Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

M.V TBN - VESSEL'S DETAILS.docx.scr.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.804922237700636
Filename:	M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Filesize:	734720
MD5:	856076a266bf66744428123e379d6e54
SHA1:	88e2e194d5944b748671fefa67c61d3c48af7cf6
SHA256:	c09cba9da1f8a6c8fbda87ce1c29455118eb13876286388a7d768ba98585aa78
SHA512:	a5aeb1f440fb332eb5c8cac0ac2c2a5027984acf87c16716e5e96620fd4e379e0a07776e35c2099221ae21ad440d83ec98ca6f6bcd7bc163d6c56d91e52458da
SSDEEP:	12288:4cxbJytLuL+vKDrPvBMVe/CPMvLM2isPhGCMQJ46Bh7zl:4cxbJnHegVTHisJYjUhN
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....yf.................,..........>J... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Abnormal high CPU Usage	System Summary	Process Injection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation Virtualization/Sandbox Evasion Security Software Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary	System Information Discovery
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\M.V TBN - VESSEL'S DETAILS.docx.scr.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\M.V TBN - VESSEL'S DETAILS.docx.scr.exe.log
Category:	dropped
Dump:	M.V TBN - VESSEL'S DETAILS.docx.scr.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLV1qE4jE4K5E4KlKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:Mp1qHjHK5HKlYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe

"C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5528
Target ID:	0
Parent PID:	1028
Name:	M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Path:	C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Commandline:	"C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe"
Size:	734720
MD5:	856076A266BF66744428123E379D6E54
Time:	17:38:47
Date:	04/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x4a0000
Modulesize:	761856
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe

"C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3472
Target ID:	3
Parent PID:	5528
Name:	M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Path:	C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Commandline:	"C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe"
Size:	734720
MD5:	856076A266BF66744428123E379D6E54
Time:	17:38:48
Date:	04/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1c0000
Modulesize:	761856
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe

"C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1080
Target ID:	4
Parent PID:	5528
Name:	M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Path:	C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Commandline:	"C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe"
Size:	734720
MD5:	856076A266BF66744428123E379D6E54
Time:	17:38:48
Date:	04/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x3c0000
Modulesize:	761856
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe

"C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1480
Target ID:	5
Parent PID:	5528
Name:	M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Path:	C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Commandline:	"C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe"
Size:	734720
MD5:	856076A266BF66744428123E379D6E54
Time:	17:38:48
Date:	04/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xfc0000
Modulesize:	761856
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://api.ipify.org/

104.26.13.205

Details

Name:	https://api.ipify.org/
IP:	104.26.13.205
TargetID:	5
From Memory:	false
Current Path:	C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://api.ipify.org

unknown

Details

Name:	https://api.ipify.org
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Source:	M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000000.00000002.1993289609.00000000038C1000.00000004.00000800.00020000.00000000.sdmp, M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000005.00000002.4438476357.0000000000402000.00000040.00000400.00020000.00000000.sdmp, M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000005.00000002.4440040719.0000000003351000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Source:	M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000000.00000002.1993289609.00000000038C1000.00000004.00000800.00020000.00000000.sdmp, M.V TBN - VESSEL'S DETAILS.docx.scr.exe, 00000005.00000002.4438476357.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.ipify.org/t

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://beirutrest.com

unknown

Domains

Name

Malicious

beirutrest.com

50.87.144.157

Details

Name:	beirutrest.com
IP:	50.87.144.157
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

104.26.13.205

Details

Name:	api.ipify.org
IP:	104.26.13.205
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

50.87.144.157

beirutrest.com

United States

104.26.13.205

api.ipify.org

United States

Details

IP:	104.26.13.205
TargetID:	5
Current Path:	C:\Users\user\Desktop\M.V TBN - VESSEL'S DETAILS.docx.scr.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\M_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\M_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\M_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\M_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\M_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\M_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\M_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\M_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\M_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\M_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\M_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\M_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\M_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\M_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

402000

remote allocation

page execute and read and write

33CC000

trusted library allocation

page read and write

33A1000

trusted library allocation

page read and write

38C1000

trusted library allocation

page read and write

4DDD000

trusted library allocation

page read and write

517E000

stack

page read and write

49BC000

stack

page read and write

A3AE000

stack

page read and write

68BD000

stack

page read and write

4A2000

unkown

page readonly

B2D000

trusted library allocation

page execute and read and write

7142000

trusted library allocation

page read and write

72FE000

stack

page read and write

1856000

trusted library allocation

page execute and read and write

5FC0000

heap

page read and write

5440000

trusted library allocation

page execute and read and write

70FE000

stack

page read and write

BA3000

heap

page read and write

6EA0000

trusted library allocation

page execute and read and write

4F80000

trusted library allocation

page read and write

B52000

trusted library allocation

page read and write

73B0000

heap

page read and write

5190000

trusted library allocation

page read and write

4A0000

unkown

page readonly

400000

remote allocation

page execute and read and write

B00000

trusted library allocation

page read and write

771E000

stack

page read and write

556000

unkown

page readonly

1850000

trusted library allocation

page read and write

B6E000

heap

page read and write

1560000

heap

page read and write

338F000

trusted library allocation

page read and write

52D0000

heap

page read and write

5874000

trusted library allocation

page read and write

4D32000

trusted library allocation

page read and write

73C0000

trusted library allocation

page execute and read and write

5480000

trusted library section

page read and write

B1D000

trusted library allocation

page execute and read and write

15CF000

heap

page read and write

1589000

heap

page read and write

7014000

trusted library allocation

page read and write

4D40000

trusted library allocation

page read and write

183D000

trusted library allocation

page execute and read and write

271E000

stack

page read and write

1852000

trusted library allocation

page read and write

28C1000

trusted library allocation

page read and write

52C0000

heap

page read and write

4FC0000

heap

page execute and read and write

950000

heap

page read and write

6FBF000

stack

page read and write

1865000

trusted library allocation

page execute and read and write

1880000

trusted library allocation

page read and write

5856000

trusted library allocation

page read and write

1170000

heap

page read and write

584A000

trusted library allocation

page read and write

69BE000

stack

page read and write

110A000

stack

page read and write

1910000

heap

page read and write

1600000

heap

page read and write

B4A000

trusted library allocation

page execute and read and write

713E000

stack

page read and write

7050000

trusted library allocation

page execute and read and write

7610000

heap

page read and write

B14000

trusted library allocation

page read and write

583B000

trusted library allocation

page read and write

4D1E000

trusted library allocation

page read and write

28B0000

heap

page read and write

3351000

trusted library allocation

page read and write

1596000

heap

page read and write

15D7000

heap

page read and write

BA0000

heap

page read and write

4379000

trusted library allocation

page read and write

583E000

trusted library allocation

page read and write

D5F000

stack

page read and write

ACE000

stack

page read and write

153E000

stack

page read and write

5830000

trusted library allocation

page read and write

4F50000

heap

page read and write

184D000

trusted library allocation

page execute and read and write

4F90000

trusted library allocation

page read and write

1917000

heap

page read and write

182E000

stack

page read and write

6BE4000

heap

page read and write

1860000

trusted library allocation

page read and write

733E000

stack

page read and write

6EBE000

stack

page read and write

2790000

heap

page execute and read and write

1830000

trusted library allocation

page read and write

5842000

trusted library allocation

page read and write

737E000

stack

page read and write

4F60000

heap

page read and write

39B3000

trusted library allocation

page read and write

771F000

stack

page read and write

B46000

trusted library allocation

page execute and read and write

4FA0000

trusted library allocation

page execute and read and write

18B0000

heap

page read and write

1862000

trusted library allocation

page read and write

E5F000

stack

page read and write

4D21000

trusted library allocation

page read and write

E70000

trusted library allocation

page read and write

185A000

trusted library allocation

page execute and read and write

F20000

trusted library allocation

page execute and read and write

6E7E000

stack

page read and write

6FF0000

trusted library allocation

page read and write

B96000

heap

page read and write

162B000

heap

page read and write

2780000

trusted library allocation

page read and write

5EA000

stack

page read and write

334E000

stack

page read and write

4DDF000

trusted library allocation

page read and write

33C6000

trusted library allocation

page read and write

3220000

heap

page read and write

5C5C000

stack

page read and write

1867000

trusted library allocation

page execute and read and write

7380000

trusted library allocation

page read and write

3A9E000

trusted library allocation

page read and write

6A40000

heap

page read and write

6FD0000

trusted library allocation

page read and write

1840000

trusted library allocation

page read and write

59DC000

stack

page read and write

18A0000

trusted library allocation

page execute and read and write

B60000

heap

page read and write

4E10000

trusted library allocation

page read and write

B13000

trusted library allocation

page execute and read and write

6FE0000

trusted library allocation

page read and write

4D26000

trusted library allocation

page read and write

6E90000

trusted library allocation

page read and write

4D90000

trusted library allocation

page read and write

75B0000

heap

page read and write

4D60000

trusted library allocation

page read and write

5862000

trusted library allocation

page read and write

11C0000

heap

page read and write

54EE000

stack

page read and write

1568000

heap

page read and write

58A0000

heap

page read and write

B10000

trusted library allocation

page read and write

1A1E000

stack

page read and write

B30000

heap

page read and write

4E33000

heap

page read and write

51A0000

trusted library allocation

page read and write

B42000

trusted library allocation

page read and write

7010000

trusted library allocation

page read and write

EFC000

stack

page read and write

975000

heap

page read and write

3386000

trusted library allocation

page read and write

B5B000

trusted library allocation

page execute and read and write

3240000

heap

page execute and read and write

B20000

trusted library allocation

page read and write

BDD000

heap

page read and write

8CFF000

stack

page read and write

289E000

stack

page read and write

4F70000

heap

page read and write

6C58000

heap

page read and write

6FF0000

trusted library allocation

page read and write

5180000

trusted library allocation

page read and write

1833000

trusted library allocation

page execute and read and write

A1B0000

heap

page read and write

7147000

trusted library allocation

page read and write

8A58000

trusted library allocation

page read and write

C46000

heap

page read and write

43BB000

trusted library allocation

page read and write

4DE0000

trusted library allocation

page execute and read and write

4E21000

trusted library allocation

page read and write

1834000

trusted library allocation

page read and write

4EE0000

trusted library allocation

page read and write

A8E000

stack

page read and write

761E000

stack

page read and write

7000000

trusted library allocation

page execute and read and write

6FF7000

trusted library allocation

page read and write

6CBA000

heap

page read and write

321C000

stack

page read and write

6EB0000

trusted library section

page read and write

6D7E000

stack

page read and write

8F7000

stack

page read and write

28A0000

trusted library allocation

page read and write

B57000

trusted library allocation

page execute and read and write

4DF0000

trusted library allocation

page execute and read and write

157E000

heap

page read and write

4E30000

heap

page read and write

4D00000

trusted library allocation

page read and write

6CC5000

heap

page read and write

52BD000

stack

page read and write

5A10000

heap

page execute and read and write

7F340000

trusted library allocation

page execute and read and write

F37000

heap

page read and write

4D50000

trusted library allocation

page read and write

703D000

stack

page read and write

2923000

trusted library allocation

page read and write

186B000

trusted library allocation

page execute and read and write

5851000

trusted library allocation

page read and write

1A30000

heap

page read and write

1593000

heap

page read and write

15EC000

heap

page read and write

741E000

stack

page read and write

7040000

trusted library allocation

page read and write

18FE000

stack

page read and write

1A37000

heap

page read and write

B40000

trusted library allocation

page read and write

6CBC000

heap

page read and write

6C85000

heap

page read and write

2770000

trusted library allocation

page read and write

EBE000

stack

page read and write

1893000

heap

page read and write

F00000

heap

page read and write

6BB0000

heap

page read and write

7060000

trusted library allocation

page execute and read and write

B69000

heap

page read and write

6FD8000

trusted library allocation

page read and write

33D2000

trusted library allocation

page read and write

51B0000

heap

page read and write

14F9000

stack

page read and write

5880000

trusted library allocation

page read and write

4351000

trusted library allocation

page read and write

53FE000

stack

page read and write

275E000

stack

page read and write

4F3B000

stack

page read and write

7140000

trusted library allocation

page read and write

4DC0000

heap

page read and write

11BE000

stack

page read and write

3391000

trusted library allocation

page read and write

11E5000

heap

page read and write

7FC90000

trusted library allocation

page execute and read and write

C4C000

heap

page read and write

11E0000

heap

page read and write

79C0000

trusted library section

page read and write

7150000

trusted library allocation

page read and write

960000

heap

page read and write

5870000

trusted library allocation

page read and write

5836000

trusted library allocation

page read and write

6DF0000

trusted library section

page read and write

33C8000

trusted library allocation

page read and write

781F000

stack

page read and write

58BA000

heap

page read and write

1900000

trusted library allocation

page read and write

543E000

stack

page read and write

970000

heap

page read and write

4DD0000

trusted library allocation

page read and write

4FB0000

trusted library allocation

page execute and read and write

33CA000

trusted library allocation

page read and write

339D000

trusted library allocation

page read and write

1631000

heap

page read and write

585D000

trusted library allocation

page read and write

4F84000

trusted library allocation

page read and write

1890000

heap

page read and write

1550000

trusted library allocation

page read and write

584E000

trusted library allocation

page read and write

4F40000

trusted library section

page readonly

5358000

trusted library allocation

page read and write

33DE000

trusted library allocation

page read and write

F30000

heap

page read and write

4F55000

heap

page read and write

6FED000

trusted library allocation

page read and write

1A20000

trusted library allocation

page read and write

6CEE000

stack

page read and write

6C40000

heap

page read and write

4D2C000

trusted library allocation

page read and write

52F0000

heap

page read and write

6DEF000

stack

page read and write

There are 248 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
M.V TBN - VESSEL'S DETAILS.docx.scr.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportM.V TBN - VESSEL'S DETAILS.docx.scr.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
M.V TBN - VESSEL'S DETAILS.docx.scr.exe