Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Comprobante9404638600.pdf.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.952787946949966
Filename:	Comprobante9404638600.pdf.exe
Filesize:	1048064
MD5:	5f731c605373e3d531daaf6f90070806
SHA1:	6c1a44be89024ffbf1c895dfdba695ecb3f66f44
SHA256:	81d09835289b7c6466a5321f39e0081a6c905614d303f79e15f0f6bcbf993fee
SHA512:	0c498e630d6b6af3114420603c66987be5fe33530294eea91de434b8564ba837a66400d1f214b9567cc01a521605cec2a4c17efef558aabde066da31c34f47f9
SSDEEP:	24576:lAHnh+eWsN3skA4RV1Hom2KXMmHa9PF53D8RJnqA5:Uh+ZkldoPK8Ya9953A7F
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary	System Information Discovery
Multi AV Scanner detection for submitted file	AV Detection
Binary is likely a compiled AutoIt script file	System Summary
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts
Contains functionality to launch a process as a different user	System Summary	Native API
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation Access Token Manipulation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Access Token Manipulation Process Discovery
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Access Token Manipulation System Time Discovery Process Discovery Encrypted Channel
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation System Time Discovery
Found potential string decryption / allocating functions	System Summary
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Access Token Manipulation System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
Contains functionality for error logging	System Summary	Access Token Manipulation
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Access Token Manipulation Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Program exit points	Malware Analysis System Evasion
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Users\user\AppData\Local\Temp\atule

ASCII text, with very long lines (29732), with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\atule
Category:	dropped
Dump:	atule.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\Comprobante9404638600.pdf.exe
Type:	ASCII text, with very long lines (29732), with no line terminators
Entropy:	3.5540183199792557
Encrypted:	false
Ssdeep:	768:ciTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbeE+IH6w54vfF3if6gyG:ciTZ+2QoioGRk6ZklputwjpjBkCiw2RP
Size:	29732
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\aut2E3C.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut2E3C.tmp
Category:	dropped
Dump:	aut2E3C.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Comprobante9404638600.pdf.exe
Type:	data
Entropy:	7.922540687252335
Encrypted:	false
Ssdeep:	3072:o7yQSWFzvimEJNuJmExreiPSVcIPAvJmWfSwL/wGkGy5u6:8ybWJDE36mExKiPuRPeIG7y5u6
Size:	157920
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\aut2ED9.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut2ED9.tmp
Category:	dropped
Dump:	aut2ED9.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\Comprobante9404638600.pdf.exe
Type:	data
Entropy:	7.588327881962505
Encrypted:	false
Ssdeep:	192:9fDyaFcK3QWLatF8+sVVNxIx4/wVfoYqyy2EB4/8N2TuC:95F733WTqN00wVfoYJEBCuC
Size:	9962
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\nonplacental

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\nonplacental
Category:	dropped
Dump:	nonplacental.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Comprobante9404638600.pdf.exe
Type:	data
Entropy:	6.774305751927982
Encrypted:	false
Ssdeep:	6144:v1vKliMPLd4+bzt1kc3Lf+m+E2KJFyYcGRhCoMZCBumL4Lh7d/MBV:v5KliMPLd4+Prjz2KJF7fRjUcDFBV
Size:	240640
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Comprobante9404638600.pdf.exe

"C:\Users\user\Desktop\Comprobante9404638600.pdf.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6832
Target ID:	0
Parent PID:	2580
Name:	Comprobante9404638600.pdf.exe
Path:	C:\Users\user\Desktop\Comprobante9404638600.pdf.exe
Commandline:	"C:\Users\user\Desktop\Comprobante9404638600.pdf.exe"
Size:	1048064
MD5:	5F731C605373E3D531DAAF6F90070806
Time:	17:11:56
Date:	16/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x420000
Modulesize:	1073152
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Suspicious Double Extension File Execution	System Summary
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Binary is likely a compiled AutoIt script file	System Summary
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Uses an obfuscated file name to hide its real file extension (double extension)	Hooking and other Techniques for Hiding and Protection	Masquerading Obfuscated Files or Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\Comprobante9404638600.pdf.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6880
Target ID:	1
Parent PID:	6832
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\Comprobante9404638600.pdf.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	17:11:57
Date:	16/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xee0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://r3.i.lencr.org/0/

unknown

Details

Name:	http://r3.i.lencr.org/0/
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.2885050903.000000000320A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2884344936.0000000001585000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2886771112.00000000064E0000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://r3.o.lencr.org0

unknown

Details

Name:	http://r3.o.lencr.org0
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.2885050903.000000000320A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2884344936.0000000001585000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2886771112.00000000064E0000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://itzayanaland.com

unknown

http://mail.itzayanaland.com

unknown

Details

Name:	http://mail.itzayanaland.com
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.2885050903.000000000320A000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for domain / URL	AV Detection
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\Comprobante9404638600.pdf.exe
Source:	Comprobante9404638600.pdf.exe, 00000000.00000002.1636614688.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2883498269.0000000000402000.00000040.80000000.00040000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://x1.c.lencr.org/0

unknown

Details

Name:	http://x1.c.lencr.org/0
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.2884536099.00000000015EA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885050903.000000000320A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2884344936.0000000001585000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2886771112.00000000064E0000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://x1.i.lencr.org/0

unknown

Details

Name:	http://x1.i.lencr.org/0
TargetID:	1
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000001.00000002.2884536099.00000000015EA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885050903.000000000320A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2884344936.0000000001585000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2886771112.00000000064E0000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

mail.itzayanaland.com

unknown

Details

Name:	mail.itzayanaland.com
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

itzayanaland.com

107.161.75.133

Details

Name:	itzayanaland.com
IP:	107.161.75.133
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

107.161.75.133

itzayanaland.com

Canada

Details

IP:	107.161.75.133
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	Canada
Countrycode:	CAN
ASN number:	32613
ASN name:	IWEB-ASCA
Private:	false
Domain:	itzayanaland.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

Memdumps

Base Address

Regiontype

Protect

Malicious

402000

system

page execute and read and write

3C70000

direct allocation

page read and write

31B1000

trusted library allocation

page read and write

322C000

trusted library allocation

page read and write

3202000

trusted library allocation

page read and write

5710000

heap

page read and write

5D98000

trusted library allocation

page read and write

15EA000

heap

page read and write

4190000

direct allocation

page read and write

5E17000

trusted library allocation

page read and write

2FF0000

trusted library allocation

page read and write

3028000

trusted library allocation

page read and write

1730000

heap

page read and write

3D54000

heap

page read and write

1892000

heap

page read and write

320A000

trusted library allocation

page read and write

FAA000

stack

page read and write

190A000

heap

page read and write

52AE000

stack

page read and write

1909000

heap

page read and write

14BA000

trusted library allocation

page execute and read and write

1858000

heap

page read and write

1893000

heap

page read and write

1883000

heap

page read and write

190A000

heap

page read and write

1800000

heap

page read and write

1585000

heap

page read and write

18AF000

heap

page read and write

1909000

heap

page read and write

1893000

heap

page read and write

2FEE000

stack

page read and write

318D000

trusted library allocation

page read and write

14C0000

trusted library allocation

page read and write

1460000

heap

page read and write

1494000

trusted library allocation

page read and write

597C000

stack

page read and write

18AF000

heap

page read and write

1909000

heap

page read and write

1893000

heap

page read and write

5DD0000

trusted library allocation

page read and write

4D5000

unkown

page readonly

4DF000

unkown

page read and write

14C7000

trusted library allocation

page execute and read and write

1909000

heap

page read and write

42B3000

direct allocation

page read and write

1966000

heap

page read and write

4190000

direct allocation

page read and write

1883000

heap

page read and write

18B3000

heap

page read and write

1956000

heap

page read and write

1909000

heap

page read and write

2EEE000

stack

page read and write

653F000

heap

page read and write

4459000

direct allocation

page read and write

1892000

heap

page read and write

445D000

direct allocation

page read and write

421000

unkown

page execute read

7F610000

trusted library allocation

page execute and read and write

42B3000

direct allocation

page read and write

187F000

heap

page read and write

15D5000

heap

page read and write

5DE6000

trusted library allocation

page read and write

153A000

heap

page read and write

1892000

heap

page read and write

5AFE000

stack

page read and write

3234000

trusted library allocation

page read and write

584C000

stack

page read and write

18AF000

heap

page read and write

14A0000

trusted library allocation

page read and write

F7A000

stack

page read and write

FF0000

heap

page read and write

15DB000

stack

page read and write

445D000

direct allocation

page read and write

3000000

trusted library allocation

page read and write

316E000

trusted library allocation

page read and write

1937000

heap

page read and write

64E0000

heap

page read and write

4459000

direct allocation

page read and write

4AF000

unkown

page readonly

3153000

heap

page read and write

1892000

heap

page read and write

6CFE000

stack

page read and write

1966000

heap

page read and write

1881000

heap

page read and write

1919000

heap

page read and write

68BD000

stack

page read and write

1518000

heap

page read and write

5E10000

trusted library allocation

page read and write

3140000

trusted library allocation

page read and write

400000

system

page execute and read and write

3160000

trusted library allocation

page read and write

323C000

trusted library allocation

page read and write

5E00000

trusted library allocation

page execute and read and write

1493000

trusted library allocation

page execute and read and write

187E000

heap

page read and write

4E3000

unkown

page write copy

1956000

heap

page read and write

1410000

heap

page read and write

42B3000

direct allocation

page read and write

1877000

heap

page read and write

1510000

heap

page read and write

6620000

trusted library allocation

page read and write

18AF000

heap

page read and write

445D000

direct allocation

page read and write

18AF000

heap

page read and write

3172000

trusted library allocation

page read and write

1850000

heap

page read and write

6D00000

heap

page read and write

44CE000

direct allocation

page read and write

1966000

heap

page read and write

15BF000

stack

page read and write

1544000

heap

page read and write

1881000

heap

page read and write

14B0000

trusted library allocation

page read and write

17E0000

heap

page read and write

14C2000

trusted library allocation

page read and write

445D000

direct allocation

page read and write

5ABE000

stack

page read and write

66FD000

stack

page read and write

43E000

system

page execute and read and write

187F000

heap

page read and write

5D3E000

stack

page read and write

5E20000

trusted library allocation

page read and write

421000

unkown

page execute read

1480000

trusted library allocation

page read and write

4217000

trusted library allocation

page read and write

1881000

heap

page read and write

4E8000

unkown

page readonly

18A2000

heap

page read and write

1881000

heap

page read and write

1909000

heap

page read and write

5DE0000

trusted library allocation

page read and write

6D10000

trusted library allocation

page execute and read and write

4190000

direct allocation

page read and write

FE0000

heap

page read and write

3010000

heap

page read and write

12F9000

stack

page read and write

42B3000

direct allocation

page read and write

14F0000

trusted library allocation

page read and write

18AF000

heap

page read and write

4190000

direct allocation

page read and write

4330000

direct allocation

page read and write

4190000

direct allocation

page read and write

1490000

trusted library allocation

page read and write

1909000

heap

page read and write

661D000

stack

page read and write

420000

unkown

page readonly

190A000

heap

page read and write

30FC000

stack

page read and write

14E0000

heap

page read and write

1909000

heap

page read and write

1909000

heap

page read and write

18A2000

heap

page read and write

56F0000

trusted library allocation

page read and write

1877000

heap

page read and write

5C3E000

stack

page read and write

1415000

heap

page read and write

1546000

heap

page read and write

1892000

heap

page read and write

187E000

heap

page read and write

4E8000

unkown

page readonly

31A0000

heap

page execute and read and write

4AF000

unkown

page readonly

17AE000

stack

page read and write

5DF0000

trusted library allocation

page execute and read and write

14AD000

trusted library allocation

page execute and read and write

44CE000

direct allocation

page read and write

4330000

direct allocation

page read and write

1909000

heap

page read and write

445D000

direct allocation

page read and write

44CE000

direct allocation

page read and write

44CE000

direct allocation

page read and write

1820000

direct allocation

page execute and read and write

4459000

direct allocation

page read and write

159A000

heap

page read and write

445D000

direct allocation

page read and write

4DF000

unkown

page write copy

5870000

heap

page execute and read and write

15FC000

stack

page read and write

3228000

trusted library allocation

page read and write

41D9000

trusted library allocation

page read and write

44CE000

direct allocation

page read and write

15CE000

stack

page read and write

1892000

heap

page read and write

42B3000

direct allocation

page read and write

5DC0000

trusted library allocation

page read and write

204F000

stack

page read and write

1873000

heap

page read and write

44CE000

direct allocation

page read and write

6BFE000

stack

page read and write

5D90000

trusted library allocation

page read and write

190A000

heap

page read and write

1881000

heap

page read and write

17F0000

heap

page read and write

4459000

direct allocation

page read and write

4330000

direct allocation

page read and write

5DCC000

trusted library allocation

page read and write

3186000

trusted library allocation

page read and write

3181000

trusted library allocation

page read and write

1881000

heap

page read and write

187E000

heap

page read and write

18AF000

heap

page read and write

1881000

heap

page read and write

3D50000

heap

page read and write

1500000

trusted library allocation

page execute and read and write

18AF000

heap

page read and write

3BEE000

stack

page read and write

317A000

trusted library allocation

page read and write

4190000

direct allocation

page read and write

1610000

heap

page read and write

42B3000

direct allocation

page read and write

317E000

trusted library allocation

page read and write

652F000

heap

page read and write

14B6000

trusted library allocation

page execute and read and write

321B000

trusted library allocation

page read and write

316B000

trusted library allocation

page read and write

4459000

direct allocation

page read and write

149D000

trusted library allocation

page execute and read and write

5BFE000

stack

page read and write

1909000

heap

page read and write

172E000

stack

page read and write

3200000

trusted library allocation

page read and write

66BE000

stack

page read and write

3150000

heap

page read and write

18AF000

heap

page read and write

14CB000

trusted library allocation

page execute and read and write

4459000

direct allocation

page read and write

14C5000

trusted library allocation

page execute and read and write

59BE000

stack

page read and write

1966000

heap

page read and write

7000000

heap

page read and write

13F0000

heap

page read and write

4330000

direct allocation

page read and write

420000

unkown

page readonly

4330000

direct allocation

page read and write

14B2000

trusted library allocation

page read and write

4D5000

unkown

page readonly

1883000

heap

page read and write

1937000

heap

page read and write

41B1000

trusted library allocation

page read and write

1956000

heap

page read and write

4330000

direct allocation

page read and write

1892000

heap

page read and write

There are 233 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Comprobante9404638600.pdf.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportComprobante9404638600.pdf.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
Comprobante9404638600.pdf.exe