Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

109__Purchase_Order.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.954555318380262
Filename:	109__Purchase_Order.exe
Filesize:	518656
MD5:	4a14a9dedd4dfe259949539090ccc9fe
SHA1:	31d7fe0d77ef9b7d3df2f1a2865c3823b116991e
SHA256:	9fc2770fbd67c9b6f9f244ac6ac0fa8810c3d50e08c7d77b332bf1447ab77fab
SHA512:	87a4f19ce0391e07cf44a90476e180e1d0d7593f760044cc1a264a4d633f458b5d4965acbfceae692936e5263af396b8293644cc17fed97b379a2eb716333210
SSDEEP:	12288:Mhfsby3wzyYyVF/W6OTj1JucaNz3ie6m/dzb8B+:PewzyYMfa1JZaVye6Ab8k
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z.n...............0.............2.... ........@.. .......................@............@................................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
.NET source code contains methods with suspicious names	System Summary	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\109__Purchase_Order.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\109__Purchase_Order.exe.log
Category:	dropped
Dump:	109__Purchase_Order.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\109__Purchase_Order.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\109__Purchase_Order.exe

"C:\Users\user\Desktop\109__Purchase_Order.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7304
Target ID:	0
Parent PID:	2580
Name:	109__Purchase_Order.exe
Path:	C:\Users\user\Desktop\109__Purchase_Order.exe
Commandline:	"C:\Users\user\Desktop\109__Purchase_Order.exe"
Size:	518656
MD5:	4A14A9DEDD4DFE259949539090CCC9FE
Time:	01:20:50
Date:	04/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xdc0000
Modulesize:	540672
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\109__Purchase_Order.exe

"C:\Users\user\Desktop\109__Purchase_Order.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7532
Target ID:	2
Parent PID:	7304
Name:	109__Purchase_Order.exe
Path:	C:\Users\user\Desktop\109__Purchase_Order.exe
Commandline:	"C:\Users\user\Desktop\109__Purchase_Order.exe"
Size:	518656
MD5:	4A14A9DEDD4DFE259949539090CCC9FE
Time:	01:20:56
Date:	04/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xda0000
Modulesize:	540672
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://www.fontbureau.com

unknown

http://www.fontbureau.com/designersG

unknown

http://www.fontbureau.com/designers/?

unknown

http://www.founder.com.cn/cn/bThe

unknown

http://us2.smtp.mailhostbox.com

unknown

http://www.fontbureau.com/designers?

unknown

http://tempuri.org/DataSet1.xsd

unknown

http://www.tiro.com

unknown

http://checkip.dyndns.org

unknown

http://www.fontbureau.com/designers

unknown

http://www.goodfont.co.kr

unknown

http://www.carterandcone.coml

unknown

http://www.sajatypeworks.com

unknown

http://www.typography.netD

unknown

http://www.fontbureau.com/designers/cabarga.htmlN

unknown

http://www.founder.com.cn/cn/cThe

unknown

http://www.galapagosdesign.com/staff/dennis.htm

unknown

http://www.founder.com.cn/cn

unknown

http://www.fontbureau.com/designers/frere-user.html

unknown

http://checkip.dyndns.org/

193.122.6.168

http://checkip.dyndns.org/q

unknown

http://www.jiyu-kobo.co.jp/

unknown

https://scratchdreams.tk

unknown

http://reallyfreegeoip.org

unknown

http://www.galapagosdesign.com/DPlease

unknown

https://reallyfreegeoip.org

unknown

http://www.fontbureau.com/designers8

unknown

https://scratchdreams.tk/_send_.php?TS

104.21.27.85

http://www.fonts.com

unknown

http://www.sandoll.co.kr

unknown

http://checkip.dyndns.com

unknown

http://www.urwpp.deDPlease

unknown

http://www.zhongyicts.com.cn

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://www.sakkal.com

unknown

https://reallyfreegeoip.org/xml/102.129.152.231$

unknown

http://scratchdreams.tk

unknown

https://reallyfreegeoip.org/xml/102.129.152.231

172.67.177.134

https://reallyfreegeoip.org/xml/

unknown

There are 30 hidden URLs, click here to show them.

Domains

Name

Malicious

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

us2.smtp.mailhostbox.com

208.91.199.225

Details

Name:	us2.smtp.mailhostbox.com
IP:	208.91.199.225
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

reallyfreegeoip.org

172.67.177.134

Details

Name:	reallyfreegeoip.org
IP:	172.67.177.134
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

scratchdreams.tk

104.21.27.85

Details

Name:	scratchdreams.tk
IP:	104.21.27.85
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

checkip.dyndns.com

193.122.6.168

IPs

Domain

Country

Malicious

193.122.6.168

checkip.dyndns.com

United States

208.91.199.225

us2.smtp.mailhostbox.com

United States

Details

IP:	208.91.199.225
TargetID:	2
Current Path:	C:\Users\user\Desktop\109__Purchase_Order.exe
Country:	United States
Countrycode:	USA
ASN number:	394695
ASN name:	PUBLIC-DOMAIN-REGISTRYUS
Private:	false
Domain:	us2.smtp.mailhostbox.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

172.67.177.134

reallyfreegeoip.org

United States

Details

IP:	172.67.177.134
TargetID:	2
Current Path:	C:\Users\user\Desktop\109__Purchase_Order.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

104.21.27.85

scratchdreams.tk

United States

Details

IP:	104.21.27.85
TargetID:	2
Current Path:	C:\Users\user\Desktop\109__Purchase_Order.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	scratchdreams.tk

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\109__Purchase_Order_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\109__Purchase_Order_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\109__Purchase_Order_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\109__Purchase_Order_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\109__Purchase_Order_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\109__Purchase_Order_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\109__Purchase_Order_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\109__Purchase_Order_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\109__Purchase_Order_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\109__Purchase_Order_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\109__Purchase_Order_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\109__Purchase_Order_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\109__Purchase_Order_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\109__Purchase_Order_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

3081000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

435E000

trusted library allocation

page read and write

3334000

trusted library allocation

page read and write

3215000

trusted library allocation

page read and write

2EDB000

trusted library allocation

page execute and read and write

6EB0000

trusted library allocation

page read and write

56B2000

trusted library allocation

page read and write

6EA0000

trusted library allocation

page read and write

3243000

trusted library allocation

page read and write

6ED0000

trusted library allocation

page read and write

3251000

trusted library allocation

page read and write

4081000

trusted library allocation

page read and write

31BE000

trusted library allocation

page read and write

77C8000

trusted library allocation

page read and write

177E000

stack

page read and write

55D2000

trusted library allocation

page read and write

3148000

trusted library allocation

page read and write

5BA0000

trusted library allocation

page execute and read and write

1500000

trusted library allocation

page read and write

3234000

trusted library allocation

page read and write

2F60000

trusted library allocation

page read and write

3177000

trusted library allocation

page read and write

31D6000

trusted library allocation

page read and write

6AEE000

stack

page read and write

3163000

trusted library allocation

page read and write

6CEE000

stack

page read and write

2FEE000

trusted library allocation

page read and write

6DF4000

trusted library allocation

page read and write

5CD0000

trusted library allocation

page read and write

6AAD000

stack

page read and write

6E90000

trusted library allocation

page read and write

5CD8000

trusted library allocation

page read and write

32FA000

trusted library allocation

page read and write

1300000

heap

page read and write

31CE000

trusted library allocation

page read and write

317E000

stack

page read and write

5626000

trusted library allocation

page read and write

1547000

trusted library allocation

page execute and read and write

332E000

trusted library allocation

page read and write

5870000

trusted library allocation

page read and write

5CDB000

trusted library allocation

page read and write

764E000

heap

page read and write

326E000

trusted library allocation

page read and write

DC0000

unkown

page readonly

55AE000

trusted library allocation

page read and write

2FF0000

trusted library allocation

page execute and read and write

16F0000

trusted library allocation

page read and write

59F0000

trusted library allocation

page read and write

5632000

trusted library allocation

page read and write

13EF000

heap

page read and write

1520000

trusted library allocation

page read and write

6F20000

heap

page read and write

15A0000

heap

page read and write

55E0000

trusted library allocation

page read and write

14F0000

trusted library allocation

page read and write

7200000

trusted library allocation

page read and write

5A60000

trusted library section

page readonly

2FDE000

stack

page read and write

152A000

trusted library allocation

page execute and read and write

40ED000

trusted library allocation

page read and write

16F3000

trusted library allocation

page execute and read and write

7640000

heap

page read and write

1720000

heap

page read and write

2F70000

trusted library allocation

page execute and read and write

55F0000

trusted library allocation

page read and write

4225000

trusted library allocation

page read and write

13D7000

heap

page read and write

6B2E000

stack

page read and write

4114000

trusted library allocation

page read and write

59D0000

trusted library allocation

page read and write

55E4000

trusted library allocation

page read and write

2F00000

trusted library allocation

page execute and read and write

1700000

trusted library allocation

page read and write

13D7000

heap

page read and write

1560000

trusted library allocation

page read and write

32DC000

trusted library allocation

page read and write

151D000

trusted library allocation

page execute and read and write

2ED2000

trusted library allocation

page read and write

4273000

trusted library allocation

page read and write

13E4000

heap

page read and write

59FE000

trusted library allocation

page read and write

5A90000

heap

page read and write

1526000

trusted library allocation

page execute and read and write

31D2000

trusted library allocation

page read and write

155E000

stack

page read and write

69DA000

heap

page read and write

7E20000

heap

page read and write

5A80000

heap

page read and write

16E0000

trusted library allocation

page read and write

6F40000

trusted library allocation

page execute and read and write

682E000

stack

page read and write

7BEE000

stack

page read and write

318A000

trusted library allocation

page read and write

EBA000

stack

page read and write

16AE000

stack

page read and write

7E25000

heap

page read and write

2F10000

heap

page read and write

55BE000

trusted library allocation

page read and write

167E000

stack

page read and write

3322000

trusted library allocation

page read and write

2F5E000

stack

page read and write

31C2000

trusted library allocation

page read and write

59E0000

trusted library allocation

page execute and read and write

4189000

trusted library allocation

page read and write

7E30000

heap

page read and write

171A000

trusted library allocation

page execute and read and write

696F000

stack

page read and write

32E2000

trusted library allocation

page read and write

1570000

heap

page read and write

560B000

trusted library allocation

page read and write

52BC000

stack

page read and write

7230000

trusted library section

page read and write

1712000

trusted library allocation

page read and write

3179000

trusted library allocation

page read and write

7740000

trusted library section

page read and write

40A9000

trusted library allocation

page read and write

71F0000

trusted library section

page read and write

7F5E000

stack

page read and write

FD7000

stack

page read and write

151E000

stack

page read and write

2FE0000

trusted library allocation

page read and write

5A70000

heap

page read and write

6F30000

heap

page read and write

5604000

trusted library allocation

page read and write

31C6000

trusted library allocation

page read and write

56D0000

heap

page execute and read and write

1710000

trusted library allocation

page read and write

13CA000

heap

page read and write

31E4000

trusted library allocation

page read and write

58DB000

stack

page read and write

A94E000

stack

page read and write

5B0E000

stack

page read and write

5640000

trusted library allocation

page read and write

6EF0000

trusted library allocation

page read and write

7B00000

trusted library allocation

page read and write

3186000

trusted library allocation

page read and write

3065000

trusted library allocation

page read and write

2FE5000

trusted library allocation

page read and write

69D1000

heap

page read and write

31F9000

trusted library allocation

page read and write

55A0000

trusted library allocation

page read and write

3207000

trusted library allocation

page read and write

672E000

stack

page read and write

3182000

trusted library allocation

page read and write

1478000

heap

page read and write

13B0000

heap

page read and write

1513000

trusted library allocation

page read and write

3040000

trusted library allocation

page read and write

5740000

heap

page read and write

31DB000

trusted library allocation

page read and write

5621000

trusted library allocation

page read and write

41D7000

trusted library allocation

page read and write

56A0000

heap

page read and write

6DEE000

stack

page read and write

5A00000

heap

page execute and read and write

5CF0000

trusted library allocation

page read and write

2ED5000

trusted library allocation

page execute and read and write

303D000

stack

page read and write

515E000

stack

page read and write

6EE0000

trusted library allocation

page execute and read and write

1320000

heap

page read and write

A84E000

stack

page read and write

1220000

heap

page read and write

32FE000

trusted library allocation

page read and write

1310000

heap

page read and write

4107000

trusted library allocation

page read and write

69E9000

heap

page read and write

2F90000

heap

page read and write

7210000

trusted library allocation

page execute and read and write

1330000

heap

page read and write

5CE0000

trusted library allocation

page execute and read and write

525E000

stack

page read and write

1453000

heap

page read and write

5ADE000

heap

page read and write

55A6000

trusted library allocation

page read and write

5743000

heap

page read and write

2ED7000

trusted library allocation

page execute and read and write

6970000

heap

page read and write

2ED0000

trusted library allocation

page read and write

32D7000

trusted library allocation

page read and write

2F70000

heap

page execute and read and write

3050000

trusted library allocation

page read and write

56C0000

trusted library allocation

page execute and read and write

31CA000

trusted library allocation

page read and write

7A6E000

stack

page read and write

1427000

heap

page read and write

FB7000

stack

page read and write

14EE000

stack

page read and write

31BC000

trusted library allocation

page read and write

3131000

trusted library allocation

page read and write

6EC7000

trusted library allocation

page read and write

154B000

trusted library allocation

page execute and read and write

31DA000

trusted library allocation

page read and write

5CD6000

trusted library allocation

page read and write

2F60000

heap

page read and write

55C1000

trusted library allocation

page read and write

7220000

trusted library allocation

page read and write

55C6000

trusted library allocation

page read and write

32EC000

trusted library allocation

page read and write

5AF0000

heap

page read and write

6EC0000

trusted library allocation

page read and write

5610000

trusted library allocation

page read and write

6E00000

trusted library allocation

page execute and read and write

4125000

trusted library allocation

page read and write

561E000

trusted library allocation

page read and write

3070000

heap

page execute and read and write

170D000

trusted library allocation

page execute and read and write

1240000

heap

page read and write

58E0000

heap

page read and write

3231000

trusted library allocation

page read and write

7262000

trusted library allocation

page read and write

314B000

trusted library allocation

page read and write

4112000

trusted library allocation

page read and write

139E000

stack

page read and write

13BE000

heap

page read and write

13A8000

heap

page read and write

5750000

heap

page read and write

1537000

heap

page read and write

1510000

trusted library allocation

page read and write

144D000

heap

page read and write

5600000

trusted library allocation

page read and write

1716000

trusted library allocation

page execute and read and write

2F5E000

stack

page read and write

13BE000

heap

page read and write

7240000

trusted library allocation

page read and write

5A5E000

stack

page read and write

32F5000

trusted library allocation

page read and write

5AB9000

heap

page read and write

A74F000

stack

page read and write

145E000

heap

page read and write

56B0000

trusted library allocation

page read and write

7E00000

trusted library allocation

page read and write

3200000

trusted library allocation

page read and write

5AA0000

heap

page read and write

55AB000

trusted library allocation

page read and write

686E000

stack

page read and write

5660000

trusted library allocation

page read and write

2EF0000

trusted library allocation

page read and write

55B2000

trusted library allocation

page read and write

1504000

trusted library allocation

page read and write

A64E000

stack

page read and write

7AFE000

stack

page read and write

3329000

trusted library allocation

page read and write

1530000

heap

page read and write

150D000

trusted library allocation

page execute and read and write

2F63000

heap

page read and write

EDA000

stack

page read and write

567D000

stack

page read and write

318E000

trusted library allocation

page read and write

13A0000

heap

page read and write

2F80000

trusted library allocation

page read and write

DC2000

unkown

page readonly

1503000

trusted library allocation

page execute and read and write

400000

remote allocation

page execute and read and write

137E000

stack

page read and write

31DE000

trusted library allocation

page read and write

55CD000

trusted library allocation

page read and write

7AAE000

stack

page read and write

3060000

trusted library allocation

page read and write

13F2000

heap

page read and write

805F000

stack

page read and write

1540000

trusted library allocation

page read and write

6E92000

trusted library allocation

page read and write

16FD000

trusted library allocation

page execute and read and write

16F4000

trusted library allocation

page read and write

1542000

trusted library allocation

page read and write

6C2E000

stack

page read and write

55BA000

trusted library allocation

page read and write

4181000

trusted library allocation

page read and write

5A95000

heap

page read and write

51BC000

stack

page read and write

13B8000

heap

page read and write

562D000

trusted library allocation

page read and write

6E16000

trusted library allocation

page read and write

3140000

trusted library allocation

page read and write

5AB0000

heap

page read and write

3181000

trusted library allocation

page read and write

148C000

heap

page read and write

6E95000

trusted library allocation

page read and write

31E9000

trusted library allocation

page read and write

307E000

stack

page read and write

There are 272 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
109__Purchase_Order.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report109__Purchase_Order.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
109__Purchase_Order.exe