Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Purchase Order.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.894453896411025
Filename:	Purchase Order.exe
Filesize:	546304
MD5:	7eb1409fed2a2b740122f997a76f7a94
SHA1:	8cc9e2d414bc1c8964b965989fb6648857ae9892
SHA256:	ff2ae4fd71daa1a98edd5f88b743a5daa5fb29f70b87dee08fec25313a3640f1
SHA512:	e1df8be427c813ded706628025f38454520a24990b8be54893132b9a44f6874cef1b54f51fa3dd4f56c9622df73ab71fc14ded126c262eea3f3d515039c238a0
SSDEEP:	12288:/WUHaP7P5nea9GotNgJ9/KYEQDSAj/aK5zYFQCmO5lT05G:/lHgj5nbGotNCVDSAWKcQCxQ
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T.................0..L..........:j... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Abnormal high CPU Usage	System Summary	Process Injection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
.NET source code contains methods with suspicious names	System Summary	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary	System Information Discovery
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order.exe.log
Category:	dropped
Dump:	Purchase Order.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Purchase Order.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Purchase Order.exe

"C:\Users\user\Desktop\Purchase Order.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1480
Target ID:	0
Parent PID:	1028
Name:	Purchase Order.exe
Path:	C:\Users\user\Desktop\Purchase Order.exe
Commandline:	"C:\Users\user\Desktop\Purchase Order.exe"
Size:	546304
MD5:	7EB1409FED2A2B740122F997A76F7A94
Time:	12:56:07
Date:	04/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x270000
Modulesize:	573440
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\Purchase Order.exe

"C:\Users\user\Desktop\Purchase Order.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6336
Target ID:	3
Parent PID:	1480
Name:	Purchase Order.exe
Path:	C:\Users\user\Desktop\Purchase Order.exe
Commandline:	"C:\Users\user\Desktop\Purchase Order.exe"
Size:	546304
MD5:	7EB1409FED2A2B740122F997A76F7A94
Time:	12:56:12
Date:	04/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xad0000
Modulesize:	573440
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://checkip.dyndns.org/

193.122.130.0

http://us2.smtp.mailhostbox.com

unknown

http://checkip.dyndns.org/q

unknown

https://scratchdreams.tk

unknown

http://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org

unknown

https://scratchdreams.tk/_send_.php?TS

104.21.27.85

http://checkip.dyndns.org

unknown

http://checkip.dyndns.com

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://reallyfreegeoip.org/xml/102.129.152.231$

unknown

http://scratchdreams.tk

unknown

https://reallyfreegeoip.org/xml/102.129.152.231

172.67.177.134

https://reallyfreegeoip.org/xml/

unknown

There are 4 hidden URLs, click here to show them.

Domains

Name

Malicious

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

us2.smtp.mailhostbox.com

208.91.199.224

Details

Name:	us2.smtp.mailhostbox.com
IP:	208.91.199.224
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

reallyfreegeoip.org

172.67.177.134

Details

Name:	reallyfreegeoip.org
IP:	172.67.177.134
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

scratchdreams.tk

104.21.27.85

Details

Name:	scratchdreams.tk
IP:	104.21.27.85
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

checkip.dyndns.com

193.122.130.0

IPs

Domain

Country

Malicious

193.122.130.0

checkip.dyndns.com

United States

208.91.199.224

us2.smtp.mailhostbox.com

United States

Details

IP:	208.91.199.224
TargetID:	3
Current Path:	C:\Users\user\Desktop\Purchase Order.exe
Country:	United States
Countrycode:	USA
ASN number:	394695
ASN name:	PUBLIC-DOMAIN-REGISTRYUS
Private:	false
Domain:	us2.smtp.mailhostbox.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

172.67.177.134

reallyfreegeoip.org

United States

Details

IP:	172.67.177.134
TargetID:	3
Current Path:	C:\Users\user\Desktop\Purchase Order.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

104.21.27.85

scratchdreams.tk

United States

Details

IP:	104.21.27.85
TargetID:	3
Current Path:	C:\Users\user\Desktop\Purchase Order.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	scratchdreams.tk

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2DF1000

trusted library allocation

page read and write

30C9000

trusted library allocation

page read and write

38AE000

trusted library allocation

page read and write

2F9D000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

72FE000

stack

page read and write

52E0000

trusted library allocation

page read and write

8B0000

trusted library allocation

page read and write

655E000

stack

page read and write

2F40000

trusted library allocation

page read and write

4DE0000

trusted library allocation

page execute and read and write

D1D000

trusted library allocation

page read and write

8C3000

trusted library allocation

page execute and read and write

2EF4000

trusted library allocation

page read and write

2F8000

unkown

page readonly

8C0000

trusted library allocation

page read and write

6716000

heap

page read and write

66D5000

heap

page read and write

71FE000

stack

page read and write

8C4000

trusted library allocation

page read and write

530E000

trusted library allocation

page read and write

EF7000

stack

page read and write

6B70000

trusted library allocation

page read and write

25B0000

trusted library allocation

page read and write

303C000

trusted library allocation

page read and write

59A0000

trusted library allocation

page read and write

6711000

heap

page read and write

4D40000

trusted library allocation

page read and write

2EF8000

trusted library allocation

page read and write

5340000

trusted library allocation

page read and write

2F28000

trusted library allocation

page read and write

52F0000

trusted library allocation

page read and write

BEA000

stack

page read and write

66A0000

heap

page read and write

4F30000

heap

page read and write

1220000

heap

page read and write

53F3000

heap

page read and write

6770000

trusted library section

page read and write

1230000

heap

page read and write

F58000

heap

page read and write

2F2C000

trusted library allocation

page read and write

253E000

stack

page read and write

2C2B000

trusted library allocation

page execute and read and write

2C16000

trusted library allocation

page execute and read and write

2C20000

trusted library allocation

page read and write

5334000

trusted library allocation

page read and write

8F2000

trusted library allocation

page read and write

F7A000

heap

page read and write

4B70000

heap

page read and write

2545000

trusted library allocation

page read and write

2C22000

trusted library allocation

page read and write

4DD0000

heap

page read and write

9A7E000

stack

page read and write

7E0000

heap

page read and write

6D72000

trusted library allocation

page read and write

2C40000

trusted library allocation

page read and write

659E000

stack

page read and write

52F6000

trusted library allocation

page read and write

CFB000

trusted library allocation

page read and write

3099000

trusted library allocation

page read and write

270000

unkown

page readonly

D40000

heap

page read and write

254E000

trusted library allocation

page read and write

4B90000

trusted library allocation

page read and write

50B0000

trusted library allocation

page read and write

B4F000

stack

page read and write

2BF0000

trusted library allocation

page read and write

2C1A000

trusted library allocation

page execute and read and write

940000

trusted library allocation

page execute and read and write

52D0000

trusted library allocation

page execute and read and write

7D0000

heap

page read and write

2DDE000

stack

page read and write

58DE000

stack

page read and write

10A0000

heap

page read and write

36D9000

trusted library allocation

page read and write

5302000

trusted library allocation

page read and write

D11000

trusted library allocation

page read and write

FDF000

heap

page read and write

4DB5000

heap

page read and write

272000

unkown

page readonly

2751000

trusted library allocation

page read and write

5360000

trusted library allocation

page read and write

54A0000

heap

page read and write

8CD000

trusted library allocation

page execute and read and write

920000

heap

page read and write

1307000

heap

page read and write

667E000

heap

page read and write

12F7000

heap

page read and write

83FF000

stack

page read and write

305E000

trusted library allocation

page read and write

82E000

stack

page read and write

F50000

heap

page read and write

2F9A000

trusted library allocation

page read and write

6B44000

trusted library allocation

page read and write

D57000

heap

page read and write

273A000

trusted library allocation

page read and write

3EA8000

trusted library allocation

page read and write

258D000

stack

page read and write

CD0000

trusted library allocation

page read and write

2FD7000

trusted library allocation

page read and write

6A1E000

stack

page read and write

C4E000

stack

page read and write

6C80000

trusted library allocation

page execute and read and write

5660000

trusted library allocation

page read and write

95E000

heap

page read and write

4F40000

heap

page read and write

6B60000

trusted library allocation

page read and write

8E2000

trusted library allocation

page read and write

2E95000

trusted library allocation

page read and write

6C17000

trusted library allocation

page read and write

2C00000

trusted library allocation

page read and write

C8E000

stack

page read and write

531D000

trusted library allocation

page read and write

52FE000

trusted library allocation

page read and write

4D9B000

stack

page read and write

3E89000

trusted library allocation

page read and write

2F55000

trusted library allocation

page read and write

984000

heap

page read and write

8E6000

trusted library allocation

page execute and read and write

3063000

trusted library allocation

page read and write

4F60000

heap

page read and write

2EE4000

trusted library allocation

page read and write

86E000

stack

page read and write

270D000

trusted library allocation

page read and write

389000

stack

page read and write

4B30000

trusted library allocation

page read and write

12F0000

heap

page read and write

718F000

stack

page read and write

6C6E000

stack

page read and write

3040000

trusted library allocation

page read and write

2CD0000

heap

page read and write

2C10000

trusted library allocation

page read and write

738E000

stack

page read and write

3727000

trusted library allocation

page read and write

2F38000

trusted library allocation

page read and write

2C25000

trusted library allocation

page execute and read and write

2EEC000

trusted library allocation

page read and write

A07000

heap

page read and write

8E0000

trusted library allocation

page read and write

2C27000

trusted library allocation

page execute and read and write

5330000

trusted library allocation

page read and write

6670000

heap

page read and write

3E7D000

trusted library allocation

page read and write

1040000

heap

page read and write

2BB0000

heap

page read and write

6A00000

trusted library section

page read and write

950000

heap

page read and write

CF0000

trusted library allocation

page read and write

4E20000

heap

page execute and read and write

6B65000

trusted library allocation

page read and write

3E58000

trusted library allocation

page read and write

53F0000

heap

page read and write

CCB000

stack

page read and write

9C7E000

stack

page read and write

3E19000

trusted library allocation

page read and write

305A000

trusted library allocation

page read and write

37C3000

trusted library allocation

page read and write

F6E000

heap

page read and write

2BE0000

trusted library allocation

page read and write

3E73000

trusted library allocation

page read and write

59A8000

trusted library allocation

page read and write

2F7F000

trusted library allocation

page read and write

67DD000

stack

page read and write

308E000

trusted library allocation

page read and write

59A6000

trusted library allocation

page read and write

4DA0000

trusted library section

page readonly

53CD000

stack

page read and write

6F7000

stack

page read and write

2CCE000

stack

page read and write

2F44000

trusted library allocation

page read and write

2BF4000

trusted library allocation

page read and write

D30000

trusted library allocation

page read and write

6C10000

trusted library allocation

page read and write

3DF1000

trusted library allocation

page read and write

2EB5000

trusted library allocation

page read and write

127E000

stack

page read and write

101A000

heap

page read and write

2C0D000

trusted library allocation

page execute and read and write

4E10000

trusted library section

page read and write

6B20000

trusted library allocation

page execute and read and write

26D1000

trusted library allocation

page read and write

308C000

trusted library allocation

page read and write

2735000

trusted library allocation

page read and write

6780000

trusted library allocation

page execute and read and write

977E000

stack

page read and write

3047000

trusted library allocation

page read and write

530A000

trusted library allocation

page read and write

4B80000

trusted library allocation

page execute and read and write

6C30000

trusted library allocation

page execute and read and write

134E000

stack

page read and write

6C20000

trusted library allocation

page read and write

2EF0000

trusted library allocation

page read and write

95A000

heap

page read and write

5690000

heap

page execute and read and write

7080000

heap

page read and write

6790000

trusted library allocation

page read and write

568E000

trusted library allocation

page read and write

2C8E000

stack

page read and write

3050000

trusted library allocation

page read and write

D16000

trusted library allocation

page read and write

2F48000

trusted library allocation

page read and write

3086000

trusted library allocation

page read and write

988000

heap

page read and write

12BE000

stack

page read and write

2F71000

trusted library allocation

page read and write

6B1E000

stack

page read and write

9880000

heap

page read and write

CE0000

heap

page read and write

66D1000

heap

page read and write

605F000

stack

page read and write

6A97000

trusted library allocation

page read and write

D22000

trusted library allocation

page read and write

910000

trusted library allocation

page read and write

8EA000

trusted library allocation

page execute and read and write

5322000

trusted library allocation

page read and write

6BD6000

trusted library allocation

page read and write

D0E000

trusted library allocation

page read and write

6A70000

trusted library allocation

page read and write

52FB000

trusted library allocation

page read and write

2DE0000

heap

page execute and read and write

36D1000

trusted library allocation

page read and write

2F3C000

trusted library allocation

page read and write

25B5000

trusted library allocation

page read and write

599E000

stack

page read and write

2EA6000

trusted library allocation

page read and write

2BF3000

trusted library allocation

page execute and read and write

5316000

trusted library allocation

page read and write

4DC0000

heap

page read and write

10C5000

heap

page read and write

870000

heap

page read and write

3092000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

6C40000

trusted library allocation

page read and write

977000

heap

page read and write

25A0000

trusted library allocation

page read and write

4B10000

trusted library allocation

page read and write

3775000

trusted library allocation

page read and write

1050000

heap

page read and write

D50000

heap

page read and write

728E000

stack

page read and write

2EA9000

trusted library allocation

page read and write

875000

heap

page read and write

2C12000

trusted library allocation

page read and write

2E9D000

trusted library allocation

page read and write

121E000

unkown

page read and write

6B30000

trusted library allocation

page read and write

8F7000

trusted library allocation

page execute and read and write

6C70000

heap

page read and write

6B62000

trusted library allocation

page read and write

5680000

trusted library allocation

page read and write

991000

heap

page read and write

2ECD000

trusted library allocation

page read and write

96F000

heap

page read and write

6C00000

trusted library allocation

page read and write

109E000

stack

page read and write

D43000

heap

page read and write

4DB0000

heap

page read and write

4F8E000

stack

page read and write

8D3000

trusted library allocation

page read and write

2F63000

trusted library allocation

page read and write

2EB2000

trusted library allocation

page read and write

8DD000

trusted library allocation

page execute and read and write

6C20000

trusted library allocation

page execute and read and write

8D0000

trusted library allocation

page read and write

2EE1000

trusted library allocation

page read and write

2F30000

trusted library allocation

page read and write

59AB000

trusted library allocation

page read and write

47CC000

stack

page read and write

4E00000

heap

page read and write

8FB000

trusted library allocation

page execute and read and write

F8E000

heap

page read and write

669E000

stack

page read and write

994000

heap

page read and write

11DE000

unkown

page read and write

4F2D000

stack

page read and write

6B50000

trusted library allocation

page execute and read and write

2F34000

trusted library allocation

page read and write

681F000

stack

page read and write

2EA2000

trusted library allocation

page read and write

9B7E000

stack

page read and write

1300000

heap

page read and write

2540000

trusted library allocation

page read and write

2BFD000

trusted library allocation

page execute and read and write

25C0000

heap

page execute and read and write

26CE000

stack

page read and write

5670000

trusted library allocation

page execute and read and write

5311000

trusted library allocation

page read and write

CF4000

trusted library allocation

page read and write

272B000

trusted library allocation

page read and write

3F0000

heap

page read and write

10C0000

heap

page read and write

There are 281 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Purchase Order.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportPurchase Order.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Purchase Order.exe