Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Payment 23832 Proforma INV Bank Confirmation.exe

PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy:	7.922011842190505
Filename:	Payment 23832 Proforma INV Bank Confirmation.exe
Filesize:	557056
MD5:	8b3b3ed278e65b96d71837e6f3eb929e
SHA1:	05c4b9758039065014ad6fc38b87f29cafa0c357
SHA256:	694510429baee227b94e5a0614b349c003acda14807ab07caaa2ec2a8562c465
SHA512:	fcc44e56acbc33e9df6f7da0c25385b88dd5ea467f63d65cde09c638f34ecf5592ae86bc1dd787cec8432fe9d351fc98b289ec34d07851f5ad60201436041537
SSDEEP:	12288:RYV6MorX7qzuC3QHO9FQVHPF51jgcrAklT3FXPLyqGXN9Ep:mBXu9HGaVHX9tlOPEp
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection	Exploitation for Privilege Escalation
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection	Disable or Modify Tools
Binary is likely a compiled AutoIt script file	System Summary
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging	Disable or Modify Tools
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Native API Access Token Manipulation
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Process Discovery Clipboard Data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	Disable or Modify Tools
Contains functionality to read the PEB	Anti Debugging
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Creates processes with suspicious names	Persistence and Installation Behavior
Detected potential crypto function	System Summary	System Time Discovery Process Discovery Archive Collected Data Encrypted Channel
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found evasive API chain (date check)	Malware Analysis System Evasion
Found large amount of non-executed APIs	Malware Analysis System Evasion	System Time Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Disable or Modify Tools System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Sample file is different than original file name gathered from version info	System Summary	System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Disable or Modify Tools
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary	Disable or Modify Tools
.NET source code contains calls to encryption/decryption functions	System Summary
Contains functionality for error logging	System Summary	Disable or Modify Tools
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Disable or Modify Tools
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
Program exit points	Malware Analysis System Evasion	Disable or Modify Tools
Reads software policies	System Summary
Sample is known by Antivirus	System Summary	Disable or Modify Tools
Tries to load missing DLLs	System Summary	DLL Side-Loading Disable or Modify Tools

C:\Users\user\AppData\Local\Temp\aut2F74.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut2F74.tmp
Category:	dropped
Dump:	aut2F74.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe
Type:	data
Entropy:	7.934564520965479
Encrypted:	false
Ssdeep:	3072:8LWvm7j8n5dxBD9WL4Tio/CfRtqtIr5ZHuuiOFMrwUkrC+:8V25dQuio/YRotIvliOFEwUkrC+
Size:	142830
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\aut2FF2.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut2FF2.tmp
Category:	dropped
Dump:	aut2FF2.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe
Type:	data
Entropy:	7.6012931767698
Encrypted:	false
Ssdeep:	192:65jwEiqEH1WgUJuzJkecGgJo7xocBkJLDPutbW7pvXyUCswX:I6qEHYV0eecGGo7xocBmLDPutqpLCBX
Size:	9808
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\dews

ASCII text, with very long lines (28756), with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\dews
Category:	dropped
Dump:	dews.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe
Type:	ASCII text, with very long lines (28756), with no line terminators
Entropy:	3.5868943154659036
Encrypted:	false
Ssdeep:	768:miTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbd+IH6B34vfF3if6gyCW:miTZ+2QoioGRk6ZklputwjpjBkCiw2RR
Size:	28756
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\syphilous

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\syphilous
Category:	dropped
Dump:	syphilous.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe
Type:	data
Entropy:	6.569493979329327
Encrypted:	false
Ssdeep:	6144:4kGW1uxnzJA+NSzWWbMtX65S4YhzzTMeXi3yNuGurdLabqdzcvvy:4kb1uxnzJA+NubO65S4YhHoeXmyTWhau
Size:	240128
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe

"C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5492
Target ID:	0
Parent PID:	1028
Name:	Payment 23832 Proforma INV Bank Confirmation.exe
Path:	C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe
Commandline:	"C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe"
Size:	557056
MD5:	8B3B3ED278E65B96D71837E6F3EB929E
Time:	13:03:51
Date:	03/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xdf0000
Modulesize:	1298432
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Binary is likely a compiled AutoIt script file	System Summary
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6688
Target ID:	2
Parent PID:	5492
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	13:03:52
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x860000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://r3.o.lencr.org0

unknown

Details

Name:	http://r3.o.lencr.org0
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.3227421201.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3227771380.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3229205264.0000000005E70000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://kxnlaos.com

unknown

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\Payment 23832 Proforma INV Bank Confirmation.exe
Source:	Payment 23832 Proforma INV Bank Confirmation.exe, 00000000.00000002.2001660401.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226977191.0000000000402000.00000040.80000000.00040000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://mail.kxnlaos.com

unknown

http://x1.c.lencr.org/0

unknown

Details

Name:	http://x1.c.lencr.org/0
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.3227421201.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3227771380.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3229205264.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3229205264.0000000005ED3000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://x1.i.lencr.org/0

unknown

Details

Name:	http://x1.i.lencr.org/0
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.3227421201.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3227771380.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3229205264.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3229205264.0000000005ED3000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://r3.i.lencr.org/0%

unknown

Details

Name:	http://r3.i.lencr.org/0%
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.3227421201.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3227771380.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3229205264.0000000005E70000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

kxnlaos.com

192.185.113.233

Details

Name:	kxnlaos.com
IP:	192.185.113.233
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

mail.kxnlaos.com

unknown

Details

Name:	mail.kxnlaos.com
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

192.185.113.233

kxnlaos.com

United States

Details

IP:	192.185.113.233
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	46606
ASN name:	UNIFIEDLAYER-AS-1US
Private:	false
Domain:	kxnlaos.com

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious Outbound SMTP Connections	System Summary

Memdumps

Base Address

Regiontype

Protect

Malicious

2AAE000

trusted library allocation

page read and write

2A61000

trusted library allocation

page read and write

14D0000

direct allocation

page read and write

402000

system

page execute and read and write

2AD9000

trusted library allocation

page read and write

3AB0000

direct allocation

page read and write

1561000

heap

page read and write

DF0000

unkown

page readonly

5100000

heap

page read and write

12EF000

stack

page read and write

C70000

heap

page read and write

1528000

heap

page read and write

DFC000

heap

page read and write

E0C000

heap

page read and write

504D000

trusted library allocation

page read and write

1593000

heap

page read and write

3ACA000

trusted library allocation

page read and write

5052000

trusted library allocation

page read and write

1570000

heap

page read and write

3DAE000

direct allocation

page read and write

1070000

trusted library allocation

page read and write

101B000

trusted library allocation

page execute and read and write

D1D000

trusted library allocation

page execute and read and write

D05000

heap

page read and write

5110000

heap

page read and write

1570000

heap

page read and write

D10000

trusted library allocation

page read and write

5666000

trusted library allocation

page read and write

1629000

heap

page read and write

1592000

heap

page read and write

6790000

trusted library allocation

page read and write

EBE000

unkown

page execute and read and write

564C000

trusted library allocation

page read and write

1629000

heap

page read and write

5060000

trusted library allocation

page read and write

3D79000

direct allocation

page read and write

D64000

heap

page read and write

AAE000

stack

page read and write

5041000

trusted library allocation

page read and write

D20000

trusted library allocation

page read and write

1629000

heap

page read and write

1012000

trusted library allocation

page read and write

1571000

heap

page read and write

5026000

trusted library allocation

page read and write

155B000

heap

page read and write

604D000

stack

page read and write

1572000

heap

page read and write

544E000

stack

page read and write

502E000

trusted library allocation

page read and write

1571000

heap

page read and write

5032000

trusted library allocation

page read and write

2AAC000

trusted library allocation

page read and write

3D39000

direct allocation

page read and write

6097000

trusted library allocation

page read and write

D13000

trusted library allocation

page execute and read and write

400000

system

page execute and read and write

1000000

trusted library allocation

page read and write

1570000

heap

page read and write

534E000

stack

page read and write

664E000

stack

page read and write

1592000

heap

page read and write

50DC000

stack

page read and write

AF0000

heap

page read and write

5024000

trusted library allocation

page read and write

211E000

stack

page read and write

D14000

trusted library allocation

page read and write

D38000

heap

page read and write

D00000

heap

page read and write

C60000

heap

page read and write

8FA000

stack

page read and write

100A000

trusted library allocation

page execute and read and write

3DAE000

direct allocation

page read and write

5E70000

heap

page read and write

2AD5000

trusted library allocation

page read and write

EA4000

unkown

page execute and write copy

CF0000

trusted library allocation

page read and write

3D3D000

direct allocation

page read and write

DF0000

unkown

page readonly

157E000

heap

page read and write

654E000

stack

page read and write

3AB0000

direct allocation

page read and write

1571000

heap

page read and write

9F9000

stack

page read and write

503A000

trusted library allocation

page read and write

D30000

heap

page read and write

2A5F000

stack

page read and write

10F8000

trusted library allocation

page read and write

15FE000

heap

page read and write

2AC7000

trusted library allocation

page read and write

C50000

heap

page read and write

5670000

trusted library allocation

page execute and read and write

530C000

stack

page read and write

C34000

heap

page read and write

1592000

heap

page read and write

5610000

trusted library allocation

page read and write

67D0000

trusted library allocation

page execute and read and write

DCA000

heap

page read and write

1554000

heap

page read and write

1592000

heap

page read and write

55CD000

stack

page read and write

1520000

heap

page read and write

5ED3000

heap

page read and write

558F000

stack

page read and write

1592000

heap

page read and write

1030000

trusted library allocation

page read and write

503E000

trusted library allocation

page read and write

1190000

heap

page read and write

5FAF000

stack

page read and write

3D3D000

direct allocation

page read and write

1015000

trusted library allocation

page execute and read and write

2AE1000

trusted library allocation

page read and write

5090000

heap

page execute and read and write

1628000

heap

page read and write

3D3D000

direct allocation

page read and write

5618000

trusted library allocation

page read and write

3C50000

direct allocation

page read and write

3DEE000

direct allocation

page read and write

D2D000

trusted library allocation

page execute and read and write

DF1000

unkown

page execute and read and write

3D79000

direct allocation

page read and write

130B000

stack

page read and write

EA5000

unkown

page execute and read and write

157E000

heap

page read and write

5046000

trusted library allocation

page read and write

EFB000

unkown

page read and write

3B93000

direct allocation

page read and write

D5A000

heap

page read and write

3A70000

direct allocation

page read and write

EFA000

unkown

page execute and write copy

C30000

heap

page read and write

6090000

trusted library allocation

page read and write

1629000

heap

page read and write

1591000

heap

page read and write

EFB000

unkown

page write copy

7FA000

stack

page read and write

E03000

heap

page read and write

3A89000

trusted library allocation

page read and write

60A0000

trusted library allocation

page read and write

3D7D000

direct allocation

page read and write

1561000

heap

page read and write

D4E000

heap

page read and write

1592000

heap

page read and write

EAF000

unkown

page execute and read and write

3BD3000

direct allocation

page read and write

3D7D000

direct allocation

page read and write

3D39000

direct allocation

page read and write

502B000

trusted library allocation

page read and write

5650000

trusted library allocation

page read and write

3B93000

direct allocation

page read and write

1002000

trusted library allocation

page read and write

5020000

trusted library allocation

page read and write

1D1E000

stack

page read and write

CB0000

heap

page read and write

1571000

heap

page read and write

1628000

heap

page read and write

1050000

heap

page execute and read and write

14C0000

direct allocation

page execute and read and write

1080000

heap

page read and write

7F860000

trusted library allocation

page execute and read and write

69B0000

heap

page read and write

5D6E000

stack

page read and write

AEE000

stack

page read and write

5103000

heap

page read and write

3D79000

direct allocation

page read and write

10EE000

stack

page read and write

EF4000

unkown

page execute and read and write

12FF000

stack

page read and write

4B9D000

stack

page read and write

15FE000

heap

page read and write

A60000

heap

page read and write

3C10000

direct allocation

page read and write

1571000

heap

page read and write

67C0000

heap

page read and write

3D39000

direct allocation

page read and write

3A70000

direct allocation

page read and write

624D000

stack

page read and write

E22000

heap

page read and write

D66000

heap

page read and write

1060000

trusted library allocation

page read and write

3C10000

direct allocation

page read and write

11B0000

heap

page read and write

E2D000

heap

page read and write

1090000

trusted library allocation

page read and write

3D7D000

direct allocation

page read and write

10A0000

heap

page read and write

3AB0000

direct allocation

page read and write

3BD3000

direct allocation

page read and write

3C50000

direct allocation

page read and write

1552000

heap

page read and write

3DEE000

direct allocation

page read and write

1040000

trusted library allocation

page execute and read and write

3A61000

trusted library allocation

page read and write

3DAE000

direct allocation

page read and write

4A9C000

stack

page read and write

5FB0000

trusted library allocation

page execute and read and write

1006000

trusted library allocation

page execute and read and write

56BD000

stack

page read and write

1580000

heap

page read and write

B00000

heap

page read and write

548E000

stack

page read and write

3BD3000

direct allocation

page read and write

157E000

heap

page read and write

162A000

heap

page read and write

5640000

trusted library allocation

page read and write

5EB6000

heap

page read and write

155B000

heap

page read and write

3A70000

direct allocation

page read and write

1592000

heap

page read and write

3B93000

direct allocation

page read and write

3DEE000

direct allocation

page read and write

132D000

stack

page read and write

5660000

trusted library allocation

page read and write

3C50000

direct allocation

page read and write

3C10000

direct allocation

page read and write

1017000

trusted library allocation

page execute and read and write

There are 205 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Payment 23832 Proforma INV Bank Confirmation.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportPayment 23832 Proforma INV Bank Confirmation.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
Payment 23832 Proforma INV Bank Confirmation.exe