Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

XCN5xgaiac.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.847015351108806
Filename:	XCN5xgaiac.exe
Filesize:	367616
MD5:	24899e0590707e01cd9fbdfab6dd922b
SHA1:	ae88a813c9dd1d766134789052f1e8e1ecaeb4be
SHA256:	054527988476fbdfcca3d4eec4d530c5529e2360b3f84beab0578b1411cad952
SHA512:	1c514b5cccd7610260a52f8810c8bfe67c9c7d18d31a7fd1d85a1bb3ace5ff9e2212599653f323cf022a8c0d1f5a28bc8f32b59c87c4c9428fe7e852109c9f44
SSDEEP:	6144:XUYNazqRCG5W3N95g8xzxr2RFx7+/3qrjTepYSUtKAhJMmo+g1R5E/meXvgDSgi8:EdzmloBxzxr2Rv7+CrHD5tlJyDnK/mek
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..................................... ....@.. ....................... ............`................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file has nameless sections	System Summary
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Tries to steal Mail credentials (via file registry)	Stealing of Sensitive Information	Credentials in Registry
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Security Software Discovery
Checks if the current process is being debugged	Anti Debugging
Contains functionality to call native functions	System Summary
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
One or more processes crash	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Contains functionality to download additional files from the internet	Networking
Contains functionality to instantiate COM classes	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XCN5xgaiac.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XCN5xgaiac.exe.log
Category:	dropped
Dump:	XCN5xgaiac.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\XCN5xgaiac.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.349842958726647
Encrypted:	false
Ssdeep:	12:Q3La/hz92n4M0kvoDLI4MWuCqDLI4MWuPTAq1KDLI4M9XKbbDLI4MWuPJKAVKhav:MLU84jE4K5E4KH1qE4qXKDE4KhKiKhk
Size:	706
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file has nameless sections	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\188E93\31437F.lck

very short file (no magic)

dropped

Details

File:	C:\Users\user\AppData\Roaming\188E93\31437F.lck
Category:	dropped
Dump:	31437F.lck.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Users\user\Desktop\XCN5xgaiac.exe
Type:	very short file (no magic)
Entropy:	0.0
Encrypted:	false
Ssdeep:	3:U:U
Size:	1
Whitelisted:	true
Reputation:	high

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06
Category:	dropped
Dump:	bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Users\user\Desktop\XCN5xgaiac.exe
Type:	data
Entropy:	1.0424600748477153
Encrypted:	false
Ssdeep:	3:/lbq:4
Size:	46
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\XCN5xgaiac.exe

"C:\Users\user\Desktop\XCN5xgaiac.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7308
Target ID:	0
Parent PID:	2580
Name:	XCN5xgaiac.exe
Path:	C:\Users\user\Desktop\XCN5xgaiac.exe
Commandline:	"C:\Users\user\Desktop\XCN5xgaiac.exe"
Size:	367616
MD5:	24899E0590707E01CD9FBDFAB6DD922B
Time:	01:56:58
Date:	20/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x180000
Modulesize:	401408
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Lokibot	Stealing of Sensitive Information
Yara detected Lokibot	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file has nameless sections	System Summary
Yara detected aPLib compressed binary	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\XCN5xgaiac.exe

Details

Is windows:	false
Is dropped:	false
PID:	7368
Target ID:	1
Parent PID:	7308
Name:	XCN5xgaiac.exe
Path:	C:\Users\user\Desktop\XCN5xgaiac.exe
Commandline:	C:\Users\user\Desktop\XCN5xgaiac.exe
Size:	367616
MD5:	24899E0590707E01CD9FBDFAB6DD922B
Time:	01:56:59
Date:	20/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x480000
Modulesize:	401408
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Lokibot	Stealing of Sensitive Information
Yara detected Lokibot	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file has nameless sections	System Summary
Yara detected aPLib compressed binary	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\XCN5xgaiac.exe

Details

Is windows:	false
Is dropped:	false
PID:	7376
Target ID:	2
Parent PID:	7308
Name:	XCN5xgaiac.exe
Path:	C:\Users\user\Desktop\XCN5xgaiac.exe
Commandline:	C:\Users\user\Desktop\XCN5xgaiac.exe
Size:	367616
MD5:	24899E0590707E01CD9FBDFAB6DD922B
Time:	01:56:59
Date:	20/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x870000
Modulesize:	401408
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Lokibot	Stealing of Sensitive Information
Yara detected Lokibot	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file has nameless sections	System Summary
Yara detected aPLib compressed binary	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\XCN5xgaiac.exe

Details

Is windows:	false
Is dropped:	false
PID:	7392
Target ID:	4
Parent PID:	7308
Name:	XCN5xgaiac.exe
Path:	C:\Users\user\Desktop\XCN5xgaiac.exe
Commandline:	C:\Users\user\Desktop\XCN5xgaiac.exe
Size:	367616
MD5:	24899E0590707E01CD9FBDFAB6DD922B
Time:	01:56:59
Date:	20/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x6a0000
Modulesize:	401408
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Lokibot	Stealing of Sensitive Information
Yara detected Lokibot	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file has nameless sections	System Summary
Yara detected aPLib compressed binary	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\XCN5xgaiac.exe

Details

Is windows:	false
Is dropped:	false
PID:	7432
Target ID:	5
Parent PID:	7308
Name:	XCN5xgaiac.exe
Path:	C:\Users\user\Desktop\XCN5xgaiac.exe
Commandline:	C:\Users\user\Desktop\XCN5xgaiac.exe
Size:	367616
MD5:	24899E0590707E01CD9FBDFAB6DD922B
Time:	01:56:59
Date:	20/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xf10000
Modulesize:	401408
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Lokibot	Stealing of Sensitive Information
Yara detected Lokibot	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file has nameless sections	System Summary
Yara detected aPLib compressed binary	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7368 -s 80

Details

Is windows:	true
Is dropped:	false
PID:	7484
Target ID:	7
Parent PID:	7368
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7368 -s 80
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	01:56:59
Date:	20/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xf10000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://94.156.65.182/tomthf/cvghx/five/fre.php

94.156.65.182

Details

Name:	http://94.156.65.182/tomthf/cvghx/five/fre.php
IP:	94.156.65.182
TargetID:	2
From Memory:	false
Current Path:	C:\Users\user\Desktop\XCN5xgaiac.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

http://kbfvzoboss.bid/alien/fre.php

Details

Name:	http://kbfvzoboss.bid/alien/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\XCN5xgaiac.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://alphastand.win/alien/fre.php

Details

Name:	http://alphastand.win/alien/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\XCN5xgaiac.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://alphastand.trade/alien/fre.php

Details

Name:	http://alphastand.trade/alien/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\XCN5xgaiac.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://alphastand.top/alien/fre.php

Details

Name:	http://alphastand.top/alien/fre.php
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\XCN5xgaiac.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://94.156.65.182/

unknown

Details

Name:	http://94.156.65.182/
TargetID:	2
From Memory:	true
Current Path:	C:\Users\user\Desktop\XCN5xgaiac.exe
Source:	XCN5xgaiac.exe, 00000002.00000002.1711487587.0000000000F6D000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

http://www.ibsensoftware.com/

unknown

IPs

Domain

Country

Malicious

94.156.65.182

unknown

Bulgaria

Details

IP:	94.156.65.182
TargetID:	2
Current Path:	C:\Users\user\Desktop\XCN5xgaiac.exe
Country:	Bulgaria
Countrycode:	BGR
ASN number:	31420
ASN name:	TERASYST-ASBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

26A8000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

F08000

heap

page read and write

4119000

trusted library allocation

page read and write

268C000

trusted library allocation

page read and write

26E0000

trusted library allocation

page read and write

26C3000

trusted library allocation

page read and write

4A0000

remote allocation

page execute and read and write

3601000

trusted library allocation

page read and write

3040000

heap

page read and write

7FE000

heap

page read and write

9F0000

trusted library allocation

page read and write

4049000

trusted library allocation

page read and write

919E000

stack

page read and write

2E82000

heap

page read and write

D7A9000

trusted library allocation

page read and write

7A3000

trusted library allocation

page execute and read and write

A7C000

stack

page read and write

25F0000

heap

page read and write

700E000

stack

page read and write

AFD000

stack

page read and write

4B80000

heap

page execute and read and write

89B000

heap

page read and write

1390000

heap

page read and write

57C000

stack

page read and write

26A6000

trusted library allocation

page read and write

3FAD000

trusted library allocation

page read and write

943E000

stack

page read and write

7B0000

trusted library allocation

page read and write

8D1000

heap

page read and write

7A4000

trusted library allocation

page read and write

26FE000

trusted library allocation

page read and write

837000

heap

page read and write

578000

stack

page read and write

AC0000

trusted library allocation

page read and write

46FE000

stack

page read and write

251E000

stack

page read and write

2A30000

heap

page read and write

7DB000

trusted library allocation

page execute and read and write

1D0000

unkown

page readonly

D79C000

trusted library allocation

page read and write

ECD000

stack

page read and write

3EEF000

trusted library allocation

page read and write

4B7E000

stack

page read and write

897000

heap

page read and write

D73D000

trusted library section

page read and write

DBFE000

stack

page read and write

D760000

trusted library allocation

page read and write

9440000

heap

page read and write

D799000

trusted library allocation

page read and write

D75B000

trusted library allocation

page read and write

E15000

heap

page read and write

B290000

trusted library allocation

page read and write

C5E000

stack

page read and write

1400000

heap

page read and write

81D000

heap

page read and write

1408000

heap

page read and write

299F000

stack

page read and write

C7E000

stack

page read and write

A90000

heap

page read and write

F2F000

heap

page read and write

2540000

trusted library allocation

page read and write

A3E000

stack

page read and write

7CA000

trusted library allocation

page execute and read and write

92F0000

trusted library allocation

page read and write

9D0000

heap

page read and write

3E82000

trusted library allocation

page read and write

D8BE000

stack

page read and write

2688000

trusted library allocation

page read and write

C10000

heap

page read and write

B00000

heap

page read and write

92B0000

trusted library allocation

page execute and read and write

5F0000

heap

page read and write

D88000

heap

page read and write

B70000

heap

page read and write

4B3E000

stack

page read and write

4A0000

remote allocation

page execute and read and write

DABE000

stack

page read and write

8C3000

heap

page read and write

2520000

trusted library allocation

page read and write

AB0000

trusted library allocation

page read and write

C15000

heap

page read and write

A80000

trusted library allocation

page execute and read and write

864000

heap

page read and write

96C000

stack

page read and write

79C000

stack

page read and write

2E70000

heap

page read and write

DCFE000

stack

page read and write

7C6000

trusted library allocation

page execute and read and write

A24E000

stack

page read and write

6A0000

heap

page read and write

D5F000

stack

page read and write

905E000

stack

page read and write

B40000

heap

page execute and read and write

E10000

heap

page read and write

CFC000

stack

page read and write

7AD000

trusted library allocation

page execute and read and write

180000

unkown

page readonly

123C000

stack

page read and write

9E0000

heap

page read and write

D7A0000

trusted library allocation

page read and write

1370000

heap

page read and write

25E0000

trusted library section

page read and write

40B1000

trusted library allocation

page read and write

933E000

stack

page read and write

E60000

heap

page read and write

E0E000

stack

page read and write

D60000

heap

page read and write

BE0000

heap

page read and write

47B000

stack

page read and write

D771000

trusted library allocation

page read and write

2E7E000

stack

page read and write

182000

unkown

page readonly

1395000

heap

page read and write

7D7000

trusted library allocation

page execute and read and write

D785000

trusted library allocation

page read and write

D790000

trusted library allocation

page read and write

63E000

stack

page read and write

10FE000

stack

page read and write

929F000

stack

page read and write

D6E0000

trusted library section

page read and write

8FD000

stack

page read and write

67D000

stack

page read and write

822000

heap

page read and write

7A0000

trusted library allocation

page read and write

7B4000

trusted library allocation

page read and write

133C000

stack

page read and write

9F0000

heap

page read and write

DBBE000

stack

page read and write

AA0000

trusted library allocation

page execute and read and write

9EF000

stack

page read and write

182000

unkown

page execute and read and write

3F79000

trusted library allocation

page read and write

F00000

heap

page read and write

25CE000

stack

page read and write

E5E000

stack

page read and write

7010000

trusted library section

page read and write

A14E000

stack

page read and write

790000

trusted library allocation

page read and write

7F0000

heap

page read and write

B50000

heap

page read and write

D76E000

trusted library allocation

page read and write

7C0000

trusted library allocation

page read and write

2870000

heap

page read and write

25D0000

heap

page read and write

258E000

stack

page read and write

8CB000

heap

page read and write

7F8000

heap

page read and write

915E000

stack

page read and write

2601000

trusted library allocation

page read and write

A10E000

stack

page read and write

3FE1000

trusted library allocation

page read and write

5E0000

heap

page read and write

D740000

trusted library allocation

page read and write

D80000

heap

page read and write

D8FE000

stack

page read and write

3605000

trusted library allocation

page read and write

1380000

heap

page read and write

3E4E000

trusted library allocation

page read and write

D756000

trusted library allocation

page read and write

F6D000

heap

page read and write

6A5000

heap

page read and write

820000

heap

page read and write

There are 153 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
XCN5xgaiac.exe

Files

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportXCN5xgaiac.exe

Files

Processes

URLs

IPs

Memdumps

IOC Report
XCN5xgaiac.exe