Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Payment.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.975842962714193
Filename:	Payment.exe
Filesize:	1062912
MD5:	872fc876d25908a93236dcf98e09e3de
SHA1:	06da1381d9aaa978ace25c409a59c3d6560975c0
SHA256:	a6cd55461ca16e33b153c509417d91eec660cc6d447764c9a312a0ad871ca9c5
SHA512:	4f1750c69221ecea05d66a5eb92c2cf821fcc080c3593ac7a3874d7cc9fc8f2ce1d9263329f419cc43188dda09bdbdbb412a5c6bb370aec70a9830588b07d586
SSDEEP:	24576:0AHnh+eWsN3skA4RV1Hom2KXMmHaF+CoEFoTiy5:Dh+ZkldoPK8YaF+DH
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection	Disable or Modify Tools
Binary is likely a compiled AutoIt script file	System Summary
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging	Disable or Modify Tools
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Native API Access Token Manipulation
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Process Discovery Clipboard Data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	Disable or Modify Tools
Contains functionality to read the PEB	Anti Debugging
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Detected potential crypto function	System Summary	Process Discovery
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Disable or Modify Tools System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Sample file is different than original file name gathered from version info	System Summary	System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Disable or Modify Tools
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary	Disable or Modify Tools
.NET source code contains calls to encryption/decryption functions	System Summary	Deobfuscate/Decode Files or Information Archive Collected Data
Contains functionality for error logging	System Summary	Disable or Modify Tools
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to download additional files from the internet	Networking
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Disable or Modify Tools
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion	Disable or Modify Tools
Reads software policies	System Summary
Sample is known by Antivirus	System Summary	Disable or Modify Tools
Tries to load missing DLLs	System Summary	DLL Side-Loading Disable or Modify Tools
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary	Disable or Modify Tools

C:\Users\user\AppData\Local\Temp\aut29F3.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut29F3.tmp
Category:	dropped
Dump:	aut29F3.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Payment.exe
Type:	data
Entropy:	7.912451959234274
Encrypted:	false
Ssdeep:	3072:klowTzZsW2bcfOoYwabKblNLHmQRQGcdsWG7BMdxufUIzEo7o0a8Vt86l27K0nM5:k1f+7EUb4PLG67cdshOxaUIUgVtBPJH
Size:	151716
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\aut2A9F.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut2A9F.tmp
Category:	dropped
Dump:	aut2A9F.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\Payment.exe
Type:	data
Entropy:	7.589420241366998
Encrypted:	false
Ssdeep:	192:C+cK50L02Jtyl2ftvwmziMVC6baopzBvq5xQtxfChACTtobpcqzLrOOnsqQE+R:h750LRJtyl2ftLCghBmgx6hrTeVcyXOP
Size:	9902
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\outbluffed

ASCII text, with very long lines (28720), with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\outbluffed
Category:	dropped
Dump:	outbluffed.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\Payment.exe
Type:	ASCII text, with very long lines (28720), with no line terminators
Entropy:	3.5971472643342133
Encrypted:	false
Ssdeep:	768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNboE+I026c024vfF3if6L:wiTZ+2QoioGRk6ZklputwjpjBkCiw2Rk
Size:	28720
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\pensum

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\pensum
Category:	dropped
Dump:	pensum.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Payment.exe
Type:	data
Entropy:	6.75581145510075
Encrypted:	false
Ssdeep:	6144:e01xYm6nIN/nn5Ui9DVMzWaZBHgM+HUE4WaJEYRxP5dJAT+iu:pJhn5p9DAWPb4vEY93AT+iu
Size:	240128
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Payment.exe

"C:\Users\user\Desktop\Payment.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3924
Target ID:	0
Parent PID:	1028
Name:	Payment.exe
Path:	C:\Users\user\Desktop\Payment.exe
Commandline:	"C:\Users\user\Desktop\Payment.exe"
Size:	1062912
MD5:	872FC876D25908A93236DCF98E09E3DE
Time:	10:06:13
Date:	26/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xad0000
Modulesize:	1089536
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Binary is likely a compiled AutoIt script file	System Summary
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\Payment.exe"

Details

Is windows:	true
Is dropped:	false
PID:	5648
Target ID:	2
Parent PID:	3924
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\Payment.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	10:06:14
Date:	26/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xea0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://api.ipify.org/

104.26.12.205

Details

Name:	https://api.ipify.org/
IP:	104.26.12.205
TargetID:	2
From Memory:	false
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://api.ipify.org

unknown

Details

Name:	https://api.ipify.org
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\Payment.exe
Source:	Payment.exe, 00000000.00000002.2157047386.0000000002150000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3388297817.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3389464276.00000000032F1000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\Payment.exe
Source:	Payment.exe, 00000000.00000002.2157047386.0000000002150000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3388297817.0000000000402000.00000040.80000000.00040000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://smtp.italiacanda-it.com

unknown

https://api.ipify.org/t

unknown

Details

Name:	https://api.ipify.org/t
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.3389464276.00000000032F1000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://us2.smtp.mailhostbox.com

unknown

Details

Name:	http://us2.smtp.mailhostbox.com
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.3389464276.0000000003367000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.3389464276.00000000032F1000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

smtp.italiacanda-it.com

unknown

Details

Name:	smtp.italiacanda-it.com
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

bg.microsoft.map.fastly.net

199.232.214.172

us2.smtp.mailhostbox.com

208.91.198.143

Details

Name:	us2.smtp.mailhostbox.com
IP:	208.91.198.143
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

104.26.12.205

Details

Name:	api.ipify.org
IP:	104.26.12.205
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

fp2e7a.wpc.phicdn.net

192.229.211.108

IPs

Domain

Country

Malicious

208.91.198.143

us2.smtp.mailhostbox.com

United States

Details

IP:	208.91.198.143
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	394695
ASN name:	PUBLIC-DOMAIN-REGISTRYUS
Private:	false
Domain:	us2.smtp.mailhostbox.com

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

104.26.12.205

api.ipify.org

United States

Details

IP:	104.26.12.205
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2150000

direct allocation

page read and write

402000

system

page execute and read and write

3341000

trusted library allocation

page read and write

3367000

trusted library allocation

page read and write

14A3000

heap

page read and write

3EC3000

direct allocation

page read and write

14DE000

heap

page read and write

123B000

stack

page read and write

14FC000

heap

page read and write

3F80000

direct allocation

page read and write

17E0000

trusted library allocation

page execute and read and write

3140000

trusted library allocation

page read and write

3DE0000

direct allocation

page read and write

6BF0000

trusted library allocation

page read and write

1605000

heap

page read and write

B8F000

unkown

page read and write

B5F000

unkown

page readonly

12F0000

heap

page read and write

411E000

direct allocation

page read and write

3326000

trusted library allocation

page read and write

1630000

heap

page read and write

125C000

stack

page read and write

6BEE000

stack

page read and write

14AF000

heap

page read and write

1790000

trusted library allocation

page read and write

70B0000

trusted library allocation

page execute and read and write

40DE000

direct allocation

page read and write

FA0000

heap

page read and write

6B6F000

stack

page read and write

14CE000

heap

page read and write

3150000

trusted library allocation

page read and write

68CE000

stack

page read and write

5910000

heap

page execute and read and write

411E000

direct allocation

page read and write

17BB000

trusted library allocation

page execute and read and write

312D000

trusted library allocation

page read and write

6B80000

trusted library allocation

page read and write

58ED000

stack

page read and write

14EF000

heap

page read and write

B85000

unkown

page readonly

12B0000

heap

page read and write

1625000

heap

page read and write

333D000

trusted library allocation

page read and write

1595000

heap

page read and write

AD1000

unkown

page execute read

3106000

trusted library allocation

page read and write

638E000

stack

page read and write

12C0000

heap

page read and write

1649000

heap

page read and write

12F8000

stack

page read and write

15D8000

heap

page read and write

14FB000

heap

page read and write

14DE000

heap

page read and write

6A6E000

stack

page read and write

411E000

direct allocation

page read and write

3DA0000

direct allocation

page read and write

14F0000

heap

page read and write

6630000

heap

page read and write

70C0000

heap

page read and write

14AF000

heap

page read and write

14A3000

heap

page read and write

40DE000

direct allocation

page read and write

40AD000

direct allocation

page read and write

4069000

direct allocation

page read and write

1435000

heap

page read and write

AD0000

unkown

page readonly

17B0000

trusted library allocation

page read and write

3F80000

direct allocation

page read and write

6CAF000

stack

page read and write

6B9D000

trusted library allocation

page read and write

1430000

heap

page read and write

7070000

trusted library allocation

page read and write

42F1000

trusted library allocation

page read and write

15F6000

heap

page read and write

3DE0000

direct allocation

page read and write

311E000

trusted library allocation

page read and write

17B5000

trusted library allocation

page execute and read and write

40A9000

direct allocation

page read and write

6C10000

trusted library allocation

page execute and read and write

40A9000

direct allocation

page read and write

3F40000

direct allocation

page read and write

30E0000

heap

page read and write

1784000

trusted library allocation

page read and write

17A6000

trusted library allocation

page execute and read and write

6D00000

trusted library allocation

page read and write

435B000

trusted library allocation

page read and write

21C0000

heap

page read and write

40DE000

direct allocation

page read and write

6C00000

trusted library allocation

page execute and read and write

14AF000

heap

page read and write

1780000

trusted library allocation

page read and write

3F40000

direct allocation

page read and write

F3A000

stack

page read and write

5B1E000

stack

page read and write

3DA0000

direct allocation

page read and write

144E000

stack

page read and write

1560000

heap

page read and write

31AC000

stack

page read and write

3100000

trusted library allocation

page read and write

3126000

trusted library allocation

page read and write

17F0000

trusted library allocation

page read and write

17B7000

trusted library allocation

page execute and read and write

1568000

heap

page read and write

179D000

trusted library allocation

page execute and read and write

B93000

unkown

page write copy

14FB000

heap

page read and write

178D000

trusted library allocation

page execute and read and write

3F40000

direct allocation

page read and write

14FB000

heap

page read and write

4319000

trusted library allocation

page read and write

151B000

heap

page read and write

1807000

heap

page read and write

14FB000

heap

page read and write

5CDD000

stack

page read and write

6BA7000

trusted library allocation

page read and write

1800000

heap

page read and write

FF0000

heap

page read and write

3DA0000

direct allocation

page read and write

400000

system

page execute and read and write

6A0E000

stack

page read and write

53EE000

stack

page read and write

6CF7000

trusted library allocation

page read and write

1632000

heap

page read and write

2120000

heap

page read and write

14EE000

heap

page read and write

17AA000

trusted library allocation

page execute and read and write

3F80000

direct allocation

page read and write

310B000

trusted library allocation

page read and write

17D0000

trusted library allocation

page read and write

586E000

stack

page read and write

4069000

direct allocation

page read and write

3008000

trusted library allocation

page read and write

15F6000

heap

page read and write

6CF0000

trusted library allocation

page read and write

332F000

trusted library allocation

page read and write

6BA0000

trusted library allocation

page read and write

30F0000

trusted library allocation

page read and write

5A1C000

stack

page read and write

E5A000

stack

page read and write

4069000

direct allocation

page read and write

31B3000

heap

page read and write

206E000

stack

page read and write

3382000

trusted library allocation

page read and write

406D000

direct allocation

page read and write

160A000

heap

page read and write

14FB000

heap

page read and write

70A0000

heap

page read and write

15E7000

heap

page read and write

3F03000

direct allocation

page read and write

40AD000

direct allocation

page read and write

1598000

heap

page read and write

158B000

heap

page read and write

15CF000

heap

page read and write

1850000

heap

page read and write

B98000

unkown

page readonly

14FB000

heap

page read and write

343C000

trusted library allocation

page read and write

2110000

heap

page read and write

1470000

heap

page read and write

B5F000

unkown

page readonly

14FB000

heap

page read and write

184E000

stack

page read and write

B85000

unkown

page readonly

32F1000

trusted library allocation

page read and write

3DE0000

direct allocation

page read and write

1494000

heap

page read and write

14EE000

heap

page read and write

310E000

trusted library allocation

page read and write

690E000

stack

page read and write

1570000

heap

page read and write

121F000

stack

page read and write

3F03000

direct allocation

page read and write

406D000

direct allocation

page read and write

2124000

heap

page read and write

140D000

stack

page read and write

337B000

trusted library allocation

page read and write

17A2000

trusted library allocation

page read and write

3132000

trusted library allocation

page read and write

1540000

heap

page read and write

17A0000

trusted library allocation

page read and write

15E6000

heap

page read and write

406D000

direct allocation

page read and write

5730000

heap

page read and write

5900000

heap

page read and write

14CE000

heap

page read and write

311A000

trusted library allocation

page read and write

32EF000

stack

page read and write

6B88000

trusted library allocation

page read and write

6590000

heap

page read and write

B8F000

unkown

page write copy

1477000

heap

page read and write

2140000

direct allocation

page execute and read and write

1605000

heap

page read and write

40AD000

direct allocation

page read and write

AD1000

unkown

page execute read

5C1F000

stack

page read and write

58AE000

stack

page read and write

31B0000

heap

page read and write

3121000

trusted library allocation

page read and write

1C6E000

stack

page read and write

661E000

heap

page read and write

1770000

trusted library allocation

page read and write

3F03000

direct allocation

page read and write

6B90000

trusted library allocation

page read and write

3EC3000

direct allocation

page read and write

122F000

stack

page read and write

40A9000

direct allocation

page read and write

3112000

trusted library allocation

page read and write

3EC3000

direct allocation

page read and write

1783000

trusted library allocation

page execute and read and write

30DC000

stack

page read and write

7F220000

trusted library allocation

page execute and read and write

17B2000

trusted library allocation

page read and write

31E0000

heap

page execute and read and write

AD0000

unkown

page readonly

B98000

unkown

page readonly

There are 206 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Payment.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportPayment.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Payment.exe