Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

invoice & packing list.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.963304670236745
Filename:	invoice & packing list.exe
Filesize:	677888
MD5:	e9de39ce29b4e19d9487d6517f5fe390
SHA1:	aa9300231e426c9d0cbffe0bcf36f047235e79a6
SHA256:	24390949599e57a802ea820e402befca0610937e51e19a4db8228235d0017a58
SHA512:	bf67fd485900c9279b9d6be034c4f98c8b2ea711e32dc86821b83d5be17612a0bb326206a6695852228fbbd7cdb72e4c5f152108454f63ea53c9b3669ff0c849
SSDEEP:	12288:GORgtsY15YRNYpMIhka5EzcCWee290ki+lMkmn4HA3eKzm1asfD:6P5S4MIXeeUn1mkmnqQeKzmwsfD
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....J f.................4..."......NS... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoice & packing list.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoice & packing list.exe.log
Category:	dropped
Dump:	invoice & packing list.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\invoice & packing list.exe
Type:	CSV text
Entropy:	5.342567089024067
Encrypted:	false
Ssdeep:	48:MxHKlYHKh3ouHgJHreylEHMHKo/tHo6hAHKzeRHKx1qHKHxvj:iqlYqh3ou0aymsqwtI6eqzqqxwqRb
Size:	2056
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\invoice & packing list.exe

"C:\Users\user\Desktop\invoice & packing list.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6616
Target ID:	0
Parent PID:	2580
Name:	invoice & packing list.exe
Path:	C:\Users\user\Desktop\invoice & packing list.exe
Commandline:	"C:\Users\user\Desktop\invoice & packing list.exe"
Size:	677888
MD5:	E9DE39CE29B4E19D9487D6517F5FE390
Time:	02:20:51
Date:	18/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x2e0000
Modulesize:	696320
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\invoice & packing list.exe

"C:\Users\user\Desktop\invoice & packing list.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6324
Target ID:	2
Parent PID:	6616
Name:	invoice & packing list.exe
Path:	C:\Users\user\Desktop\invoice & packing list.exe
Commandline:	"C:\Users\user\Desktop\invoice & packing list.exe"
Size:	677888
MD5:	E9DE39CE29B4E19D9487D6517F5FE390
Time:	02:20:55
Date:	18/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xa60000
Modulesize:	696320
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://api.ipify.org/

172.67.74.152

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://www.fontbureau.com

unknown

http://www.fontbureau.com/designersG

unknown

http://www.fontbureau.com/designers/?

unknown

http://www.founder.com.cn/cn/bThe

unknown

https://account.dyn.com/

unknown

http://www.fontbureau.com/designers?

unknown

http://www.tiro.com

unknown

http://www.fontbureau.com/designers

unknown

http://www.goodfont.co.kr

unknown

https://api.ipify.org/t

unknown

http://www.carterandcone.coml

unknown

http://r3.i.lencr.org/0

unknown

http://www.sajatypeworks.com

unknown

http://www.typography.netD

unknown

http://www.fontbureau.com/designers/cabarga.htmlN

unknown

http://www.founder.com.cn/cn/cThe

unknown

http://www.galapagosdesign.com/staff/dennis.htm

unknown

https://api.ipify.org

unknown

http://www.founder.com.cn/cn

unknown

http://www.fontbureau.com/designers/frere-user.html

unknown

http://x1.c.lencr.org/0

unknown

http://x1.i.lencr.org/0

unknown

http://www.jiyu-kobo.co.jp/

unknown

http://r3.o.lencr.org0

unknown

http://www.galapagosdesign.com/DPlease

unknown

http://www.fontbureau.com/designers8

unknown

http://www.fonts.com

unknown

http://www.sandoll.co.kr

unknown

http://mail.techwiser.in

unknown

http://www.urwpp.deDPlease

unknown

http://www.zhongyicts.com.cn

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://www.sakkal.com

unknown

There are 25 hidden URLs, click here to show them.

Domains

Name

Malicious

api.ipify.org

172.67.74.152

Details

Name:	api.ipify.org
IP:	172.67.74.152
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

mail.techwiser.in

162.241.123.30

Details

Name:	mail.techwiser.in
IP:	162.241.123.30
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

162.241.123.30

mail.techwiser.in

United States

Details

IP:	162.241.123.30
TargetID:	2
Current Path:	C:\Users\user\Desktop\invoice & packing list.exe
Country:	United States
Countrycode:	USA
ASN number:	46606
ASN name:	UNIFIEDLAYER-AS-1US
Private:	false
Domain:	mail.techwiser.in

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

172.67.74.152

api.ipify.org

United States

Details

IP:	172.67.74.152
TargetID:	2
Current Path:	C:\Users\user\Desktop\invoice & packing list.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\invoice & packing list_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\invoice & packing list_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\invoice & packing list_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\invoice & packing list_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\invoice & packing list_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\invoice & packing list_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\invoice & packing list_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\invoice & packing list_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\invoice & packing list_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\invoice & packing list_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\invoice & packing list_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\invoice & packing list_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\invoice & packing list_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\invoice & packing list_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2CB7000

trusted library allocation

page read and write

2C91000

trusted library allocation

page read and write

36B3000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

940000

heap

page read and write

4D3F000

heap

page read and write

6F70000

trusted library section

page read and write

4D81000

heap

page read and write

4FF1000

trusted library allocation

page read and write

1070000

trusted library allocation

page read and write

B40000

trusted library allocation

page read and write

6AB0000

heap

page read and write

10B0000

trusted library allocation

page read and write

10B2000

trusted library allocation

page read and write

3F3B000

trusted library allocation

page read and write

808000

heap

page read and write

10A2000

trusted library allocation

page read and write

2520000

heap

page read and write

2C3E000

stack

page read and write

109D000

trusted library allocation

page execute and read and write

99AE000

stack

page read and write

7E0000

heap

page read and write

7EE000

heap

page read and write

8CE000

heap

page read and write

EF9000

stack

page read and write

B77000

trusted library allocation

page execute and read and write

56DC000

stack

page read and write

823000

heap

page read and write

B66000

trusted library allocation

page execute and read and write

51AC000

stack

page read and write

5002000

trusted library allocation

page read and write

6A5D000

trusted library allocation

page read and write

85A000

heap

page read and write

52A6000

trusted library allocation

page read and write

4FFD000

trusted library allocation

page read and write

73DE000

stack

page read and write

2CD6000

trusted library allocation

page read and write

24E0000

trusted library allocation

page execute and read and write

10A6000

trusted library allocation

page execute and read and write

4FD0000

trusted library allocation

page read and write

6FB0000

trusted library allocation

page execute and read and write

14B7000

heap

page read and write

52CD000

trusted library allocation

page read and write

B4D000

trusted library allocation

page execute and read and write

2E2000

unkown

page readonly

1157000

heap

page read and write

5000000

trusted library allocation

page read and write

9BED000

stack

page read and write

52EE000

stack

page read and write

3672000

trusted library allocation

page read and write

50C0000

heap

page read and write

3C41000

trusted library allocation

page read and write

4D57000

heap

page read and write

6A60000

trusted library allocation

page read and write

780000

heap

page read and write

1025000

heap

page read and write

1155000

heap

page read and write

B60000

trusted library allocation

page read and write

5440000

heap

page read and write

2510000

trusted library allocation

page read and write

51B0000

trusted library allocation

page execute and read and write

6BC0000

trusted library allocation

page read and write

11BD000

heap

page read and write

B56000

trusted library allocation

page read and write

9AAE000

stack

page read and write

10E0000

trusted library allocation

page execute and read and write

5020000

trusted library allocation

page read and write

4CF0000

heap

page read and write

821000

heap

page read and write

B30000

trusted library allocation

page read and write

3C69000

trusted library allocation

page read and write

790000

heap

page read and write

647D000

stack

page read and write

28C6000

trusted library allocation

page read and write

1080000

trusted library allocation

page read and write

89B000

heap

page read and write

5330000

heap

page read and write

6F80000

heap

page read and write

6F30000

trusted library allocation

page read and write

2630000

heap

page execute and read and write

6AC0000

trusted library allocation

page execute and read and write

5035000

trusted library allocation

page read and write

633D000

stack

page read and write

67FD000

stack

page read and write

6800000

heap

page read and write

262E000

stack

page read and write

B72000

trusted library allocation

page read and write

1020000

heap

page read and write

6F70000

heap

page read and write

46AE000

stack

page read and write

5453000

heap

page read and write

B5D000

trusted library allocation

page execute and read and write

9BF0000

heap

page read and write

26AA000

trusted library allocation

page read and write

5470000

heap

page read and write

6A40000

trusted library allocation

page read and write

5010000

trusted library allocation

page read and write

4B74000

heap

page read and write

B80000

heap

page read and write

4FDB000

trusted library allocation

page read and write

4D3B000

heap

page read and write

B58000

trusted library allocation

page read and write

4C48000

trusted library allocation

page read and write

B62000

trusted library allocation

page read and write

66BE000

stack

page read and write

1198000

heap

page read and write

9E2E000

stack

page read and write

6A3F000

stack

page read and write

643E000

stack

page read and write

51E0000

heap

page read and write

4665000

trusted library allocation

page read and write

B75000

trusted library allocation

page execute and read and write

689A000

heap

page read and write

2C8D000

trusted library allocation

page read and write

2CCE000

trusted library allocation

page read and write

52D2000

trusted library allocation

page read and write

4660000

trusted library allocation

page read and write

9AED000

stack

page read and write

657E000

stack

page read and write

2C76000

trusted library allocation

page read and write

2B3E000

stack

page read and write

B43000

trusted library allocation

page execute and read and write

4B70000

heap

page read and write

4D29000

heap

page read and write

1128000

heap

page read and write

4FD4000

trusted library allocation

page read and write

4D5B000

heap

page read and write

B87000

heap

page read and write

4B6B000

trusted library allocation

page read and write

4026000

trusted library allocation

page read and write

47DB000

stack

page read and write

4F2F000

stack

page read and write

5030000

trusted library allocation

page read and write

CBF000

stack

page read and write

52AB000

trusted library allocation

page read and write

4FEE000

trusted library allocation

page read and write

10A0000

trusted library allocation

page read and write

2AF0000

heap

page execute and read and write

9D2D000

stack

page read and write

639000

stack

page read and write

2C41000

trusted library allocation

page read and write

7EE20000

trusted library allocation

page execute and read and write

6F90000

trusted library allocation

page execute and read and write

6845000

heap

page read and write

4D1C000

stack

page read and write

6BB0000

trusted library allocation

page read and write

2AD0000

trusted library allocation

page read and write

114B000

heap

page read and write

26AD000

trusted library allocation

page read and write

1100000

trusted library allocation

page read and write

9E6D000

stack

page read and write

52BE000

trusted library allocation

page read and write

1030000

heap

page read and write

50A0000

trusted library section

page readonly

2AE0000

trusted library allocation

page read and write

571E000

stack

page read and write

816000

heap

page read and write

364D000

trusted library allocation

page read and write

4FF6000

trusted library allocation

page read and write

4DAE000

heap

page read and write

6FFE000

stack

page read and write

3EED000

trusted library allocation

page read and write

B1F000

stack

page read and write

10D0000

trusted library allocation

page read and write

4B60000

trusted library allocation

page read and write

B7B000

trusted library allocation

page execute and read and write

5300000

heap

page read and write

6AD0000

trusted library allocation

page execute and read and write

10BB000

trusted library allocation

page execute and read and write

5040000

trusted library allocation

page read and write

6BC7000

trusted library allocation

page read and write

688C000

heap

page read and write

7DE000

stack

page read and write

10AA000

trusted library allocation

page execute and read and write

599E000

stack

page read and write

F00000

heap

page read and write

51C0000

trusted library allocation

page read and write

10B5000

trusted library allocation

page execute and read and write

1084000

trusted library allocation

page read and write

52B2000

trusted library allocation

page read and write

7FB80000

trusted library allocation

page execute and read and write

B50000

trusted library allocation

page read and write

B6A000

trusted library allocation

page execute and read and write

3CAA000

trusted library allocation

page read and write

6F60000

trusted library section

page read and write

1090000

trusted library allocation

page read and write

6F90000

trusted library allocation

page read and write

B70000

trusted library allocation

page read and write

B9A000

stack

page read and write

108D000

trusted library allocation

page execute and read and write

3649000

trusted library allocation

page read and write

52A0000

trusted library allocation

page read and write

52E0000

trusted library allocation

page read and write

4650000

trusted library allocation

page execute and read and write

5576000

trusted library allocation

page read and write

4CE0000

heap

page read and write

9F6E000

stack

page read and write

6A67000

trusted library allocation

page read and write

51E5000

heap

page read and write

52BA000

trusted library allocation

page read and write

5320000

heap

page execute and read and write

6A48000

trusted library allocation

page read and write

10F0000

heap

page read and write

70FE000

stack

page read and write

10B7000

trusted library allocation

page execute and read and write

4E1E000

stack

page read and write

6B6E000

stack

page read and write

52AE000

trusted library allocation

page read and write

1120000

heap

page read and write

5450000

heap

page read and write

52C6000

trusted library allocation

page read and write

3641000

trusted library allocation

page read and write

693E000

stack

page read and write

581E000

stack

page read and write

5080000

trusted library allocation

page read and write

2500000

heap

page execute and read and write

65BE000

stack

page read and write

24F0000

trusted library allocation

page read and write

11FE000

heap

page read and write

24DB000

stack

page read and write

66FE000

stack

page read and write

6FA0000

trusted library allocation

page read and write

736000

stack

page read and write

6F30000

trusted library section

page read and write

11AC000

heap

page read and write

547E000

heap

page read and write

1191000

heap

page read and write

266D000

trusted library allocation

page read and write

7E8000

heap

page read and write

55DC000

stack

page read and write

BB0000

heap

page read and write

4D31000

heap

page read and write

5570000

trusted library allocation

page read and write

A7A8000

trusted library allocation

page read and write

B44000

trusted library allocation

page read and write

4F30000

trusted library section

page read and write

986E000

stack

page read and write

6F80000

trusted library allocation

page read and write

5070000

trusted library allocation

page read and write

6B30000

trusted library allocation

page read and write

6B52000

trusted library allocation

page read and write

2E0000

unkown

page readonly

5050000

trusted library allocation

page execute and read and write

52C1000

trusted library allocation

page read and write

91E000

stack

page read and write

6A50000

trusted library allocation

page read and write

6AAD000

stack

page read and write

2641000

trusted library allocation

page read and write

5060000

heap

page read and write

BA0000

trusted library allocation

page read and write

52F0000

heap

page read and write

996F000

stack

page read and write

2C7F000

trusted library allocation

page read and write

585E000

stack

page read and write

249E000

stack

page read and write

6F40000

trusted library allocation

page read and write

11F2000

heap

page read and write

3E9F000

trusted library allocation

page read and write

595F000

stack

page read and write

14B0000

heap

page read and write

400000

remote allocation

page execute and read and write

AD10000

trusted library section

page read and write

4E2E000

stack

page read and write

1110000

heap

page read and write

50B0000

heap

page read and write

1083000

trusted library allocation

page execute and read and write

60BE000

stack

page read and write

There are 257 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
invoice & packing list.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportinvoice & packing list.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
invoice & packing list.exe