Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Arrival Notice CIA INV.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.976374990533191
Filename:	Arrival Notice CIA INV.exe
Filesize:	630272
MD5:	3e106abbfe0c2a9909ddf61528e91f1d
SHA1:	f650705c7f784edc4aa97c2539713ed4483491df
SHA256:	4658db261066122d0f627ac3452a3dbc06dea0c458f706a7be9f615a0f00995d
SHA512:	acc467b9fb0fecdf9b125372410e6fc53cea9fa4abd2ac400635f033cde71921e02b5e95432c33a036ef2c2bf2bb8d08f44969fdbb4f64469d1b14b2b66e1278
SSDEEP:	12288:NK5xa5WrP/Y7ioOwz/XjasozU8mkLcvNnt7Jwj6OS7L7WIfiRf:NUDrwWoOkXjFtnJa/2/hiRf
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&..f............................N.... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Abnormal high CPU Usage	System Summary	Process Injection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Creates a window with clipboard capturing capabilities	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Detected potential crypto function	System Summary	Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
.NET source code contains methods with suspicious names	System Summary	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary	Windows Management Instrumentation System Information Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Arrival Notice CIA INV.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Arrival Notice CIA INV.exe.log
Category:	dropped
Dump:	Arrival Notice CIA INV.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Arrival Notice CIA INV.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Arrival Notice CIA INV.exe

"C:\Users\user\Desktop\Arrival Notice CIA INV.exe"

Details

Is windows:	false
Is dropped:	false
PID:	716
Target ID:	0
Parent PID:	4004
Name:	Arrival Notice CIA INV.exe
Path:	C:\Users\user\Desktop\Arrival Notice CIA INV.exe
Commandline:	"C:\Users\user\Desktop\Arrival Notice CIA INV.exe"
Size:	630272
MD5:	3E106ABBFE0C2A9909DDF61528E91F1D
Time:	19:37:57
Date:	26/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x490000
Modulesize:	655360
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\Arrival Notice CIA INV.exe

"C:\Users\user\Desktop\Arrival Notice CIA INV.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6060
Target ID:	2
Parent PID:	716
Name:	Arrival Notice CIA INV.exe
Path:	C:\Users\user\Desktop\Arrival Notice CIA INV.exe
Commandline:	"C:\Users\user\Desktop\Arrival Notice CIA INV.exe"
Size:	630272
MD5:	3E106ABBFE0C2A9909DDF61528E91F1D
Time:	19:37:58
Date:	26/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x940000
Modulesize:	655360
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://r3.o.lencr.org0

unknown

Details

Name:	http://r3.o.lencr.org0
TargetID:	2
From Memory:	true
Current Path:	C:\Users\user\Desktop\Arrival Notice CIA INV.exe
Source:	Arrival Notice CIA INV.exe, 00000002.00000002.4523380175.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4522317494.0000000000F86000.00000004.00000020.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4522317494.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\Arrival Notice CIA INV.exe
Source:	Arrival Notice CIA INV.exe, 00000000.00000002.2065862174.0000000003AEE000.00000004.00000800.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4521841177.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://fedcraw.org.za

unknown

http://mail.fedcraw.org.za

unknown

http://x1.c.lencr.org/0

unknown

Details

Name:	http://x1.c.lencr.org/0
TargetID:	2
From Memory:	true
Current Path:	C:\Users\user\Desktop\Arrival Notice CIA INV.exe
Source:	Arrival Notice CIA INV.exe, 00000002.00000002.4523380175.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4522317494.0000000000F86000.00000004.00000020.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4526322993.00000000066E2000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://x1.i.lencr.org/0

unknown

Details

Name:	http://x1.i.lencr.org/0
TargetID:	2
From Memory:	true
Current Path:	C:\Users\user\Desktop\Arrival Notice CIA INV.exe
Source:	Arrival Notice CIA INV.exe, 00000002.00000002.4523380175.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4522317494.0000000000F86000.00000004.00000020.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4526322993.00000000066E2000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://cps.root-x1.letsencrypt.org0

unknown

Details

Name:	http://cps.root-x1.letsencrypt.org0
TargetID:	2
From Memory:	true
Current Path:	C:\Users\user\Desktop\Arrival Notice CIA INV.exe
Source:	Arrival Notice CIA INV.exe, 00000002.00000002.4523380175.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4522317494.0000000000F62000.00000004.00000020.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4522317494.0000000000F86000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://r3.i.lencr.org/0

unknown

Details

Name:	http://r3.i.lencr.org/0
TargetID:	2
From Memory:	true
Current Path:	C:\Users\user\Desktop\Arrival Notice CIA INV.exe
Source:	Arrival Notice CIA INV.exe, 00000002.00000002.4523380175.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4522317494.0000000000F86000.00000004.00000020.00020000.00000000.sdmp, Arrival Notice CIA INV.exe, 00000002.00000002.4522317494.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

mail.fedcraw.org.za

unknown

Details

Name:	mail.fedcraw.org.za
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

fedcraw.org.za

65.181.111.239

Details

Name:	fedcraw.org.za
IP:	65.181.111.239
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

65.181.111.239

fedcraw.org.za

United States

Details

IP:	65.181.111.239
TargetID:	2
Current Path:	C:\Users\user\Desktop\Arrival Notice CIA INV.exe
Country:	United States
Countrycode:	USA
ASN number:	25653
ASN name:	FORTRESSITXUS
Private:	false
Domain:	fedcraw.org.za

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

Memdumps

Base Address

Regiontype

Protect

Malicious

402000

remote allocation

page execute and read and write

3AEE000

trusted library allocation

page read and write

2CC1000

trusted library allocation

page read and write

2D10000

trusted library allocation

page read and write

2D3B000

trusted library allocation

page read and write

2B18000

trusted library allocation

page read and write

F60000

trusted library allocation

page read and write

12BE000

stack

page read and write

64DD000

stack

page read and write

106F000

stack

page read and write

2AB0000

trusted library allocation

page execute and read and write

2AC0000

heap

page read and write

4DFE000

stack

page read and write

6D91000

trusted library allocation

page read and write

A9E000

stack

page read and write

2881000

trusted library allocation

page read and write

61F0000

trusted library allocation

page execute and read and write

2A60000

trusted library allocation

page read and write

6320000

trusted library allocation

page execute and read and write

D17000

trusted library allocation

page execute and read and write

2900000

heap

page execute and read and write

2D37000

trusted library allocation

page read and write

AE4000

trusted library allocation

page read and write

61E0000

trusted library allocation

page read and write

3CC1000

trusted library allocation

page read and write

2892000

trusted library allocation

page read and write

3919000

trusted library allocation

page read and write

2A85000

trusted library allocation

page execute and read and write

5191000

trusted library allocation

page read and write

5440000

trusted library allocation

page read and write

B36000

heap

page read and write

661E000

stack

page read and write

51B4000

trusted library allocation

page read and write

61D0000

trusted library allocation

page read and write

6CD0000

heap

page read and write

D69000

stack

page read and write

2A76000

trusted library allocation

page execute and read and write

D1B000

trusted library allocation

page execute and read and write

3D27000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

62DE000

stack

page read and write

2911000

trusted library allocation

page read and write

55DC000

stack

page read and write

F70000

heap

page read and write

4EF3000

heap

page read and write

6A60000

trusted library allocation

page execute and read and write

5300000

heap

page read and write

2A8B000

trusted library allocation

page execute and read and write

517B000

trusted library allocation

page read and write

631E000

stack

page read and write

50C0000

heap

page read and write

5290000

heap

page execute and read and write

AF3000

trusted library allocation

page read and write

2D18000

trusted library allocation

page read and write

50F8000

heap

page read and write

28E0000

trusted library allocation

page read and write

5B9000

stack

page read and write

A10000

heap

page read and write

651E000

stack

page read and write

5020000

heap

page execute and read and write

F27000

heap

page read and write

AE3000

trusted library allocation

page execute and read and write

61E6000

trusted library allocation

page read and write

517E000

trusted library allocation

page read and write

F19000

heap

page read and write

548E000

stack

page read and write

52F0000

trusted library allocation

page read and write

4CFC000

stack

page read and write

B90000

heap

page read and write

DA0000

heap

page read and write

521C000

stack

page read and write

F00000

trusted library allocation

page read and write

D06000

trusted library allocation

page execute and read and write

4FF0000

trusted library allocation

page execute and read and write

866F000

stack

page read and write

B7E000

heap

page read and write

F20000

trusted library allocation

page execute and read and write

B2C000

heap

page read and write

2A6D000

trusted library allocation

page execute and read and write

490000

unkown

page readonly

86AE000

stack

page read and write

3911000

trusted library allocation

page read and write

B43000

heap

page read and write

66A8000

heap

page read and write

5D00000

trusted library section

page read and write

2BB0000

heap

page execute and read and write

5010000

trusted library allocation

page read and write

5154000

heap

page read and write

28C0000

trusted library allocation

page read and write

281E000

stack

page read and write

8F7000

stack

page read and write

5170000

trusted library allocation

page read and write

68DE000

stack

page read and write

EBE000

stack

page read and write

2B0E000

stack

page read and write

EF0000

heap

page read and write

B00000

heap

page read and write

D00000

trusted library allocation

page read and write

D90000

trusted library allocation

page read and write

DE0000

heap

page read and write

286B000

trusted library allocation

page read and write

B45000

heap

page read and write

D0A000

trusted library allocation

page execute and read and write

492000

unkown

page readonly

2886000

trusted library allocation

page read and write

28B0000

trusted library allocation

page read and write

540D000

stack

page read and write

52A0000

heap

page read and write

6A50000

trusted library allocation

page read and write

4ED0000

trusted library allocation

page read and write

66A0000

heap

page read and write

CFF000

stack

page read and write

82AE000

stack

page read and write

D80000

trusted library allocation

page execute and read and write

4D82000

trusted library allocation

page read and write

39B5000

trusted library allocation

page read and write

2CBE000

stack

page read and write

D12000

trusted library allocation

page read and write

2860000

trusted library allocation

page read and write

B0E000

heap

page read and write

AFD000

trusted library allocation

page execute and read and write

4DC0000

heap

page read and write

2A72000

trusted library allocation

page read and write

2D4E000

trusted library allocation

page read and write

6240000

trusted library allocation

page read and write

2864000

trusted library allocation

page read and write

2D43000

trusted library allocation

page read and write

DC5000

heap

page read and write

4DD0000

trusted library section

page read and write

67DE000

stack

page read and write

6A1D000

stack

page read and write

AD0000

trusted library allocation

page read and write

4DE0000

heap

page read and write

2D52000

trusted library allocation

page read and write

286E000

trusted library allocation

page read and write

51C0000

trusted library allocation

page read and write

2D0E000

trusted library allocation

page read and write

102E000

stack

page read and write

11A0000

heap

page read and write

518E000

trusted library allocation

page read and write

EF8000

heap

page read and write

51A2000

trusted library allocation

page read and write

AED000

trusted library allocation

page execute and read and write

D30000

trusted library allocation

page read and write

AF0000

trusted library allocation

page read and write

B08000

heap

page read and write

61C0000

trusted library allocation

page read and write

AE0000

trusted library allocation

page read and write

52EB000

stack

page read and write

623E000

stack

page read and write

826E000

stack

page read and write

1190000

trusted library allocation

page read and write

5196000

trusted library allocation

page read and write

519D000

trusted library allocation

page read and write

6330000

trusted library allocation

page read and write

2A82000

trusted library allocation

page read and write

61D7000

trusted library allocation

page read and write

5182000

trusted library allocation

page read and write

EFE000

stack

page read and write

F62000

heap

page read and write

4ECE000

stack

page read and write

1194000

trusted library allocation

page read and write

28A0000

trusted library allocation

page read and write

856F000

stack

page read and write

7F080000

trusted library allocation

page execute and read and write

87AE000

stack

page read and write

56DE000

stack

page read and write

3CE9000

trusted library allocation

page read and write

10AE000

stack

page read and write

2960000

trusted library allocation

page read and write

EC0000

heap

page read and write

3A03000

trusted library allocation

page read and write

A00000

heap

page read and write

28B5000

trusted library allocation

page read and write

633B000

trusted library allocation

page read and write

1180000

trusted library allocation

page read and write

28AF000

trusted library allocation

page read and write

DB0000

heap

page read and write

F0E000

trusted library allocation

page read and write

10FE000

stack

page read and write

51B0000

trusted library allocation

page read and write

2A7A000

trusted library allocation

page execute and read and write

1193000

trusted library allocation

page execute and read and write

6A70000

heap

page read and write

F24000

heap

page read and write

5140000

trusted library allocation

page read and write

285B000

stack

page read and write

2A80000

trusted library allocation

page read and write

119D000

trusted library allocation

page execute and read and write

4EF0000

heap

page read and write

5820000

trusted library allocation

page read and write

4A0C000

stack

page read and write

61CC000

trusted library allocation

page read and write

2D29000

trusted library allocation

page read and write

2A87000

trusted library allocation

page execute and read and write

F86000

heap

page read and write

2997000

trusted library allocation

page read and write

C6A000

stack

page read and write

2941000

trusted library allocation

page read and write

2969000

trusted library allocation

page read and write

6A40000

heap

page read and write

11B0000

heap

page read and write

66E2000

heap

page read and write

FD9000

heap

page read and write

4EE0000

trusted library section

page read and write

DA8000

heap

page read and write

287E000

trusted library allocation

page read and write

5160000

trusted library allocation

page read and write

A5E000

stack

page read and write

2A70000

trusted library allocation

page read and write

3967000

trusted library allocation

page read and write

846E000

stack

page read and write

288D000

trusted library allocation

page read and write

D7E000

stack

page read and write

6FBE000

stack

page read and write

F05000

trusted library allocation

page read and write

2AA0000

trusted library allocation

page read and write

4D70000

heap

page read and write

DC0000

heap

page read and write

BCA000

heap

page read and write

529F000

stack

page read and write

2980000

trusted library allocation

page read and write

5828000

trusted library allocation

page read and write

4D90000

trusted library allocation

page execute and read and write

5000000

trusted library allocation

page execute and read and write

4D80000

trusted library allocation

page read and write

920000

heap

page read and write

5150000

heap

page read and write

691E000

stack

page read and write

There are 219 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Arrival Notice CIA INV.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportArrival Notice CIA INV.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
Arrival Notice CIA INV.exe