Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Payment details.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.868517558888531
Filename:	Payment details.exe
Filesize:	722944
MD5:	d88a9970ec7a11ade4a6dfc3d8150496
SHA1:	90e72afbb1eed4c0f20fbc8a7ef5e3069ece0eef
SHA256:	c159014c79f8dc4d7888b0c092286f9b47fb2b1497dfbfa7c0620d78257127e2
SHA512:	54596967f17980e34528c20a2b284edcd03c02dd105d904600cb4e48816b560c201371b2f202db962a1df37dca310dd4a82ed08ab12683ccde74dd404d0a1af2
SSDEEP:	12288:GTn3D0uf8+u0wrXN/HoX18jyU0rOcKdIXxIlmQockPZS+/I6YtMl0:Az0uf8+1wriF8grBkIhIlmQocz+/TmM
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....&f................................. ........@.. .......................`............@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation Virtualization/Sandbox Evasion Security Software Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary	System Information Discovery
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment details.exe.log

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment details.exe.log
Category:	modified
Dump:	Payment details.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Payment details.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Payment details.exe

"C:\Users\user\Desktop\Payment details.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4200
Target ID:	0
Parent PID:	4084
Name:	Payment details.exe
Path:	C:\Users\user\Desktop\Payment details.exe
Commandline:	"C:\Users\user\Desktop\Payment details.exe"
Size:	722944
MD5:	D88A9970EC7A11ADE4A6DFC3D8150496
Time:	11:09:15
Date:	26/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1b0000
Modulesize:	745472
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\Payment details.exe

"C:\Users\user\Desktop\Payment details.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6372
Target ID:	3
Parent PID:	4200
Name:	Payment details.exe
Path:	C:\Users\user\Desktop\Payment details.exe
Commandline:	"C:\Users\user\Desktop\Payment details.exe"
Size:	722944
MD5:	D88A9970EC7A11ADE4A6DFC3D8150496
Time:	11:09:18
Date:	26/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd50000
Modulesize:	745472
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://api.ipify.org/

104.26.13.205

http://r3.o.lencr.org0

unknown

https://api.ipify.org

unknown

https://account.dyn.com/

unknown

https://api.ipify.org/t

unknown

http://mail.teddyjnr.com

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://x1.c.lencr.org/0

unknown

http://x1.i.lencr.org/0

unknown

http://r3.i.lencr.org/0

unknown

Domains

Name

Malicious

mail.teddyjnr.com

50.87.145.190

Details

Name:	mail.teddyjnr.com
IP:	50.87.145.190
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

104.26.13.205

Details

Name:	api.ipify.org
IP:	104.26.13.205
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

50.87.145.190

mail.teddyjnr.com

United States

Details

IP:	50.87.145.190
TargetID:	3
Current Path:	C:\Users\user\Desktop\Payment details.exe
Country:	United States
Countrycode:	USA
ASN number:	46606
ASN name:	UNIFIEDLAYER-AS-1US
Private:	false
Domain:	mail.teddyjnr.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

104.26.13.205

api.ipify.org

United States

Details

IP:	104.26.13.205
TargetID:	3
Current Path:	C:\Users\user\Desktop\Payment details.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Payment details_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Payment details_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Payment details_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Payment details_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Payment details_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Payment details_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Payment details_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Payment details_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Payment details_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Payment details_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Payment details_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Payment details_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Payment details_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Payment details_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

30C4000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

3091000

trusted library allocation

page read and write

30BC000

trusted library allocation

page read and write

36B7000

trusted library allocation

page read and write

4EAD000

stack

page read and write

40A7000

trusted library allocation

page read and write

7260000

trusted library allocation

page read and write

2FA000

stack

page read and write

3EA7000

trusted library allocation

page read and write

30B6000

trusted library allocation

page read and write

8DA000

heap

page read and write

846000

trusted library allocation

page execute and read and write

517E000

stack

page read and write

83D0000

heap

page read and write

984000

heap

page read and write

25AB000

trusted library allocation

page read and write

6BE000

stack

page read and write

25F0000

heap

page execute and read and write

8BE000

stack

page read and write

402E000

trusted library allocation

page read and write

6D9E000

stack

page read and write

3081000

trusted library allocation

page read and write

4F35000

heap

page read and write

4BCD000

trusted library allocation

page read and write

5C50000

trusted library allocation

page read and write

980000

heap

page read and write

577D000

stack

page read and write

4D80000

trusted library section

page read and write

13E6000

trusted library allocation

page execute and read and write

2600000

trusted library allocation

page read and write

4A90000

trusted library allocation

page read and write

3EF5000

trusted library allocation

page read and write

30B8000

trusted library allocation

page read and write

2640000

heap

page read and write

F99000

stack

page read and write

820000

trusted library allocation

page read and write

1B0000

unkown

page readonly

15D5000

trusted library allocation

page execute and read and write

5532000

trusted library allocation

page read and write

57B0000

heap

page execute and read and write

97C000

heap

page read and write

15D0000

trusted library allocation

page read and write

15F0000

trusted library allocation

page read and write

863E000

stack

page read and write

904000

heap

page read and write

2620000

trusted library allocation

page read and write

135E000

heap

page read and write

90F000

heap

page read and write

6BCE000

stack

page read and write

2B52000

trusted library allocation

page read and write

840000

trusted library allocation

page read and write

4F40000

trusted library allocation

page execute and read and write

7F510000

trusted library allocation

page execute and read and write

30D6000

trusted library allocation

page read and write

13EA000

trusted library allocation

page execute and read and write

13E0000

trusted library allocation

page read and write

842000

trusted library allocation

page read and write

1867000

heap

page read and write

870000

trusted library allocation

page read and write

24EE000

stack

page read and write

474C000

stack

page read and write

5780000

heap

page read and write

68DE000

stack

page read and write

4B23000

heap

page read and write

6DF0000

trusted library allocation

page execute and read and write

1644000

trusted library allocation

page read and write

4B7B000

stack

page read and write

6E8E000

stack

page read and write

1610000

trusted library allocation

page read and write

4AF0000

trusted library allocation

page execute and read and write

978000

heap

page read and write

2615000

trusted library allocation

page read and write

4FB0000

heap

page read and write

12F3000

heap

page read and write

6BA6000

heap

page read and write

85B000

trusted library allocation

page execute and read and write

4AD0000

heap

page read and write

857000

trusted library allocation

page execute and read and write

59BC000

stack

page read and write

6AE0000

trusted library allocation

page execute and read and write

5512000

trusted library allocation

page read and write

1860000

heap

page read and write

4041000

trusted library allocation

page read and write

67CE000

stack

page read and write

13F5000

heap

page read and write

3041000

trusted library allocation

page read and write

6C9E000

stack

page read and write

13CD000

trusted library allocation

page execute and read and write

6A1F000

stack

page read and write

67DD000

stack

page read and write

830000

trusted library allocation

page read and write

552D000

trusted library allocation

page read and write

4BCB000

trusted library allocation

page read and write

1280000

heap

page read and write

6B6C000

heap

page read and write

98DF000

stack

page read and write

6ED0000

trusted library allocation

page read and write

4BA0000

heap

page read and write

13E2000

trusted library allocation

page read and write

252E000

stack

page read and write

303E000

stack

page read and write

6DDD000

stack

page read and write

99DE000

stack

page read and write

25C6000

trusted library allocation

page read and write

6D92000

trusted library allocation

page read and write

72A0000

heap

page read and write

7270000

heap

page read and write

1660000

heap

page read and write

8DE000

heap

page read and write

6EE7000

trusted library allocation

page read and write

AF0000

heap

page read and write

2695000

trusted library allocation

page read and write

6C30000

trusted library allocation

page read and write

7480000

trusted library allocation

page execute and read and write

25D2000

trusted library allocation

page read and write

4F90000

heap

page read and write

6A5E000

stack

page read and write

660000

heap

page read and write

15D7000

trusted library allocation

page execute and read and write

705000

heap

page read and write

1250000

heap

page read and write

2776000

trusted library allocation

page read and write

68CE000

stack

page read and write

2F30000

heap

page execute and read and write

9C1E000

stack

page read and write

12F6000

heap

page read and write

2610000

trusted library allocation

page read and write

57C0000

heap

page read and write

A718000

trusted library allocation

page read and write

4F50000

trusted library allocation

page read and write

25A0000

trusted library allocation

page read and write

1640000

trusted library allocation

page read and write

551A000

trusted library allocation

page read and write

7250000

trusted library allocation

page read and write

5BBF000

stack

page read and write

6C7D000

stack

page read and write

13C0000

trusted library allocation

page read and write

6B60000

heap

page read and write

50D0000

trusted library section

page read and write

4B20000

heap

page read and write

4AE0000

trusted library allocation

page read and write

30CE000

trusted library allocation

page read and write

1630000

trusted library allocation

page read and write

5526000

trusted library allocation

page read and write

550E000

trusted library allocation

page read and write

4BC0000

trusted library allocation

page read and write

6FE000

stack

page read and write

5C60000

heap

page read and write

4F30000

heap

page read and write

670000

heap

page read and write

3F6000

stack

page read and write

6B5E000

stack

page read and write

824000

trusted library allocation

page read and write

12C0000

heap

page read and write

2651000

trusted library allocation

page read and write

4B00000

trusted library allocation

page read and write

691D000

stack

page read and write

6AD0000

trusted library allocation

page read and write

1B2000

unkown

page readonly

4F80000

heap

page read and write

3679000

trusted library allocation

page read and write

2530000

trusted library allocation

page read and write

823000

trusted library allocation

page execute and read and write

3F43000

trusted library allocation

page read and write

7FD00000

trusted library allocation

page execute and read and write

2692000

trusted library allocation

page read and write

50C0000

trusted library section

page read and write

13DD000

trusted library allocation

page execute and read and write

1650000

trusted library allocation

page read and write

5C40000

trusted library allocation

page read and write

2532000

trusted library allocation

page read and write

9AE0000

heap

page read and write

12EA000

heap

page read and write

183E000

stack

page read and write

50BE000

stack

page read and write

669E000

stack

page read and write

9ADD000

stack

page read and write

5521000

trusted library allocation

page read and write

15DB000

trusted library allocation

page execute and read and write

4B80000

trusted library section

page readonly

13C3000

trusted library allocation

page execute and read and write

400000

remote allocation

page execute and read and write

911000

heap

page read and write

3659000

trusted library allocation

page read and write

ACF000

stack

page read and write

5C57000

trusted library allocation

page read and write

30BA000

trusted library allocation

page read and write

2E88000

trusted library allocation

page read and write

84A000

trusted library allocation

page execute and read and write

6BE0000

heap

page read and write

8C0000

trusted library allocation

page execute and read and write

307F000

trusted library allocation

page read and write

97DE000

stack

page read and write

679F000

stack

page read and write

13C4000

trusted library allocation

page read and write

BFE000

stack

page read and write

6C38000

trusted library allocation

page read and write

308D000

trusted library allocation

page read and write

13F0000

heap

page read and write

9B6000

heap

page read and write

669E000

heap

page read and write

810000

trusted library allocation

page read and write

5ABE000

stack

page read and write

4D60000

trusted library allocation

page read and write

8640000

trusted library section

page read and write

D07000

heap

page read and write

4BB0000

trusted library allocation

page execute and read and write

134F000

heap

page read and write

28AE000

trusted library allocation

page read and write

5C4D000

trusted library allocation

page read and write

507C000

stack

page read and write

1600000

trusted library allocation

page execute and read and write

9D5E000

stack

page read and write

4069000

trusted library allocation

page read and write

6BE0000

trusted library allocation

page execute and read and write

4F70000

heap

page read and write

AC80000

trusted library section

page read and write

56FE000

stack

page read and write

12B0000

trusted library allocation

page read and write

55B0000

heap

page read and write

6690000

heap

page read and write

550B000

trusted library allocation

page read and write

25C1000

trusted library allocation

page read and write

83D000

trusted library allocation

page execute and read and write

25E0000

trusted library allocation

page read and write

13D0000

trusted library allocation

page read and write

D00000

heap

page read and write

4B90000

heap

page read and write

700000

heap

page read and write

557C000

stack

page read and write

852000

trusted library allocation

page read and write

134A000

heap

page read and write

3077000

trusted library allocation

page read and write

5506000

trusted library allocation

page read and write

12C8000

heap

page read and write

6C20000

trusted library allocation

page read and write

258B000

stack

page read and write

55B3000

heap

page read and write

AD0000

heap

page read and write

6DE0000

trusted library allocation

page execute and read and write

631F000

stack

page read and write

5500000

trusted library allocation

page read and write

4DA0000

heap

page execute and read and write

15D2000

trusted library allocation

page read and write

57A8000

trusted library allocation

page read and write

1620000

heap

page read and write

2590000

trusted library allocation

page read and write

573E000

stack

page read and write

8D0000

heap

page read and write

6EE0000

trusted library allocation

page read and write

1200000

heap

page read and write

57A0000

trusted library allocation

page read and write

3651000

trusted library allocation

page read and write

E99000

stack

page read and write

9E5E000

stack

page read and write

9D1E000

stack

page read and write

CFE000

stack

page read and write

82D000

trusted library allocation

page execute and read and write

841D000

heap

page read and write

25BE000

trusted library allocation

page read and write

551E000

trusted library allocation

page read and write

25CD000

trusted library allocation

page read and write

There are 253 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Payment details.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportPayment details.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Payment details.exe