Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Remittance_copy.pdf.scr.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.940989799123395
Filename:	Remittance_copy.pdf.scr.exe
Filesize:	980992
MD5:	c52c8f03c7a947a1f84657f2c3283494
SHA1:	6834be8e80716d9cea18d10bcca6aabfdb23572b
SHA256:	39b5db919a6e2320e74753b6fafa6950e8b9a313340345a2eb0f9abf8cd43372
SHA512:	ded8fc22a5616df365bdb40d9ff483afa8d6bc57893fcc082eba54a249c35d1149e1912012e26edc2744867625dbc47446ed8bf4ea5a4c4a434ebfd5414eff65
SSDEEP:	24576:W2q2Fi8ek23cTBRQMBbZxsGualRrwvYh:W2Bi8ek234RZ8balRrwvYh
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a.O...............0.................. ........@.. .......................@............@................................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Software Packing
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains functionality to register a task	System Summary	Scheduled Task/Job Disable or Modify Tools
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools Obfuscated Files or Information
Binary contains paths to development resources	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary	System Information Discovery
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Remittance_copy.pdf.scr.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Remittance_copy.pdf.scr.exe.log
Category:	dropped
Dump:	Remittance_copy.pdf.scr.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.349842958726647
Encrypted:	false
Ssdeep:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKharkvoDLI4MWuCq1KDLI4Mq92n4M6:ML9E4KlKDE4KhKiKhIE4Kx1qE4x84j
Size:	706
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Binary contains paths to development resources	System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe

"C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6632
Target ID:	0
Parent PID:	2580
Name:	Remittance_copy.pdf.scr.exe
Path:	C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe
Commandline:	"C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe"
Size:	980992
MD5:	C52C8F03C7A947A1F84657F2C3283494
Time:	15:54:56
Date:	07/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xe80000
Modulesize:	999424
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Uses an obfuscated file name to hide its real file extension (double extension)	Hooking and other Techniques for Hiding and Protection	Masquerading Obfuscated Files or Information
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Binary contains paths to development resources	System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe

"C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4020
Target ID:	1
Parent PID:	6632
Name:	Remittance_copy.pdf.scr.exe
Path:	C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe
Commandline:	"C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe"
Size:	980992
MD5:	C52C8F03C7A947A1F84657F2C3283494
Time:	15:54:57
Date:	07/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xca0000
Modulesize:	999424
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Uses an obfuscated file name to hide its real file extension (double extension)	Hooking and other Techniques for Hiding and Protection	Masquerading Obfuscated Files or Information
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
Binary contains paths to development resources	System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://scratchdreams.tk/_send_.php?TS

104.21.27.85

https://reallyfreegeoip.org

unknown

http://checkip.dyndns.org

unknown

http://checkip.dyndns.org/

132.226.247.73

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://reallyfreegeoip.org/xml/102.129.152.231$

unknown

http://checkip.dyndns.org/q

unknown

https://reallyfreegeoip.org(

unknown

https://scratchdreams.tk

unknown

https://reallyfreegeoip.org/xml/102.129.152.231

172.67.177.134

http://mail.qoldenfrontier.com

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 2 hidden URLs, click here to show them.

Domains

Name

Malicious

mail.qoldenfrontier.com

108.167.142.65

Details

Name:	mail.qoldenfrontier.com
IP:	108.167.142.65
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

reallyfreegeoip.org

172.67.177.134

Details

Name:	reallyfreegeoip.org
IP:	172.67.177.134
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

scratchdreams.tk

104.21.27.85

Details

Name:	scratchdreams.tk
IP:	104.21.27.85
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

checkip.dyndns.com

132.226.247.73

IPs

Domain

Country

Malicious

108.167.142.65

mail.qoldenfrontier.com

United States

Details

IP:	108.167.142.65
TargetID:	1
Current Path:	C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe
Country:	United States
Countrycode:	USA
ASN number:	46606
ASN name:	UNIFIEDLAYER-AS-1US
Private:	false
Domain:	mail.qoldenfrontier.com

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

172.67.177.134

reallyfreegeoip.org

United States

Details

IP:	172.67.177.134
TargetID:	1
Current Path:	C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

104.21.27.85

scratchdreams.tk

United States

Details

IP:	104.21.27.85
TargetID:	1
Current Path:	C:\Users\user\Desktop\Remittance_copy.pdf.scr.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	scratchdreams.tk

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

132.226.247.73

checkip.dyndns.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Remittance_copy_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Remittance_copy_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Remittance_copy_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Remittance_copy_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Remittance_copy_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Remittance_copy_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Remittance_copy_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Remittance_copy_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Remittance_copy_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Remittance_copy_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Remittance_copy_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Remittance_copy_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Remittance_copy_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Remittance_copy_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

317A000

trusted library allocation

page read and write

3071000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

4464000

trusted library allocation

page read and write

331D000

trusted library allocation

page read and write

347B000

trusted library allocation

page read and write

34BF000

trusted library allocation

page read and write

5850000

trusted library section

page read and write

330B000

trusted library allocation

page read and write

31FF000

trusted library allocation

page read and write

690A000

heap

page read and write

1595000

heap

page read and write

32DE000

trusted library allocation

page read and write

5C10000

trusted library allocation

page read and write

1A30000

trusted library allocation

page read and write

3020000

trusted library allocation

page read and write

3340000

trusted library allocation

page read and write

1650000

trusted library allocation

page read and write

3060000

heap

page read and write

3046000

trusted library allocation

page read and write

6D64000

trusted library allocation

page read and write

1448000

heap

page read and write

1767000

trusted library allocation

page execute and read and write

31C1000

trusted library allocation

page read and write

3355000

trusted library allocation

page read and write

6E40000

trusted library allocation

page read and write

5870000

heap

page read and write

590D000

stack

page read and write

168A000

trusted library allocation

page execute and read and write

57E0000

trusted library allocation

page read and write

1337000

stack

page read and write

327C000

trusted library allocation

page read and write

17F0000

trusted library allocation

page read and write

32C0000

trusted library allocation

page read and write

1670000

trusted library allocation

page read and write

152E000

heap

page read and write

15A1000

heap

page read and write

31F5000

trusted library allocation

page read and write

1682000

trusted library allocation

page read and write

3391000

trusted library allocation

page read and write

6E30000

trusted library allocation

page read and write

1528000

heap

page read and write

1520000

heap

page read and write

3157000

trusted library allocation

page read and write

3119000

trusted library allocation

page read and write

3115000

trusted library allocation

page read and write

582E000

stack

page read and write

6DF6000

trusted library allocation

page read and write

303A000

trusted library allocation

page read and write

5AF5000

trusted library allocation

page read and write

5AE1000

trusted library allocation

page read and write

3360000

heap

page read and write

321E000

trusted library allocation

page read and write

5AC2000

trusted library allocation

page read and write

1430000

trusted library allocation

page execute and read and write

30C1000

trusted library allocation

page read and write

4371000

trusted library allocation

page read and write

30EB000

trusted library allocation

page read and write

3317000

trusted library allocation

page read and write

6D80000

trusted library allocation

page read and write

33A4000

trusted library allocation

page read and write

315A000

trusted library allocation

page read and write

34C8000

trusted library allocation

page read and write

32C5000

trusted library allocation

page read and write

6B6D000

stack

page read and write

336A000

trusted library allocation

page read and write

40F5000

trusted library allocation

page read and write

167D000

trusted library allocation

page execute and read and write

339B000

trusted library allocation

page read and write

3374000

trusted library allocation

page read and write

17CE000

stack

page read and write

67AE000

stack

page read and write

34E5000

trusted library allocation

page read and write

31EB000

trusted library allocation

page read and write

1690000

trusted library allocation

page read and write

5C0E000

stack

page read and write

3350000

trusted library allocation

page read and write

1697000

trusted library allocation

page execute and read and write

5683000

heap

page read and write

1660000

trusted library allocation

page read and write

1A40000

heap

page read and write

166D000

trusted library allocation

page execute and read and write

1450000

heap

page read and write

57D0000

trusted library allocation

page read and write

103A000

stack

page read and write

6D39000

trusted library allocation

page read and write

303E000

trusted library allocation

page read and write

3348000

trusted library allocation

page read and write

34B5000

trusted library allocation

page read and write

5078000

trusted library allocation

page read and write

1137000

stack

page read and write

1664000

trusted library allocation

page read and write

57C9000

trusted library allocation

page read and write

3121000

trusted library allocation

page read and write

5AC0000

trusted library allocation

page read and write

6D50000

trusted library allocation

page read and write

34D2000

trusted library allocation

page read and write

1695000

trusted library allocation

page execute and read and write

1531000

heap

page read and write

520E000

stack

page read and write

1470000

heap

page read and write

3407000

trusted library allocation

page read and write

1400000

trusted library allocation

page read and write

40FF000

trusted library allocation

page read and write

5C3E000

trusted library allocation

page read and write

6E50000

trusted library allocation

page execute and read and write

6A2E000

stack

page read and write

33D3000

trusted library allocation

page read and write

5554000

trusted library allocation

page read and write

30E7000

trusted library allocation

page read and write

68B0000

heap

page read and write

173D000

trusted library allocation

page execute and read and write

57B0000

trusted library allocation

page read and write

6D3C000

trusted library allocation

page read and write

3285000

trusted library allocation

page read and write

1580000

heap

page read and write

3312000

trusted library allocation

page read and write

1A36000

trusted library allocation

page read and write

5570000

heap

page read and write

3472000

trusted library allocation

page read and write

320B000

trusted library allocation

page read and write

1A0E000

stack

page read and write

3125000

trusted library allocation

page read and write

3387000

trusted library allocation

page read and write

16FE000

stack

page read and write

14BE000

stack

page read and write

3485000

trusted library allocation

page read and write

3424000

trusted library allocation

page read and write

31B3000

trusted library allocation

page read and write

33DD000

trusted library allocation

page read and write

57CE000

trusted library allocation

page read and write

15CE000

heap

page read and write

6D2D000

stack

page read and write

3359000

trusted library allocation

page read and write

5A6E000

stack

page read and write

6D70000

trusted library allocation

page execute and read and write

3268000

trusted library allocation

page read and write

3178000

trusted library allocation

page read and write

322D000

trusted library allocation

page read and write

302E000

trusted library allocation

page read and write

1734000

trusted library allocation

page read and write

16B0000

trusted library allocation

page read and write

6D90000

trusted library allocation

page read and write

31A0000

trusted library allocation

page read and write

312D000

trusted library allocation

page read and write

1756000

trusted library allocation

page execute and read and write

31B9000

trusted library allocation

page read and write

30D9000

trusted library allocation

page read and write

345E000

trusted library allocation

page read and write

33F3000

trusted library allocation

page read and write

5ADE000

trusted library allocation

page read and write

4071000

trusted library allocation

page read and write

145F000

heap

page read and write

69EE000

stack

page read and write

1370000

heap

page read and write

337E000

trusted library allocation

page read and write

13FD000

stack

page read and write

5C20000

trusted library allocation

page execute and read and write

5885000

heap

page read and write

676E000

stack

page read and write

171F000

stack

page read and write

3206000

trusted library allocation

page read and write

302B000

trusted library allocation

page read and write

1680000

trusted library allocation

page read and write

30E3000

trusted library allocation

page read and write

2FEE000

stack

page read and write

32E7000

trusted library allocation

page read and write

5B8E000

stack

page read and write

62EF000

stack

page read and write

173C000

stack

page read and write

1780000

trusted library allocation

page read and write

1563000

heap

page read and write

5A70000

trusted library section

page read and write

325F000

trusted library allocation

page read and write

33B8000

trusted library allocation

page read and write

5780000

heap

page execute and read and write

1556000

heap

page read and write

1760000

trusted library allocation

page read and write

5550000

trusted library allocation

page read and write

17D0000

heap

page execute and read and write

5A0F000

stack

page read and write

6D30000

trusted library allocation

page read and write

33FD000

trusted library allocation

page read and write

1190000

heap

page read and write

1270000

heap

page read and write

17F5000

trusted library allocation

page read and write

691F000

heap

page read and write

5AE6000

trusted library allocation

page read and write

31A9000

trusted library allocation

page read and write

34EF000

trusted library allocation

page read and write

1800000

heap

page read and write

323D000

trusted library allocation

page read and write

33C9000

trusted library allocation

page read and write

15AD000

heap

page read and write

1740000

heap

page read and write

341A000

trusted library allocation

page read and write

68AE000

stack

page read and write

17E0000

trusted library allocation

page execute and read and write

159B000

heap

page read and write

6E27000

trusted library allocation

page read and write

5A4E000

stack

page read and write

33B6000

trusted library allocation

page read and write

3454000

trusted library allocation

page read and write

31E2000

trusted library allocation

page read and write

30CD000

trusted library allocation

page read and write

1290000

heap

page read and write

5ACB000

trusted library allocation

page read and write

1591000

heap

page read and write

1692000

trusted library allocation

page read and write

176B000

trusted library allocation

page execute and read and write

1720000

trusted library allocation

page read and write

5B4E000

stack

page read and write

5560000

trusted library allocation

page read and write

190E000

stack

page read and write

33E6000

trusted library allocation

page read and write

32CE000

stack

page read and write

5730000

trusted library allocation

page read and write

32E3000

trusted library allocation

page read and write

6C2D000

stack

page read and write

3272000

trusted library allocation

page read and write

335D000

trusted library allocation

page read and write

348E000

trusted library allocation

page read and write

1663000

trusted library allocation

page execute and read and write

328C000

trusted library allocation

page read and write

3041000

trusted library allocation

page read and write

31D5000

trusted library allocation

page read and write

57C0000

trusted library allocation

page read and write

E80000

unkown

page readonly

40DB000

trusted library allocation

page read and write

33AE000

trusted library allocation

page read and write

1730000

trusted library allocation

page read and write

E82000

unkown

page readonly

1469000

heap

page read and write

12FD000

stack

page read and write

6D37000

trusted library allocation

page read and write

4099000

trusted library allocation

page read and write

1440000

heap

page read and write

3371000

trusted library allocation

page read and write

1750000

trusted library allocation

page read and write

34A2000

trusted library allocation

page read and write

3411000

trusted library allocation

page read and write

12B0000

heap

page read and write

1615000

heap

page read and write

3010000

trusted library allocation

page read and write

546E000

stack

page read and write

6D85000

trusted library allocation

page read and write

147B000

heap

page read and write

1744000

trusted library allocation

page read and write

14D9000

heap

page read and write

123C000

stack

page read and write

5840000

trusted library allocation

page read and write

5680000

heap

page read and write

3214000

trusted library allocation

page read and write

34DC000

trusted library allocation

page read and write

5BCE000

stack

page read and write

5845000

trusted library allocation

page read and write

5C30000

trusted library allocation

page read and write

324C000

trusted library allocation

page read and write

3247000

trusted library allocation

page read and write

6A6D000

stack

page read and write

3498000

trusted library allocation

page read and write

4102000

trusted library allocation

page read and write

3131000

trusted library allocation

page read and write

3361000

trusted library allocation

page read and write

2FF0000

heap

page execute and read and write

14FE000

stack

page read and write

6D82000

trusted library allocation

page read and write

34F6000

trusted library allocation

page read and write

666E000

stack

page read and write

5860000

heap

page execute and read and write

6D40000

trusted library allocation

page execute and read and write

342E000

trusted library allocation

page read and write

3000000

trusted library allocation

page execute and read and write

311D000

trusted library allocation

page read and write

3233000

trusted library allocation

page read and write

3129000

trusted library allocation

page read and write

3352000

trusted library allocation

page read and write

32CB000

trusted library allocation

page read and write

1540000

heap

page read and write

1A10000

trusted library allocation

page read and write

57C4000

trusted library allocation

page read and write

3255000

trusted library allocation

page read and write

642F000

stack

page read and write

3228000

trusted library allocation

page read and write

34AB000

trusted library allocation

page read and write

4113000

trusted library allocation

page read and write

3468000

trusted library allocation

page read and write

169B000

trusted library allocation

page execute and read and write

5AC4000

trusted library allocation

page read and write

3437000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

161E000

heap

page read and write

344A000

trusted library allocation

page read and write

32D4000

trusted library allocation

page read and write

304D000

trusted library allocation

page read and write

31CB000

trusted library allocation

page read and write

63EE000

stack

page read and write

3441000

trusted library allocation

page read and write

33C0000

trusted library allocation

page read and write

175A000

trusted library allocation

page execute and read and write

6E20000

trusted library allocation

page read and write

319A000

trusted library allocation

page read and write

1733000

trusted library allocation

page execute and read and write

34FB000

trusted library allocation

page read and write

1686000

trusted library allocation

page execute and read and write

There are 295 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Remittance_copy.pdf.scr.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportRemittance_copy.pdf.scr.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Remittance_copy.pdf.scr.exe