Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Purchase Order.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.94127509116759
Filename:	Purchase Order.exe
Filesize:	529920
MD5:	b9f9c9cac777dca7a78819914da1ba15
SHA1:	2369adcf893a14e6b8351edeeb2b6b63147fd157
SHA256:	32aeea1990475960922b9a0bbda5a7edc864a3c70e4b8c5e84b16e269ea6fc7c
SHA512:	987ce8faf0a50e3ee2e68a5f8412c63c6ff02209f696abf9ebc3e130b4f3916ec8f58e1c3655d6fdc50675d1eab2909089f021885ab440bba6d05ea7f609d7a4
SSDEEP:	12288:GWkE8HrebvPyMjBeIlWeR17RiQ2BPHzrl5UH:GZqzPyKBZWeR1v2BPHduH
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...U.................0............."*... ...@....@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Abnormal high CPU Usage	System Summary	Process Injection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
.NET source code contains methods with suspicious names	System Summary	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary	System Information Discovery
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order.exe.log
Category:	dropped
Dump:	Purchase Order.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Purchase Order.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Purchase Order.exe

"C:\Users\user\Desktop\Purchase Order.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6576
Target ID:	0
Parent PID:	2580
Name:	Purchase Order.exe
Path:	C:\Users\user\Desktop\Purchase Order.exe
Commandline:	"C:\Users\user\Desktop\Purchase Order.exe"
Size:	529920
MD5:	B9F9C9CAC777DCA7A78819914DA1BA15
Time:	16:34:01
Date:	04/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xf30000
Modulesize:	557056
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\Purchase Order.exe

"C:\Users\user\Desktop\Purchase Order.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7048
Target ID:	2
Parent PID:	6576
Name:	Purchase Order.exe
Path:	C:\Users\user\Desktop\Purchase Order.exe
Commandline:	"C:\Users\user\Desktop\Purchase Order.exe"
Size:	529920
MD5:	B9F9C9CAC777DCA7A78819914DA1BA15
Time:	16:34:08
Date:	04/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xe40000
Modulesize:	557056
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://www.fontbureau.com

unknown

http://www.fontbureau.com/designersG

unknown

http://www.fontbureau.com/designers/?

unknown

http://www.founder.com.cn/cn/bThe

unknown

http://us2.smtp.mailhostbox.com

unknown

http://www.fontbureau.com/designers?

unknown

http://www.tiro.com

unknown

http://checkip.dyndns.org

unknown

http://www.fontbureau.com/designers

unknown

http://www.goodfont.co.kr

unknown

http://www.carterandcone.coml

unknown

http://www.sajatypeworks.com

unknown

http://www.typography.netD

unknown

http://www.fontbureau.com/designers/cabarga.htmlN

unknown

http://www.founder.com.cn/cn/cThe

unknown

http://www.galapagosdesign.com/staff/dennis.htm

unknown

http://www.founder.com.cn/cn

unknown

http://www.fontbureau.com/designers/frere-user.html

unknown

http://checkip.dyndns.org/

132.226.247.73

http://checkip.dyndns.org/q

unknown

http://www.jiyu-kobo.co.jp/

unknown

https://scratchdreams.tk

unknown

http://reallyfreegeoip.org

unknown

http://www.galapagosdesign.com/DPlease

unknown

https://reallyfreegeoip.org

unknown

http://www.fontbureau.com/designers8

unknown

https://scratchdreams.tk/_send_.php?TS

104.21.27.85

http://www.fonts.com

unknown

http://www.sandoll.co.kr

unknown

http://checkip.dyndns.com

unknown

http://www.urwpp.deDPlease

unknown

http://www.zhongyicts.com.cn

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://www.sakkal.com

unknown

https://reallyfreegeoip.org/xml/102.129.152.231$

unknown

http://scratchdreams.tk

unknown

https://reallyfreegeoip.org/xml/102.129.152.231

104.21.67.152

https://reallyfreegeoip.org/xml/

unknown

There are 29 hidden URLs, click here to show them.

Domains

Name

Malicious

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

us2.smtp.mailhostbox.com

208.91.199.224

Details

Name:	us2.smtp.mailhostbox.com
IP:	208.91.199.224
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

reallyfreegeoip.org

104.21.67.152

Details

Name:	reallyfreegeoip.org
IP:	104.21.67.152
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

scratchdreams.tk

104.21.27.85

Details

Name:	scratchdreams.tk
IP:	104.21.27.85
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

checkip.dyndns.com

132.226.247.73

IPs

Domain

Country

Malicious

104.21.67.152

reallyfreegeoip.org

United States

Details

IP:	104.21.67.152
TargetID:	2
Current Path:	C:\Users\user\Desktop\Purchase Order.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

208.91.199.224

us2.smtp.mailhostbox.com

United States

Details

IP:	208.91.199.224
TargetID:	2
Current Path:	C:\Users\user\Desktop\Purchase Order.exe
Country:	United States
Countrycode:	USA
ASN number:	394695
ASN name:	PUBLIC-DOMAIN-REGISTRYUS
Private:	false
Domain:	us2.smtp.mailhostbox.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

104.21.27.85

scratchdreams.tk

United States

Details

IP:	104.21.27.85
TargetID:	2
Current Path:	C:\Users\user\Desktop\Purchase Order.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	scratchdreams.tk

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

132.226.247.73

checkip.dyndns.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Purchase Order_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

34A5000

trusted library allocation

page read and write

3201000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

447E000

trusted library allocation

page read and write

301E000

stack

page read and write

31FE000

stack

page read and write

32C2000

trusted library allocation

page read and write

18B0000

trusted library allocation

page read and write

33AA000

trusted library allocation

page read and write

7870000

heap

page read and write

42A1000

trusted library allocation

page read and write

14F0000

heap

page read and write

6E86000

trusted library allocation

page read and write

1474000

trusted library allocation

page read and write

346B000

trusted library allocation

page read and write

18A3000

trusted library allocation

page execute and read and write

1510000

heap

page read and write

6A67000

heap

page read and write

15F7000

trusted library allocation

page execute and read and write

428C000

trusted library allocation

page read and write

18D2000

trusted library allocation

page read and write

5A70000

trusted library allocation

page read and write

1688000

heap

page read and write

6E70000

trusted library allocation

page read and write

148D000

trusted library allocation

page execute and read and write

5BD3000

trusted library allocation

page read and write

5880000

trusted library allocation

page read and write

1473000

trusted library allocation

page execute and read and write

18AD000

trusted library allocation

page execute and read and write

A56C000

trusted library allocation

page read and write

32C4000

trusted library allocation

page read and write

57E0000

trusted library allocation

page read and write

94AE000

stack

page read and write

3343000

trusted library allocation

page read and write

176E000

stack

page read and write

1900000

trusted library allocation

page execute and read and write

58A0000

trusted library section

page readonly

7462000

trusted library allocation

page read and write

1917000

heap

page read and write

6F80000

trusted library allocation

page read and write

5850000

heap

page execute and read and write

1660000

trusted library allocation

page execute and read and write

6EC0000

trusted library allocation

page execute and read and write

9540000

trusted library allocation

page read and write

32FF000

trusted library allocation

page read and write

1460000

trusted library allocation

page read and write

5810000

heap

page read and write

56AD000

trusted library allocation

page read and write

15EA000

trusted library allocation

page execute and read and write

F5A000

stack

page read and write

1450000

heap

page read and write

5784000

trusted library allocation

page read and write

5680000

trusted library allocation

page read and write

5C10000

heap

page read and write

3470000

trusted library allocation

page read and write

6ED5000

trusted library allocation

page read and write

30E0000

heap

page read and write

169E000

heap

page read and write

6A49000

heap

page read and write

3454000

trusted library allocation

page read and write

7A90000

trusted library section

page read and write

32A1000

trusted library allocation

page read and write

6E90000

trusted library allocation

page execute and read and write

5B4E000

stack

page read and write

6E6E000

stack

page read and write

32F1000

trusted library allocation

page read and write

333F000

trusted library allocation

page read and write

579E000

trusted library allocation

page read and write

1469000

heap

page read and write

13BA000

heap

page read and write

338E000

trusted library allocation

page read and write

5DA0000

trusted library allocation

page read and write

7850000

heap

page read and write

148A000

heap

page read and write

1515000

heap

page read and write

4345000

trusted library allocation

page read and write

5C00000

heap

page read and write

FD0000

heap

page read and write

15E6000

trusted library allocation

page execute and read and write

926E000

stack

page read and write

16B6000

heap

page read and write

4201000

trusted library allocation

page read and write

68AE000

stack

page read and write

334F000

trusted library allocation

page read and write

58D0000

heap

page read and write

400000

remote allocation

page execute and read and write

42F7000

trusted library allocation

page read and write

1470000

trusted library allocation

page read and write

3280000

trusted library allocation

page read and write

5830000

trusted library allocation

page read and write

33BC000

trusted library allocation

page read and write

1610000

trusted library allocation

page read and write

30E0000

trusted library allocation

page read and write

94B0000

trusted library allocation

page execute and read and write

125A000

stack

page read and write

953E000

trusted library allocation

page read and write

18DB000

trusted library allocation

page execute and read and write

68EE000

stack

page read and write

151E000

stack

page read and write

5800000

heap

page read and write

5820000

heap

page read and write

1910000

heap

page read and write

3357000

trusted library allocation

page read and write

18CA000

trusted library allocation

page execute and read and write

798E000

stack

page read and write

4267000

trusted library allocation

page read and write

5840000

trusted library allocation

page execute and read and write

57B2000

trusted library allocation

page read and write

6ED0000

trusted library allocation

page read and write

33AD000

trusted library allocation

page read and write

18C6000

trusted library allocation

page execute and read and write

14B0000

heap

page read and write

5803000

heap

page read and write

6F90000

trusted library allocation

page read and write

6F46000

trusted library allocation

page read and write

42A9000

trusted library allocation

page read and write

6E7E000

trusted library allocation

page read and write

1680000

heap

page read and write

6CAE000

stack

page read and write

344D000

trusted library allocation

page read and write

FB4000

unkown

page readonly

69F0000

heap

page read and write

5C60000

heap

page read and write

6B6F000

stack

page read and write

14DF000

stack

page read and write

333B000

trusted library allocation

page read and write

F32000

unkown

page readonly

57A1000

trusted library allocation

page read and write

F30000

unkown

page readonly

18BD000

trusted library allocation

page execute and read and write

33E7000

trusted library allocation

page read and write

3365000

trusted library allocation

page read and write

AA9E000

stack

page read and write

7A8E000

stack

page read and write

172F000

stack

page read and write

56A1000

trusted library allocation

page read and write

30C0000

trusted library allocation

page read and write

7AC0000

trusted library allocation

page read and write

3270000

trusted library allocation

page read and write

1490000

heap

page read and write

6E80000

trusted library allocation

page read and write

30D0000

trusted library allocation

page read and write

3353000

trusted library allocation

page read and write

6F70000

trusted library allocation

page read and write

13F4000

heap

page read and write

32B2000

trusted library allocation

page read and write

56D0000

heap

page execute and read and write

67AE000

stack

page read and write

3373000

trusted library allocation

page read and write

140E000

stack

page read and write

1476000

heap

page read and write

1495000

heap

page read and write

1410000

heap

page read and write

52DE000

stack

page read and write

69EE000

stack

page read and write

3290000

heap

page execute and read and write

6D6E000

stack

page read and write

3467000

trusted library allocation

page read and write

312E000

stack

page read and write

94C0000

trusted library section

page read and write

6FA0000

trusted library allocation

page execute and read and write

78A1000

heap

page read and write

15F0000

trusted library allocation

page read and write

32DD000

trusted library allocation

page read and write

326B000

stack

page read and write

1670000

heap

page execute and read and write

523D000

stack

page read and write

349F000

trusted library allocation

page read and write

7899000

heap

page read and write

18D0000

trusted library allocation

page read and write

6FF0000

trusted library allocation

page execute and read and write

56E0000

trusted library allocation

page read and write

1357000

stack

page read and write

6A57000

heap

page read and write

33CA000

trusted library allocation

page read and write

6ED2000

trusted library allocation

page read and write

57A6000

trusted library allocation

page read and write

6F87000

trusted library allocation

page read and write

4282000

trusted library allocation

page read and write

5BD0000

trusted library allocation

page read and write

155E000

stack

page read and write

1480000

trusted library allocation

page read and write

162E000

stack

page read and write

3303000

trusted library allocation

page read and write

5C4F000

unkown

page read and write

5686000

trusted library allocation

page read and write

57AD000

trusted library allocation

page read and write

52E9000

trusted library allocation

page read and write

345D000

trusted library allocation

page read and write

3285000

trusted library allocation

page read and write

9530000

trusted library allocation

page read and write

349A000

trusted library allocation

page read and write

7AB0000

trusted library allocation

page execute and read and write

15F5000

trusted library allocation

page execute and read and write

15FB000

trusted library allocation

page execute and read and write

14D0000

heap

page read and write

6BAE000

stack

page read and write

912E000

stack

page read and write

186F000

stack

page read and write

18A0000

trusted library allocation

page read and write

3301000

trusted library allocation

page read and write

74D0000

heap

page read and write

5860000

trusted library allocation

page execute and read and write

147D000

trusted library allocation

page execute and read and write

7AA0000

trusted library section

page read and write

30D4000

trusted library allocation

page read and write

3449000

trusted library allocation

page read and write

A85F000

stack

page read and write

5C4E000

heap

page read and write

18C2000

trusted library allocation

page read and write

A89E000

stack

page read and write

5A80000

heap

page read and write

FC0000

heap

page read and write

6EA0000

trusted library allocation

page read and write

58C0000

heap

page read and write

32FB000

trusted library allocation

page read and write

93AE000

stack

page read and write

5310000

trusted library allocation

page read and write

936F000

stack

page read and write

1440000

heap

page read and write

16A9000

heap

page read and write

332A000

trusted library allocation

page read and write

6B2D000

stack

page read and write

1741000

heap

page read and write

15E2000

trusted library allocation

page read and write

18D7000

trusted library allocation

page execute and read and write

6FB0000

trusted library allocation

page read and write

6E8B000

trusted library allocation

page read and write

57C0000

trusted library allocation

page read and write

18F0000

trusted library allocation

page read and write

4229000

trusted library allocation

page read and write

5300000

trusted library allocation

page execute and read and write

58D3000

heap

page read and write

30C0000

trusted library allocation

page read and write

42A0000

trusted library allocation

page read and write

5C05000

heap

page read and write

3347000

trusted library allocation

page read and write

5832000

trusted library allocation

page read and write

6EB4000

trusted library allocation

page read and write

15E0000

trusted library allocation

page read and write

56B2000

trusted library allocation

page read and write

13E7000

heap

page read and write

56A6000

trusted library allocation

page read and write

12F7000

stack

page read and write

13BE000

heap

page read and write

3313000

trusted library allocation

page read and write

32E2000

trusted library allocation

page read and write

165E000

stack

page read and write

6E88000

trusted library allocation

page read and write

5C20000

heap

page read and write

30F0000

heap

page read and write

176A000

heap

page read and write

574D000

stack

page read and write

18A4000

trusted library allocation

page read and write

5DB0000

trusted library allocation

page execute and read and write

330C000

trusted library allocation

page read and write

15F2000

trusted library allocation

page read and write

7440000

trusted library allocation

page read and write

568E000

trusted library allocation

page read and write

533E000

stack

page read and write

18B3000

trusted library allocation

page read and write

334B000

trusted library allocation

page read and write

5ACC000

stack

page read and write

18C0000

trusted library allocation

page read and write

30D0000

trusted library allocation

page read and write

568B000

trusted library allocation

page read and write

428F000

trusted library allocation

page read and write

543C000

stack

page read and write

6FE0000

heap

page read and write

3493000

trusted library allocation

page read and write

13F2000

heap

page read and write

1890000

trusted library allocation

page read and write

32AA000

trusted library allocation

page read and write

52E0000

trusted library allocation

page read and write

16F8000

heap

page read and write

5D90000

heap

page read and write

3380000

trusted library allocation

page read and write

5780000

trusted library allocation

page read and write

569A000

trusted library allocation

page read and write

569E000

trusted library allocation

page read and write

58B0000

heap

page read and write

6EE0000

trusted library allocation

page read and write

3337000

trusted library allocation

page read and write

922F000

stack

page read and write

13B0000

heap

page read and write

322F000

stack

page read and write

5BCE000

stack

page read and write

4393000

trusted library allocation

page read and write

14C0000

heap

page read and write

There are 279 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Purchase Order.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportPurchase Order.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Purchase Order.exe