and write

5DBE000

stack

page read and write

470000

heap

page read and write

980000

trusted library allocation

page read and write

14D0000

heap

page read and write

24A8000

trusted library allocation

page read and write

460000

heap

page read and write

29FD000

stack

page read and write

17F0000

trusted library allocation

page read and write

2E1F000

unkown

page read and write

4D1C000

stack

page read and write

188E000

stack

page read and write

1804000

trusted library allocation

page read and write

14FD000

heap

page read and write

FC000

stack

page read and write

5850000

heap

page read and write

2F00000

heap

page read and write

967000

trusted library allocation

page execute and read and write

3EC000

stack

page read and write

182B000

trusted library allocation

page execute and read and write

62E000

heap

page read and write

31C0000

heap

page read and write

1571000

heap

page read and write

9E0000

trusted library allocation

page read and write

620000

heap

page read and write

C23000

trusted library allocation

page execute and read and write

6EF000

heap

page read and write

2470000

heap

page execute and read and write

4FF9000

stack

page read and write

3160000

trusted library allocation

page read and write

62A000

heap

page read and write

4BEF000

stack

page read and write

17F3000

trusted library allocation

page execute and read and write

9AE000

stack

page read and write

C57000

trusted library allocation

page execute and read and write

44AD000

stack

page read and write

2DC0000

heap

page read and write

495000

heap

page read and write

546C000

stack

page read and write

1800000

trusted library allocation

page read and write

2CA0000

heap

page read and write

14DA000

heap

page read and write

2F0B000

heap

page read and write

878000

heap

page read and write

48A0000

heap

page execute and read and write

B00000

trusted library allocation

page read and write

F10000

unkown

page readonly

2350000

trusted library allocation

page read and write

75E000

stack

page read and write

2450000

trusted library allocation

page read and write

2DBE000

unkown

page read and write

8DE000

stack

page read and write

95A000

trusted library allocation

page execute and read and write

3150000

heap

page read and write

1330000

heap

page read and write

4EFC000

stack

page read and write

26C8000

trusted library allocation

page read and write

5670000

heap

page read and write

14CE000

stack

page read and write

25F8000

trusted library allocation

page read and write

47F0000

heap

page read and write

43AD000

stack

page read and write

9D0000

trusted library allocation

page execute and read and write

12F9000

stack

page read and write

2600000

heap

page read and write

556C000

stack

page read and write

17CF000

stack

page read and write

B10000

heap

page read and write

AAF000

stack

page read and write

6F9000

stack

page read and write

484E000

stack

page read and write

930000

trusted library allocation

page read and write

4B80000

heap

page execute and read and write

C24000

trusted library allocation

page read and write

1513000

heap

page read and write

534C000

stack

page read and write

89D000

stack

page read and write

899000

heap

page read and write

4AAE000

stack

page read and write

952000

trusted library allocation

page read and write

94D000

trusted library allocation

page execute and read and write

93D000

trusted library allocation

page execute and read and write

C30000

trusted library allocation

page read and write

5EBE000

stack

page read and write

520F000

stack

page read and write

5AE000

stack

page read and write

26D6000

trusted library allocation

page read and write

1410000

heap

page read and write

3150000

trusted library allocation

page read and write

934000

trusted library allocation

page read and write

613C000

stack

page read and write

C80000

trusted library allocation

page execute and read and write

750000

heap

page read and write

2E9F000

stack

page read and write

627F000

stack

page read and write

4B2E000

stack

page read and write

148D000

stack

page read and write

566C000

stack

page read and write

1820000

trusted library allocation

page read and write

6DB000

heap

page read and write

4C9D000

stack

page read and write

4D8E000

stack

page read and write

17F4000

trusted library allocation

page read and write

610000

heap

page read and write

4BF0000

trusted library allocation

page read and write

AEE000

stack

page read and write

53CE000

stack

page read and write

1310000

heap

page read and write

18E0000

heap

page read and write

9CE000

stack

page read and write

933000

trusted library allocation

page execute and read and write

2C3A000

stack

page read and write

1F9000

stack

page read and write

2371000

trusted library allocation

page read and write

32CE000

stack

page read and write

894000

heap

page read and write

4B6E000

stack

page read and write

58F0000

heap

page execute and read and write

920000

trusted library allocation

page read and write

770000

heap

page read and write

C5B000

trusted library allocation

page execute and read and write

5C7E000

stack

page read and write

4C8E000

stack

page read and write

1542000

heap

page read and write

47AE000

stack

page read and write

C2D000

trusted library allocation

page execute and read and write

6FC000

heap

page read and write

42D1000

trusted library allocation

page read and write

There are 190 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
N7qmK9sbZa.exe

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportN7qmK9sbZa.exe

Files

Processes

URLs

IPs

Memdumps

IOC Report
N7qmK9sbZa.exe