Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

shipping documents.exe

PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy:	7.969366771382698
Filename:	shipping documents.exe
Filesize:	814485
MD5:	7805fa9669d8eee949ec8ae59ab595f0
SHA1:	69dcb0498aaf2176629a4d516056e95ede493b8c
SHA256:	637e96ec91a77bc1a8bd1b8ff7f0fc027ce9c6ad579980ad7bda632cf500a3d8
SHA512:	8ee5fe77a2e415848440acad2d11decca6b8a8e46de89cf7a865b3c9774d072a8bb01fdc81296fe894124c940181c741f9cdb3c33da938a404c07f9630780c81
SSDEEP:	24576:tthEVaPqLqx/VZSJRoQKl4+qxwzZdeP8XQs:VEVUcq3ZKRYl4+iUXQs
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion	Access Token Manipulation Security Software Discovery
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Masquerading Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts
Contains functionality to launch a process as a different user	System Summary
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation Access Token Manipulation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Access Token Manipulation
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion	Masquerading
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Access Token Manipulation Encrypted Channel
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API Access Token Manipulation
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Access Token Manipulation System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
Contains functionality for error logging	System Summary	Access Token Manipulation
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to check free disk space	System Summary
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery System Information Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	Access Token Manipulation
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Discovery
Reads ini files	System Summary
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\boqXv.exe.log

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\boqXv.exe.log
Category:	modified
Dump:	boqXv.exe.log.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.090621108356562
Encrypted:	false
Ssdeep:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
Size:	142
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\nonplacental

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\nonplacental
Category:	dropped
Dump:	nonplacental.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\shipping documents.exe
Type:	data
Entropy:	6.7720043307131785
Encrypted:	false
Ssdeep:	6144:mhMTsqfXsU0IfS0r7Sgqv1L0J5Zr1YAr0KIw:PLfh0Ob7Sz9LI11YAB
Size:	241664
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Roaming\boqXv\boqXv.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

modified

Details

File:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
Category:	modified
Dump:	boqXv.exe.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.16795797263964
Encrypted:	false
Ssdeep:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
Size:	45984
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses Microsoft Silverlight	System Summary

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.7.dr
ID:	dr_4
Target ID:	7
Process:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.442398121585593
Encrypted:	false
Ssdeep:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
Size:	1141
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\shipping documents.exe

"C:\Users\user\Desktop\shipping documents.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7280
Target ID:	0
Parent PID:	2580
Name:	shipping documents.exe
Path:	C:\Users\user\Desktop\shipping documents.exe
Commandline:	"C:\Users\user\Desktop\shipping documents.exe"
Size:	814485
MD5:	7805FA9669D8EEE949EC8AE59AB595F0
Time:	02:59:59
Date:	26/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	794624
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\shipping documents.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7336
Target ID:	1
Parent PID:	7280
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\shipping documents.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	03:00:02
Date:	26/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xc30000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\boqXv\boqXv.exe

"C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7508
Target ID:	2
Parent PID:	2580
Name:	boqXv.exe
Path:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
Commandline:	"C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	03:00:12
Date:	26/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x8d0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Roaming\boqXv\boqXv.exe

"C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7776
Target ID:	7
Parent PID:	2580
Name:	boqXv.exe
Path:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe
Commandline:	"C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	03:00:20
Date:	26/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0xc00000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7520
Target ID:	3
Parent PID:	7508
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	03:00:12
Date:	26/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7788
Target ID:	8
Parent PID:	7776
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	03:00:20
Date:	26/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\shipping documents.exe
Source:	shipping documents.exe, 00000000.00000002.1723625302.0000000002FE0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2932240868.0000000000402000.00000040.80000000.00040000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://mail.naveentour.com

unknown

Domains

Name

Malicious

mail.naveentour.com

162.214.80.31

Details

Name:	mail.naveentour.com
IP:	162.214.80.31
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

162.214.80.31

mail.naveentour.com

United States

Details

IP:	162.214.80.31
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	46606
ASN name:	UNIFIEDLAYER-AS-1US
Private:	false
Domain:	mail.naveentour.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

boqXv

Details

TargetID:	1
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	boqXv
Value data:	C:\Users\user\AppData\Roaming\boqXv\boqXv.exe

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

Memdumps

Base Address

Regiontype

Protect

Malicious

30E2000

trusted library allocation

page read and write

3091000

trusted library allocation

page read and write

402000

system

page execute and read and write

2FE0000

direct allocation

page read and write

30EA000

trusted library allocation

page read and write

3F36000

heap

page read and write

6CD0000

heap

page read and write

3EF1000

heap

page read and write

5BE0000

trusted library allocation

page read and write

400000

unkown

page readonly

43CC000

heap

page read and write

3F6F000

heap

page read and write

3ED0000

heap

page read and write

47A9000

direct allocation

page read and write

1100000

trusted library allocation

page read and write

542E000

stack

page read and write

3EC6000

heap

page read and write

47A9000

direct allocation

page read and write

53EF000

stack

page read and write

1155000

heap

page read and write

65D7000

trusted library allocation

page read and write

65D0000

trusted library allocation

page read and write

146D000

trusted library allocation

page execute and read and write

143F000

stack

page read and write

44E0000

direct allocation

page read and write

10E0000

trusted library allocation

page read and write

9E0000

heap

page read and write

47AD000

direct allocation

page read and write

4603000

direct allocation

page read and write

51E0000

heap

page execute and read and write

1330000

heap

page read and write

5552000

trusted library allocation

page read and write

3E86000

heap

page read and write

3CD1000

trusted library allocation

page read and write

3EF1000

heap

page read and write

4680000

direct allocation

page read and write

2FDE000

stack

page read and write

CFA000

stack

page read and write

1120000

trusted library allocation

page read and write

12C3000

trusted library allocation

page execute and read and write

10E7000

trusted library allocation

page execute and read and write

2F31000

trusted library allocation

page read and write

4B5000

unkown

page execute and read and write

3F40000

heap

page read and write

1277000

heap

page read and write

43E000

system

page execute and read and write

401000

unkown

page execute and read and write

656C000

trusted library allocation

page read and write

1B0000

heap

page read and write

19E000

stack

page read and write

12D4000

trusted library allocation

page read and write

2FEC000

heap

page read and write

2EF6000

heap

page read and write

116E000

stack

page read and write

1130000

trusted library allocation

page read and write

5546000

trusted library allocation

page read and write

4680000

direct allocation

page read and write

37EE000

stack

page read and write

552B000

trusted library allocation

page read and write

1000000

heap

page read and write

44E0000

direct allocation

page read and write

5510000

trusted library allocation

page read and write

3F6E000

heap

page read and write

1820000

heap

page read and write

3EF1000

heap

page read and write

47A9000

direct allocation

page read and write

6580000

trusted library allocation

page execute and read and write

53E0000

trusted library allocation

page execute and read and write

1098000

heap

page read and write

4603000

direct allocation

page read and write

6CE0000

trusted library allocation

page execute and read and write

1030000

heap

page read and write

10A0000

trusted library allocation

page read and write

3E82000

heap

page read and write

47AD000

direct allocation

page read and write

3F4C000

heap

page read and write

481E000

direct allocation

page read and write

10B4000

trusted library allocation

page read and write

3F6E000

heap

page read and write

10CD000

trusted library allocation

page execute and read and write

1330000

trusted library allocation

page execute and read and write

6547000

trusted library allocation

page read and write

3F38000

heap

page read and write

66C0000

trusted library allocation

page read and write

4680000

direct allocation

page read and write

1350000

heap

page read and write

44E0000

direct allocation

page read and write

1490000

heap

page read and write

3EF1000

heap

page read and write

1310000

trusted library allocation

page read and write

4F6C000

stack

page read and write

8D2000

unkown

page readonly

2BC0000

heap

page execute and read and write

51CE000

stack

page read and write

4603000

direct allocation

page read and write

100000

heap

page read and write

10C0000

trusted library allocation

page read and write

4091000

trusted library allocation

page read and write

65CD000

stack

page read and write

4603000

direct allocation

page read and write

5560000

trusted library allocation

page read and write

1140000

heap

page read and write

1450000

trusted library allocation

page read and write

5541000

trusted library allocation

page read and write

5BDE000

stack

page read and write

4B1000

unkown

page execute and read and write

D99000

stack

page read and write

55B0000

heap

page execute and read and write

3EF1000

heap

page read and write

90E000

stack

page read and write

6560000

trusted library allocation

page read and write

3DEF000

heap

page read and write

104E000

heap

page read and write

3BF0000

heap

page read and write

109F000

stack

page read and write

3EF1000

heap

page read and write

595F000

stack

page read and write

2EB0000

trusted library allocation

page execute and read and write

11E8000

heap

page read and write

E9E000

stack

page read and write

E5E000

stack

page read and write

666F000

stack

page read and write

9D0000

heap

page read and write

3E76000

heap

page read and write

2E60000

trusted library allocation

page read and write

10EB000

trusted library allocation

page execute and read and write

55AE000

stack

page read and write

2E4B000

trusted library allocation

page execute and read and write

518E000

stack

page read and write

3F6C000

heap

page read and write

3DDC000

heap

page read and write

477000

unkown

page execute and write copy

3BEF000

stack

page read and write

1239000

heap

page read and write

3E76000

heap

page read and write

44E0000

direct allocation

page read and write

481E000

direct allocation

page read and write

2ED0000

heap

page read and write

30F6000

trusted library allocation

page read and write

3EF1000

heap

page read and write

2E42000

trusted library allocation

page read and write

47AD000

direct allocation

page read and write

481E000

direct allocation

page read and write

3CF0000

heap

page read and write

124F000

stack

page read and write

3E38000

heap

page read and write

10C4000

trusted library allocation

page read and write

9A000

stack

page read and write

3EB7000

heap

page read and write

2EC0000

trusted library allocation

page read and write

5526000

trusted library allocation

page read and write

4BA000

unkown

page read and write

3DE6000

heap

page read and write

1160000

heap

page read and write

571F000

stack

page read and write

DC9000

stack

page read and write

3F6D000

heap

page read and write

1C0000

heap

page read and write

50CC000

stack

page read and write

6540000

trusted library allocation

page read and write

552F000

stack

page read and write

47A9000

direct allocation

page read and write

1486000

trusted library allocation

page execute and read and write

94E000

stack

page read and write

2E47000

trusted library allocation

page execute and read and write

1453000

trusted library allocation

page execute and read and write

D00000

heap

page read and write

128E000

stack

page read and write

4603000

direct allocation

page read and write

3F6F000

heap

page read and write

552E000

trusted library allocation

page read and write

1030000

heap

page read and write

11AE000

stack

page read and write

3EF1000

heap

page read and write

3EF1000

heap

page read and write

D20000

heap

page read and write

3EF1000

heap

page read and write

481E000

direct allocation

page read and write

3EC7000

heap

page execute and read and write

2EE5000

heap

page read and write

55FC000

stack

page read and write

51CE000

stack

page read and write

3EF1000

heap

page read and write

3E76000

heap

page read and write

3EF1000

heap

page read and write

1059000

heap

page read and write

D96000

heap

page read and write

12B0000

trusted library allocation

page read and write

12DD000

trusted library allocation

page execute and read and write

4DCD000

stack

page read and write

3F66000

heap

page read and write

148A000

trusted library allocation

page execute and read and write

2EFF000

stack

page read and write

3F6F000

heap

page read and write

42FB000

heap

page read and write

3F6E000

heap

page read and write

3EF1000

heap

page read and write

66AE000

stack

page read and write

47AD000

direct allocation

page read and write

4680000

direct allocation

page read and write

D28000

heap

page read and write

506E000

stack

page read and write

3F01000

heap

page read and write

490000

unkown

page execute and read and write

7FDF0000

trusted library allocation

page execute and read and write

553A000

trusted library allocation

page read and write

3C8D000

heap

page read and write

3E85000

heap

page read and write

1440000

trusted library allocation

page read and write

12F7000

trusted library allocation

page execute and read and write

1065000

heap

page read and write

145D000

trusted library allocation

page execute and read and write

2D2E000

stack

page read and write

12CC000

stack

page read and write

2F10000

trusted library allocation

page read and write

1460000

trusted library allocation

page read and write

11E5000

heap

page read and write

2F00000

trusted library allocation

page read and write

8BF000

stack

page read and write

3EF1000

heap

page read and write

6300000

heap

page read and write

17F0000

heap

page read and write

2E45000

trusted library allocation

page execute and read and write

2FE8000

trusted library allocation

page read and write

97A000

heap

page read and write

40B9000

trusted library allocation

page read and write

10B3000

trusted library allocation

page execute and read and write

128C000

heap

page read and write

66B0000

trusted library allocation

page read and write

2DF0000

heap

page read and write

97E000

heap

page read and write

3EF1000

heap

page read and write

30A0000

heap

page read and write

D57000

heap

page read and write

52EE000

stack

page read and write

2DD0000

heap

page read and write

8D0000

unkown

page readonly

110000

heap

page read and write

1300000

heap

page read and write

EC0000

heap

page read and write

3EF0000

heap

page read and write

47AD000

direct allocation

page read and write

585E000

stack

page read and write

2CCE000

stack

page read and write

4B8000

unkown

page execute and write copy

EC5000

heap

page read and write

4680000

direct allocation

page read and write

1400000

heap

page read and write

D4A000

heap

page read and write

6CF0000

heap

page read and write

3BF1000

heap

page read and write

686E000

stack

page read and write

153F000

stack

page read and write

11B0000

heap

page read and write

96C000

stack

page read and write

5570000

trusted library allocation

page read and write

3F6E000

heap

page read and write

11B0000

heap

page read and write

400000

system

page execute and read and write

55EE000

stack

page read and write

123F000

stack

page read and write

2CD1000

trusted library allocation

page read and write

1482000

trusted library allocation

page read and write

2E40000

trusted library allocation

page read and write

1470000

heap

page read and write

3E76000

heap

page read and write

1150000

heap

page read and write

575E000

stack

page read and write

3F6E000

heap

page read and write

1454000

trusted library allocation

page read and write

3F6F000

heap

page read and write

3ED0000

heap

page read and write

970000

heap

page read and write

44E0000

direct allocation

page read and write

8DA000

unkown

page readonly

2EE0000

heap

page read and write

D43000

heap

page read and write

481E000

direct allocation

page read and write

6550000

trusted library allocation

page read and write

D3E000

heap

page read and write

11B5000

heap

page read and write

599E000

stack

page read and write

6570000

trusted library allocation

page execute and read and write

553E000

trusted library allocation

page read and write

15E000

stack

page read and write

1110000

trusted library allocation

page execute and read and write

3E71000

heap

page read and write

5660000

heap

page read and write

5A9E000

stack

page read and write

5653000

heap

page read and write

3EF1000

heap

page read and write

563E000

stack

page read and write

400000

unkown

page readonly

30E0000

trusted library allocation

page read and write

CCA000

stack

page read and write

585C000

stack

page read and write

5520000

trusted library allocation

page read and write

4680000

direct allocation

page read and write

3FE5000

heap

page read and write

47A9000

direct allocation

page read and write

3F31000

trusted library allocation

page read and write

12CD000

trusted library allocation

page execute and read and write

C9C000

stack

page read and write

47A9000

direct allocation

page read and write

3E76000

heap

page read and write

3FE4000

heap

page read and write

12D0000

trusted library allocation

page read and write

30A4000

heap

page read and write

4603000

direct allocation

page read and write

3E81000

heap

page read and write

1540000

heap

page read and write

3F6E000

heap

page read and write

3080000

heap

page execute and read and write

5650000

heap

page read and write

481E000

direct allocation

page read and write

12F0000

trusted library allocation

page read and write

3E1F000

heap

page read and write

2F20000

heap

page execute and read and write

10BD000

trusted library allocation

page execute and read and write

554D000

trusted library allocation

page read and write

12FB000

trusted library allocation

page execute and read and write

5532000

trusted library allocation

page read and write

1480000

trusted library allocation

page read and write

3ECB000

heap

page read and write

2EAE000

stack

page read and write

44E0000

direct allocation

page read and write

4BA000

unkown

page write copy

54AE000

stack

page read and write

1053000

heap

page read and write

11CE000

heap

page read and write

11DA000

heap

page read and write

9A9000

heap

page read and write

1010000

heap

page read and write

11B8000

heap

page read and write

4A7000

unkown

page execute and read and write

1320000

trusted library allocation

page execute and read and write

12C4000

trusted library allocation

page read and write

3F5E000

heap

page read and write

3DEA000

heap

page read and write

5BE9000

trusted library allocation

page read and write

12AB000

heap

page read and write

3C6E000

heap

page read and write

47AD000

direct allocation

page read and write

163F000

stack

page read and write

5610000

heap

page execute and read and write

1038000

heap

page read and write

40FB000

trusted library allocation

page read and write

3F6E000

heap

page read and write

5ADD000

stack

page read and write

There are 339 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
shipping documents.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportshipping documents.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
shipping documents.exe