Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

DRAWING_SHEET_P02405912916 .exe

PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	7.790001715501068
Filename:	DRAWING_SHEET_P02405912916 .exe
Filesize:	811981
MD5:	55ec2edc07564f96fadc8681055baf07
SHA1:	76c6df27f51e184509b81812589a59e9aa552f9c
SHA256:	e6bb64329e3641fc55e523d5778edeae726d41e3481e26fd0855e1710508cc7b
SHA512:	e608b0e0533095390c1502237a2520a47a73c22f44ec770053c0696517b366192f95eb678314c0ff23c4d25e4553ecc06328e5663c60fd310c408480b02917ba
SSDEEP:	12288:JDkAKHUnZJWA1m70Z/bil4pOgpU9v3JD7ORS/EMpxeW:JtK0nZJWumwFa47pU9/wUp
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...#G............"...0..g..\............ ....@...... ....................................`................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Encrypted Channel
Enables debug privileges	Anti Debugging
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
One or more processes crash	System Summary
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_DRAWING_SHEET_P0_b088b2a1ea814e2a8d34d4abad448ba01bd6d55_a0fac049_8c9e2797-37ac-4a2f-8c4c-14b00a3cae93\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_DRAWING_SHEET_P0_b088b2a1ea814e2a8d34d4abad448ba01bd6d55_a0fac049_8c9e2797-37ac-4a2f-8c4c-14b00a3cae93\Report.wer
Category:	dropped
Dump:	Report.wer.6.dr
ID:	dr_3
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	1.008734203284085
Encrypted:	false
Ssdeep:	192:dfI+T/havE0UnUVaWBHpSszuiFaZ24lO8un:mCha/UnUVamHcszuiFaY4lO8m
Size:	65536
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC8A7.tmp.dmp

Mini DuMP crash report, 16 streams, Mon May 27 10:26:35 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERC8A7.tmp.dmp
Category:	dropped
Dump:	WERC8A7.tmp.dmp.6.dr
ID:	dr_0
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 16 streams, Mon May 27 10:26:35 2024, 0x1205a4 type
Entropy:	3.2910056862527832
Encrypted:	false
Ssdeep:	3072:6CHX0PQVcSrg1vAKij81CCq+h3+vvwFgoc4ipL:6V0sRiGqs3QSWZp
Size:	391458
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC9E0.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERC9E0.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WERC9E0.tmp.WERInternalMetadata.xml.6.dr
ID:	dr_1
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.716205473846341
Encrypted:	false
Ssdeep:	192:R6l7wVeJHku6YSLwVFgmf4MrprH89bFNAfy3m:R6lXJEu6Y+wVFgmf4MeF6f7
Size:	8666
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA10.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA10.tmp.xml
Category:	dropped
Dump:	WERCA10.tmp.xml.6.dr
ID:	dr_2
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.577948559647039
Encrypted:	false
Ssdeep:	48:cvIwWl8zsUJg771I97wWpW8VYMYm8M4JA/vQFKcyq85sIc5K3wItIcPd:uIjfSI78J7VoJA/Dclc3wItI8d
Size:	4844
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.6.dr
ID:	dr_4
Target ID:	6
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.372398453063531
Encrypted:	false
Ssdeep:	6144:qFVfpi6ceLP/9skLmb0nyWWSPtaJG8nAge35OlMMhA2AX4WABlguNmiL:CV19yWWI/glMM6kF7oq
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe

"C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe"

Details

Is windows:	false
Is dropped:	false
PID:	4028
Target ID:	0
Parent PID:	4084
Name:	DRAWING_SHEET_P02405912916 .exe
Path:	C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe
Commandline:	"C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe"
Size:	811981
MD5:	55EC2EDC07564F96FADC8681055BAF07
Time:	06:26:30
Date:	27/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1dfc92f0000
Modulesize:	245760
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected UAC Bypass using CMSTP	Exploits
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

Details

Is windows:	true
Is dropped:	false
PID:	4708
Target ID:	2
Parent PID:	4028
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	06:26:34
Date:	27/05/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x910000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: MSBuild connects to smtp port	Networking
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7140
Target ID:	3
Parent PID:	4028
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	06:26:34
Date:	27/05/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xd40000
Modulesize:	262144
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: MSBuild connects to smtp port	Networking
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4028 -s 1016

Details

Is windows:	true
Is dropped:	false
PID:	1144
Target ID:	6
Parent PID:	4028
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 4028 -s 1016
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	06:26:35
Date:	27/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6f7470000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://api.ipify.org/

172.67.74.152

Details

Name:	https://api.ipify.org/
IP:	172.67.74.152
TargetID:	2
From Memory:	false
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://api.ipify.org

unknown

Details

Name:	https://api.ipify.org
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe
Source:	DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1461004297.000001DFDB0E7000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2625649867.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2620865574.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://upx.sf.net

unknown

http://mail.officeemailbackup.com

unknown

https://sectigo.com/CPS0

unknown

Details

Name:	https://sectigo.com/CPS0
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source:	MSBuild.exe, 00000002.00000002.2629786574.0000000005EE1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2625649867.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2622599305.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2629786574.0000000005F71000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\DRAWING_SHEET_P02405912916 .exe
Source:	DRAWING_SHEET_P02405912916 .exe, 00000000.00000002.1461004297.000001DFDB0E7000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2620865574.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.ipify.org/t

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://officeemailbackup.com

unknown

Domains

Name

Malicious

officeemailbackup.com

179.43.183.46

Details

Name:	officeemailbackup.com
IP:	179.43.183.46
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Sigma detected: MSBuild connects to smtp port	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

172.67.74.152

Details

Name:	api.ipify.org
IP:	172.67.74.152
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

mail.officeemailbackup.com

unknown

Details

Name:	mail.officeemailbackup.com
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

fp2e7a.wpc.phicdn.net

192.229.221.95

IPs

Domain

Country

Malicious

179.43.183.46

officeemailbackup.com

Panama

Details

IP:	179.43.183.46
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	Panama
Countrycode:	PAN
ASN number:	51852
ASN name:	PLI-ASCH
Private:	false
Domain:	officeemailbackup.com

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: MSBuild connects to smtp port	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses SMTP (mail sending)	Networking	Application Layer Protocol

172.67.74.152

api.ipify.org

United States

Details

IP:	172.67.74.152
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASMANCS

FileDirectory

\REGISTRY\A\{d244e630-be26-66a0-b388-4b6f83627edb}\Root\InventoryApplicationFile\drawing_sheet_p0|83122db914e787e4

ProgramId

\REGISTRY\A\{d244e630-be26-66a0-b388-4b6f83627edb}\Root\InventoryApplicationFile\drawing_sheet_p0|83122db914e787e4

FileId

\REGISTRY\A\{d244e630-be26-66a0-b388-4b6f83627edb}\Root\InventoryApplicationFile\drawing_sheet_p0|83122db914e787e4

LowerCaseLongPath

\REGISTRY\A\{d244e630-be26-66a0-b388-4b6f83627edb}\Root\InventoryApplicationFile\drawing_sheet_p0|83122db914e787e4

LongPathHash

\REGISTRY\A\{d244e630-be26-66a0-b388-4b6f83627edb}\Root\InventoryApplicationFile\drawing_sheet_p0|83122db914e787e4

Name

\REGISTRY\A\{d244e630-be26-66a0-b388-4b6f83627edb}\Root\InventoryApplicationFile\drawing_sheet_p0|83122db914e787e4

OriginalFileName

\REGISTRY\A\{d244e630-be26-66a0-b388-4b6f83627edb}\Root\InventoryApplicationFile\drawing_sheet_p0|83122db914e787e4

Publisher

\REGISTRY\A\{d244e630-be26-66a0-b388-4b6f83627edb}\Root\InventoryApplicationFile\drawing_sheet_p0|83122db914e787e4

Version

\REGISTRY\A\{d244e630-be26-66a0-b388-4b6f83627edb}\Root\InventoryApplicationFile\drawing_sheet_p0|83122db914e787e4

BinFileVersion

\REGISTRY\A\{d244e630-be26-66a0-b388-4b6f83627edb}\Root\InventoryApplicationFile\drawing_sheet_p0|83122db914e787e4

BinaryType

\REGISTRY\A\{d244e630-be26-66a0-b388-4b6f83627edb}\Root\InventoryApplicationFile\drawing_sheet_p0|83122db914e787e4

ProductName

\REGISTRY\A\{d244e630-be26-66a0-b388-4b6f83627edb}\Root\InventoryApplicationFile\drawing_sheet_p0|83122db914e787e4

ProductVersion

\REGISTRY\A\{d244e630-be26-66a0-b388-4b6f83627edb}\Root\InventoryApplicationFile\drawing_sheet_p0|83122db914e787e4

LinkDate

\REGISTRY\A\{d244e630-be26-66a0-b388-4b6f83627edb}\Root\InventoryApplicationFile\drawing_sheet_p0|83122db914e787e4

BinProductVersion

\REGISTRY\A\{d244e630-be26-66a0-b388-4b6f83627edb}\Root\InventoryApplicationFile\drawing_sheet_p0|83122db914e787e4

AppxPackageFullName

\REGISTRY\A\{d244e630-be26-66a0-b388-4b6f83627edb}\Root\InventoryApplicationFile\drawing_sheet_p0|83122db914e787e4

AppxPackageRelativeId

\REGISTRY\A\{d244e630-be26-66a0-b388-4b6f83627edb}\Root\InventoryApplicationFile\drawing_sheet_p0|83122db914e787e4

Size

\REGISTRY\A\{d244e630-be26-66a0-b388-4b6f83627edb}\Root\InventoryApplicationFile\drawing_sheet_p0|83122db914e787e4

Language

\REGISTRY\A\{d244e630-be26-66a0-b388-4b6f83627edb}\Root\InventoryApplicationFile\drawing_sheet_p0|83122db914e787e4

Usn

There are 24 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2D9C000

trusted library allocation

page read and write

1DFDB0E7000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

2DA4000

trusted library allocation

page read and write

2D71000

trusted library allocation

page read and write

1DFCB43B000

trusted library allocation

page read and write

13DD000

trusted library allocation

page execute and read and write

CF9000

stack

page read and write

1DFCB13D000

trusted library allocation

page read and write

661E000

stack

page read and write

64D9000

trusted library allocation

page read and write

569E000

stack

page read and write

5160000

heap

page read and write

1DFC9636000

heap

page read and write

793AFFE000

stack

page read and write

13EA000

trusted library allocation

page execute and read and write

2D57000

trusted library allocation

page read and write

579F000

stack

page read and write

6690000

trusted library allocation

page read and write

1DFC9594000

heap

page read and write

2DBC000

trusted library allocation

page read and write

2D21000

trusted library allocation

page read and write

2C28000

trusted library allocation

page read and write

6640000

trusted library allocation

page read and write

66B0000

trusted library allocation

page execute and read and write

66A0000

trusted library allocation

page read and write

FF590000

trusted library allocation

page execute and read and write

7FFB4B270000

trusted library allocation

page read and write

793B6FD000

stack

page read and write

1077000

heap

page read and write

2AD0000

trusted library allocation

page read and write

7FFB4B14C000

trusted library allocation

page execute and read and write

1DFC95BB000

heap

page read and write

651E000

stack

page read and write

1DFC9591000

heap

page read and write

5354000

heap

page read and write

1DFC93A0000

heap

page read and write

2B00000

trusted library allocation

page read and write

7FFB4B280000

trusted library allocation

page read and write

2CED000

trusted library allocation

page read and write

1410000

trusted library allocation

page read and write

1035000

heap

page read and write

400000

remote allocation

page execute and read and write

10A7000

heap

page read and write

1DFC958E000

heap

page read and write

7FFB4B2B0000

trusted library allocation

page read and write

13F5000

trusted library allocation

page execute and read and write

6DC0000

heap

page read and write

5EE1000

heap

page read and write

2D5F000

trusted library allocation

page read and write

1DFC9480000

heap

page read and write

793AB33000

stack

page read and write

555E000

stack

page read and write

FF3000

trusted library allocation

page execute and read and write

7FFB4B0BD000

trusted library allocation

page execute and read and write

7FFB4B090000

trusted library allocation

page read and write

FF0000

trusted library allocation

page read and write

1436000

heap

page read and write

1DFC92F2000

unkown

page readonly

1000000

heap

page read and write

7FFB4B230000

trusted library allocation

page read and write

6B30000

trusted library allocation

page read and write

13F2000

trusted library allocation

page read and write

7FFB4B0EC000

trusted library allocation

page execute and read and write

7FFB4B250000

trusted library allocation

page read and write

1430000

heap

page read and write

1DFC9935000

heap

page read and write

E55000

heap

page read and write

7FFB4B249000

trusted library allocation

page read and write

1DFC98C0000

heap

page execute and read and write

7FFB4B290000

trusted library allocation

page read and write

1DFC97A5000

heap

page read and write

793B2FC000

stack

page read and write

1DFC94A0000

heap

page read and write

1DFDB0E1000

trusted library allocation

page read and write

7FFB4B150000

trusted library allocation

page execute and read and write

2B10000

heap

page read and write

D40000

heap

page read and write

1038000

heap

page read and write

2CE1000

trusted library allocation

page read and write

545C000

stack

page read and write

7FFB4B1B0000

trusted library allocation

page execute and read and write

1DFE37A0000

heap

page read and write

7FFB4B140000

trusted library allocation

page read and write

7FFB4B0A0000

trusted library allocation

page read and write

7FFB4B240000

trusted library allocation

page read and write

1DFC95BD000

heap

page read and write

2ACC000

stack

page read and write

6B50000

heap

page read and write

7FFB4B2A0000

trusted library allocation

page execute and read and write

64BD000

stack

page read and write

668D000

stack

page read and write

13E0000

trusted library allocation

page read and write

7FF4AA0F0000

trusted library allocation

page execute and read and write

6B0D000

stack

page read and write

1DFC955C000

heap

page read and write

674E000

stack

page read and write

FE0000

trusted library allocation

page read and write

6A0E000

stack

page read and write

67AB000

trusted library allocation

page read and write

6630000

trusted library allocation

page read and write

1DFC95C7000

heap

page read and write

793B4FE000

stack

page read and write

13E6000

trusted library allocation

page execute and read and write

E20000

heap

page read and write

3D21000

trusted library allocation

page read and write

7FFB4B094000

trusted library allocation

page read and write

7FFB4B0B0000

trusted library allocation

page read and write

FF4000

trusted library allocation

page read and write

13F0000

trusted library allocation

page read and write

637E000

stack

page read and write

793B1FF000

stack

page read and write

64D0000

trusted library allocation

page read and write

1420000

trusted library allocation

page execute and read and write

7FFB4B23A000

trusted library allocation

page read and write

FFD000

trusted library allocation

page execute and read and write

2D10000

heap

page execute and read and write

2CDE000

trusted library allocation

page read and write

7FFB4B176000

trusted library allocation

page execute and read and write

67A0000

trusted library allocation

page read and write

11FE000

stack

page read and write

1DFC9530000

trusted library allocation

page read and write

1097000

heap

page read and write

13F7000

trusted library allocation

page execute and read and write

4E1E000

stack

page read and write

5ECC000

heap

page read and write

7FFB4B24E000

trusted library allocation

page read and write

793B0FF000

stack

page read and write

530E000

stack

page read and write

E9E000

stack

page read and write

EA0000

heap

page read and write

5350000

heap

page read and write

7FFB4B0AD000

trusted library allocation

page execute and read and write

F5E000

stack

page read and write

2D6D000

trusted library allocation

page read and write

793AEFE000

stack

page read and write

2DB0000

trusted library allocation

page read and write

7FFB4B288000

trusted library allocation

page read and write

1DFC9597000

heap

page read and write

6B40000

trusted library allocation

page execute and read and write

793B5FE000

stack

page read and write

1DFC9680000

heap

page execute and read and write

6697000

trusted library allocation

page read and write

9DA000

stack

page read and write

13FB000

trusted library allocation

page execute and read and write

6790000

trusted library allocation

page execute and read and write

7FFB4B09D000

trusted library allocation

page execute and read and write

ED0000

heap

page read and write

1DFC92F0000

unkown

page readonly

529C000

stack

page read and write

5F0B000

heap

page read and write

6647000

trusted library allocation

page read and write

F1E000

stack

page read and write

793B3FE000

stack

page read and write

52C0000

heap

page execute and read and write

565E000

stack

page read and write

5EC0000

heap

page read and write

10AB000

heap

page read and write

63BE000

stack

page read and write

7FFB4B0BB000

trusted library allocation

page execute and read and write

5EC8000

heap

page read and write

7FFB4B260000

trusted library allocation

page read and write

1DFC9550000

heap

page read and write

13E2000

trusted library allocation

page read and write

678E000

stack

page read and write

7FFB4B146000

trusted library allocation

page read and write

2AE0000

trusted library allocation

page read and write

2CCB000

trusted library allocation

page read and write

1DFE37E1000

heap

page read and write

2CCE000

trusted library allocation

page read and write

2CD2000

trusted library allocation

page read and write

7FFB4B092000

trusted library allocation

page read and write

2A8E000

stack

page read and write

64C0000

heap

page read and write

1DFC9930000

heap

page read and write

3D87000

trusted library allocation

page read and write

1DFC97A0000

heap

page read and write

3D49000

trusted library allocation

page read and write

13D0000

trusted library allocation

page read and write

1DFC9670000

trusted library section

page read and write

663D000

trusted library allocation

page read and write

2CE6000

trusted library allocation

page read and write

1008000

heap

page read and write

2D9A000

trusted library allocation

page read and write

2D96000

trusted library allocation

page read and write

627D000

stack

page read and write

7FFB4B093000

trusted library allocation

page execute and read and write

E50000

heap

page read and write

534D000

stack

page read and write

1DFC9710000

trusted library section

page read and write

1DFCB0E1000

trusted library allocation

page read and write

10D1000

heap

page read and write

5F67000

heap

page read and write

1DFC9540000

trusted library allocation

page read and write

5F71000

heap

page read and write

7FFB4B0B4000

trusted library allocation

page read and write

694E000

stack

page read and write

1DFC94C0000

heap

page read and write

1DFC9690000

heap

page read and write

1DFC9543000

trusted library allocation

page read and write

1DFC9510000

trusted library allocation

page read and write

2CC0000

trusted library allocation

page read and write

1DFE3110000

trusted library allocation

page read and write

2AF0000

trusted library allocation

page read and write

1DFC932A000

unkown

page readonly

1DFC9579000

heap

page read and write

2C1F000

stack

page read and write

There are 197 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
DRAWING_SHEET_P02405912916 .exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportDRAWING_SHEET_P02405912916 .exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
DRAWING_SHEET_P02405912916 .exe