Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Docs.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.885360040283727
Filename:	Docs.exe
Filesize:	765952
MD5:	28da32c1cf8ead709f4888f84a697c28
SHA1:	45122f3c46fb3400cc6710a830a259da54b07298
SHA256:	c10f8bc18521b4c90063ae5fc1e0e95e40ed35be3758d90f597d7cc1e3853ade
SHA512:	6d67f361a2f126e35f31e0ff5298bed2ee36e0262a8d71ec5254277c2ed122d9769bb7cc168d00b47616fd381f625a1a6542854c84d9c7cc184c607312fdef13
SSDEEP:	12288:90K/pbM4nsSz3ITyeYmaNKiz4xrreLpSYHK6rPILRwwAF9:90iM4nuTyVXNDz4xIYGK2Wg9
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\|. f..............0..p...0......Z.... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation Security Software Discovery
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Docs.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Docs.exe.log
Category:	dropped
Dump:	Docs.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Docs.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Docs.exe

"C:\Users\user\Desktop\Docs.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7388
Target ID:	0
Parent PID:	2580
Name:	Docs.exe
Path:	C:\Users\user\Desktop\Docs.exe
Commandline:	"C:\Users\user\Desktop\Docs.exe"
Size:	765952
MD5:	28DA32C1CF8EAD709F4888F84A697C28
Time:	11:09:15
Date:	26/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x680000
Modulesize:	778240
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\Docs.exe

"C:\Users\user\Desktop\Docs.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7576
Target ID:	2
Parent PID:	7388
Name:	Docs.exe
Path:	C:\Users\user\Desktop\Docs.exe
Commandline:	"C:\Users\user\Desktop\Docs.exe"
Size:	765952
MD5:	28DA32C1CF8EAD709F4888F84A697C28
Time:	11:09:19
Date:	26/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xf10000
Modulesize:	778240
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://api.ipify.org/

172.67.74.152

http://mail.alkuwaiti.com

unknown

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://www.fontbureau.com

unknown

http://www.fontbureau.com/designersG

unknown

http://www.ctvnews.ca/rss/business/ctv-news-business-headlines-1.867648

unknown

http://www.fontbureau.com/designers/?

unknown

http://www.founder.com.cn/cn/bThe

unknown

https://account.dyn.com/

unknown

http://www.fontbureau.com/designers?

unknown

http://www.tiro.com

unknown

http://www.fontbureau.com/designers

unknown

http://www.goodfont.co.kr

unknown

https://api.ipify.org/t

unknown

http://www.carterandcone.coml

unknown

http://r3.i.lencr.org/0

unknown

http://www.sajatypeworks.com

unknown

http://www.typography.netD

unknown

http://www.fontbureau.com/designers/cabarga.htmlN

unknown

http://www.founder.com.cn/cn/cThe

unknown

http://www.galapagosdesign.com/staff/dennis.htm

unknown

https://api.ipify.org

unknown

http://www.founder.com.cn/cn

unknown

http://www.fontbureau.com/designers/frere-user.html

unknown

http://www.ctvnews.ca/rss/ctvnews-ca-top-stories-public-rss-1.822009

unknown

http://xml.weather.yahoo.com/ns/rss/1.0

unknown

http://x1.c.lencr.org/0

unknown

http://x1.i.lencr.org/0

unknown

http://www.jiyu-kobo.co.jp/

unknown

http://weather.yahooapis.com/forecastrss?w=4118

unknown

http://r3.o.lencr.org0

unknown

http://www.galapagosdesign.com/DPlease

unknown

http://www.fontbureau.com/designers8

unknown

http://www.fonts.com

unknown

http://www.sandoll.co.kr

unknown

http://www.urwpp.deDPlease

unknown

http://www.zhongyicts.com.cn

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://www.sakkal.com

unknown

There are 29 hidden URLs, click here to show them.

Domains

Name

Malicious

mail.alkuwaiti.com

50.87.219.149

Details

Name:	mail.alkuwaiti.com
IP:	50.87.219.149
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

172.67.74.152

Details

Name:	api.ipify.org
IP:	172.67.74.152
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

50.87.219.149

mail.alkuwaiti.com

United States

Details

IP:	50.87.219.149
TargetID:	2
Current Path:	C:\Users\user\Desktop\Docs.exe
Country:	United States
Countrycode:	USA
ASN number:	46606
ASN name:	UNIFIEDLAYER-AS-1US
Private:	false
Domain:	mail.alkuwaiti.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

172.67.74.152

api.ipify.org

United States

Details

IP:	172.67.74.152
TargetID:	2
Current Path:	C:\Users\user\Desktop\Docs.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Docs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Docs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Docs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Docs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Docs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Docs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Docs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Docs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Docs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Docs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Docs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Docs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Docs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Docs_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

48A3000

trusted library allocation

page read and write

3461000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

348B000

trusted library allocation

page read and write

1070000

trusted library allocation

page execute and read and write

17B7000

heap

page read and write

D26D000

stack

page read and write

6DAE000

stack

page read and write

DF0000

trusted library allocation

page read and write

57D1000

trusted library allocation

page read and write

C75000

heap

page read and write

1773000

trusted library allocation

page execute and read and write

5B19000

heap

page read and write

2B61000

trusted library allocation

page read and write

4FC0000

trusted library allocation

page execute and read and write

10A7000

heap

page read and write

4453000

trusted library allocation

page read and write

7090000

trusted library allocation

page read and write

6C22000

trusted library allocation

page read and write

2A7E000

stack

page read and write

2AA0000

trusted library allocation

page read and write

1458000

heap

page read and write

2AB0000

heap

page read and write

5B10000

heap

page read and write

C4E000

stack

page read and write

6F90000

trusted library allocation

page read and write

1430000

heap

page read and write

79DE000

stack

page read and write

680000

unkown

page readonly

726E000

stack

page read and write

1790000

trusted library allocation

page read and write

1780000

trusted library allocation

page read and write

7CA000

stack

page read and write

2AF2000

trusted library allocation

page read and write

17A2000

trusted library allocation

page read and write

72AE000

stack

page read and write

53B0000

heap

page read and write

5B3E000

heap

page read and write

5D4E000

stack

page read and write

6EFF000

stack

page read and write

57CE000

trusted library allocation

page read and write

6F37000

trusted library allocation

page read and write

2E6C000

trusted library allocation

page read and write

5270000

trusted library allocation

page execute and read and write

4FB9000

trusted library allocation

page read and write

146E000

heap

page read and write

4FD0000

trusted library allocation

page read and write

5540000

trusted library section

page read and write

77E0000

heap

page read and write

5010000

trusted library allocation

page execute and read and write

2C65000

trusted library allocation

page read and write

4FB0000

trusted library allocation

page read and write

51D0000

heap

page read and write

57B0000

trusted library allocation

page read and write

6F7E000

stack

page read and write

288E000

stack

page read and write

3487000

trusted library allocation

page read and write

4439000

trusted library allocation

page read and write

6F18000

trusted library allocation

page read and write

E98000

heap

page read and write

73AF000

stack

page read and write

54C0000

trusted library section

page read and write

6B6E000

stack

page read and write

1486000

heap

page read and write

D5ED000

stack

page read and write

345D000

trusted library allocation

page read and write

5770000

trusted library allocation

page read and write

700E000

heap

page read and write

5840000

heap

page read and write

2970000

heap

page read and write

5750000

heap

page read and write

1358000

stack

page read and write

74EF000

stack

page read and write

3240000

trusted library allocation

page read and write

57A0000

heap

page execute and read and write

68EE000

stack

page read and write

E78000

heap

page read and write

E00000

trusted library allocation

page read and write

3B61000

trusted library allocation

page read and write

4FB2000

trusted library allocation

page read and write

447D000

trusted library allocation

page read and write

6A2E000

stack

page read and write

9EF0000

trusted library allocation

page read and write

57C2000

trusted library allocation

page read and write

6B70000

heap

page read and write

6FA0000

trusted library allocation

page execute and read and write

E20000

trusted library allocation

page read and write

E10000

trusted library allocation

page read and write

EA4000

heap

page read and write

7097000

trusted library allocation

page read and write

E3B000

trusted library allocation

page execute and read and write

296B000

stack

page read and write

2AF0000

trusted library allocation

page read and write

3268000

trusted library allocation

page read and write

6F20000

trusted library allocation

page read and write

1770000

trusted library allocation

page read and write

5843000

heap

page read and write

E04000

trusted library allocation

page read and write

77DE000

stack

page read and write

6F2D000

trusted library allocation

page read and write

3244000

trusted library allocation

page read and write

3446000

trusted library allocation

page read and write

7000000

heap

page read and write

17F0000

trusted library allocation

page read and write

6DB0000

heap

page read and write

552E000

stack

page read and write

7FAA0000

trusted library allocation

page execute and read and write

400000

remote allocation

page execute and read and write

1810000

heap

page read and write

1760000

trusted library allocation

page read and write

2AB3000

heap

page read and write

73EE000

stack

page read and write

D7E000

stack

page read and write

17AB000

trusted library allocation

page execute and read and write

17A7000

trusted library allocation

page execute and read and write

E03000

trusted library allocation

page execute and read and write

E70000

heap

page read and write

5CCE000

stack

page read and write

2A95000

trusted library allocation

page read and write

178D000

trusted library allocation

page execute and read and write

485F000

trusted library allocation

page read and write

179A000

trusted library allocation

page execute and read and write

7400000

trusted library allocation

page read and write

10A0000

heap

page read and write

2AE6000

trusted library allocation

page read and write

77F1000

heap

page read and write

6F30000

trusted library allocation

page read and write

33FD000

stack

page read and write

7440000

heap

page read and write

57E2000

trusted library allocation

page read and write

6BBF000

heap

page read and write

5B50000

heap

page read and write

A1B0000

trusted library section

page read and write

7FDF0000

trusted library allocation

page execute and read and write

5030000

trusted library section

page readonly

2C61000

trusted library allocation

page read and write

2B10000

trusted library allocation

page read and write

E0D000

trusted library allocation

page execute and read and write

43B7000

trusted library allocation

page read and write

AF7000

stack

page read and write

2A80000

trusted library allocation

page read and write

14B7000

heap

page read and write

1792000

trusted library allocation

page read and write

1435000

heap

page read and write

5260000

trusted library allocation

page read and write

125A000

stack

page read and write

17E0000

trusted library allocation

page execute and read and write

7590000

trusted library allocation

page read and write

57BB000

trusted library allocation

page read and write

75D0000

trusted library allocation

page execute and read and write

1080000

trusted library allocation

page read and write

57BE000

trusted library allocation

page read and write

1450000

heap

page read and write

5000000

trusted library allocation

page read and write

17A0000

trusted library allocation

page read and write

3250000

heap

page read and write

4405000

trusted library allocation

page read and write

31FF000

stack

page read and write

E60000

heap

page read and write

5D0D000

stack

page read and write

2DC4000

trusted library allocation

page read and write

4FBD000

trusted library allocation

page read and write

7080000

trusted library allocation

page execute and read and write

5230000

heap

page read and write

2AE1000

trusted library allocation

page read and write

3400000

heap

page execute and read and write

E50000

trusted library allocation

page read and write

152A000

heap

page read and write

752E000

stack

page read and write

C00000

heap

page read and write

6F80000

heap

page read and write

2AED000

trusted library allocation

page read and write

D6EE000

stack

page read and write

6DFE000

stack

page read and write

65AE000

stack

page read and write

5BCE000

stack

page read and write

453E000

trusted library allocation

page read and write

30FE000

stack

page read and write

4FF0000

trusted library allocation

page read and write

4411000

trusted library allocation

page read and write

67ED000

stack

page read and write

54BD000

stack

page read and write

5B00000

heap

page read and write

E7E000

heap

page read and write

75F5000

trusted library allocation

page read and write

106F000

stack

page read and write

344F000

trusted library allocation

page read and write

2ADE000

trusted library allocation

page read and write

D36D000

stack

page read and write

E22000

trusted library allocation

page read and write

57CA000

trusted library allocation

page read and write

73A000

unkown

page readonly

177D000

trusted library allocation

page execute and read and write

D5AE000

stack

page read and write

64AE000

stack

page read and write

34A1000

trusted library allocation

page read and write

75F0000

trusted library allocation

page read and write

5240000

trusted library allocation

page read and write

4FA0000

heap

page read and write

2898000

trusted library allocation

page read and write

13B0000

heap

page read and write

54E5000

heap

page read and write

3411000

trusted library allocation

page read and write

1483000

heap

page read and write

682000

unkown

page readonly

522C000

stack

page read and write

703E000

stack

page read and write

C70000

heap

page read and write

17A5000

trusted library allocation

page execute and read and write

323C000

stack

page read and write

1796000

trusted library allocation

page execute and read and write

E13000

trusted library allocation

page read and write

B20000

heap

page read and write

D4AD000

stack

page read and write

17D0000

trusted library allocation

page read and write

E37000

trusted library allocation

page execute and read and write

758E000

stack

page read and write

692D000

stack

page read and write

7540000

trusted library allocation

page read and write

17B0000

heap

page read and write

7530000

trusted library allocation

page execute and read and write

E2A000

trusted library allocation

page execute and read and write

57D6000

trusted library allocation

page read and write

57B6000

trusted library allocation

page read and write

DBE000

stack

page read and write

6F10000

trusted library allocation

page read and write

6B86000

heap

page read and write

7410000

trusted library allocation

page read and write

3489000

trusted library allocation

page read and write

EB2000

heap

page read and write

1800000

trusted library allocation

page read and write

582C000

stack

page read and write

E26000

trusted library allocation

page execute and read and write

6CAE000

stack

page read and write

5B8C000

stack

page read and write

4C5C000

stack

page read and write

DC0000

heap

page read and write

2AC0000

trusted library allocation

page read and write

D370000

heap

page read and write

6BFD000

heap

page read and write

1400000

heap

page read and write

1774000

trusted library allocation

page read and write

7450000

trusted library allocation

page execute and read and write

57DD000

trusted library allocation

page read and write

14F4000

heap

page read and write

1090000

trusted library allocation

page read and write

6A6D000

stack

page read and write

51E0000

heap

page execute and read and write

3B69000

trusted library allocation

page read and write

5530000

trusted library section

page read and write

7610000

heap

page read and write

75F7000

trusted library allocation

page read and write

5850000

heap

page read and write

2B50000

heap

page execute and read and write

54E0000

heap

page read and write

E1D000

trusted library allocation

page execute and read and write

6C00000

trusted library allocation

page read and write

2A90000

trusted library allocation

page read and write

There are 248 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Docs.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportDocs.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Docs.exe