Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

z30ProofofPaymentAttached.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.96748319435055
Filename:	z30ProofofPaymentAttached.exe
Filesize:	1073152
MD5:	a2c61107b1d0bd03a8133c81b02fe6d8
SHA1:	b27273c26424a5ab644440485196b506ed5e4ee7
SHA256:	f0e637afd17905703f31d1efa7b5c847687560311ecec72b7f84352b4e3c66fc
SHA512:	02dafffd91ebf5860535f1cd3d815a93bb2953d77e1e0d4f4507867f91dbde60bf993982f201de5b7e586bf94a50a7c466ee07dfa8cc3ae4305c921c3f41009d
SSDEEP:	24576:rtb20pkaCqT5TBWgNQ7aU3pfLv+GTnn25/6A:oVg5tQ7aU3Fpn2x5
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection	Disable or Modify Tools
Binary is likely a compiled AutoIt script file	System Summary
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection Disable or Modify Tools
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion	System Information Discovery Security Software Discovery
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging	Disable or Modify Tools
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts Access Token Manipulation Disable or Modify Tools
Contains functionality to launch a process as a different user	System Summary
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	Disable or Modify Tools
Contains functionality to read the PEB	Anti Debugging
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Detected potential crypto function	System Summary	System Time Discovery
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found evaded block containing many API calls	Malware Analysis System Evasion	Disable or Modify Tools
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API
Found large amount of non-executed APIs	Malware Analysis System Evasion	System Time Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Disable or Modify Tools System Shutdown/Reboot
Sample file is different than original file name gathered from version info	System Summary	System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Disable or Modify Tools
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary	Disable or Modify Tools
.NET source code contains calls to encryption/decryption functions	System Summary	Archive Collected Data
Contains functionality for error logging	System Summary	Disable or Modify Tools
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Disable or Modify Tools
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion	Disable or Modify Tools
Reads software policies	System Summary
Sample is known by Antivirus	System Summary	Disable or Modify Tools
Tries to load missing DLLs	System Summary	DLL Side-Loading Disable or Modify Tools
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary	Disable or Modify Tools

C:\Users\user\AppData\Local\Temp\aut719C.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut719C.tmp
Category:	dropped
Dump:	aut719C.tmp.1.dr
ID:	dr_0
Target ID:	1
Process:	C:\Users\user\Desktop\z30ProofofPaymentAttached.exe
Type:	data
Entropy:	7.952850631769685
Encrypted:	false
Ssdeep:	3072:iQ11th1R7v+TJv05+mzGv0AGY4WsZWQfSw6z3dea2PeAh:iQDth1Rj+TJOGv10MTdea2WAh
Size:	144504
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\murky

data

modified

Details

File:	C:\Users\user\AppData\Local\Temp\murky
Category:	modified
Dump:	murky.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Users\user\Desktop\z30ProofofPaymentAttached.exe
Type:	data
Entropy:	6.955326163403382
Encrypted:	false
Ssdeep:	6144:TucClIHy9liBfp2I0MqroUTNtorr+txuRqRcO86xSxM5xvnx+4xTihH4C9df8wmZ:TFtqroUTNtorr+txuR4cO808MrvnxhTr
Size:	280064
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\z30ProofofPaymentAttached.exe

"C:\Users\user\Desktop\z30ProofofPaymentAttached.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7304
Target ID:	1
Parent PID:	4056
Name:	z30ProofofPaymentAttached.exe
Path:	C:\Users\user\Desktop\z30ProofofPaymentAttached.exe
Commandline:	"C:\Users\user\Desktop\z30ProofofPaymentAttached.exe"
Size:	1073152
MD5:	A2C61107B1D0BD03A8133C81B02FE6D8
Time:	10:32:25
Date:	18/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xfb0000
Modulesize:	1097728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected VIP Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Binary is likely a compiled AutoIt script file	System Summary
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\z30ProofofPaymentAttached.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7712
Target ID:	7
Parent PID:	7304
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\z30ProofofPaymentAttached.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	10:32:26
Date:	18/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xa80000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected VIP Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://www.office.com/

unknown

https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20a

unknown

https://duckduckgo.com/chrome_newtab

unknown

https://duckduckgo.com/ac/?q=

unknown

https://api.telegram.org

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

https://api.telegram.org/bot

unknown

https://www.office.com/lB

unknown

http://mzgold.ir

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://r10.o.lencr.org0#

unknown

http://checkip.dyndns.org

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20and%20Time:%2019/11/2024%20/%2005:20:42%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20648351%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D

149.154.167.220

https://api.telegram.org/bot/sendMessage?chat_id=&text=

unknown

https://chrome.google.com/webstore?hl=en

unknown

https://www.ecosia.org/newtab/

unknown

https://chrome.google.com/webstore?hl=en8

unknown

http://varders.kozow.com:8081

unknown

http://aborters.duckdns.org:8081

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

https://www.office.com/8

unknown

http://checkip.dyndns.org/

193.122.6.168

http://51.38.247.67:8081/_send_.php?L

unknown

http://anotherarmy.dns.army:8081

unknown

http://x1.c.lencr.org/0

unknown

http://x1.i.lencr.org/0

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

http://checkip.dyndns.org/q

unknown

https://chrome.google.com/webstore?hl=enlB

unknown

https://reallyfreegeoip.org

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

https://reallyfreegeoip.org/xml/155.94.241.187$

unknown

https://reallyfreegeoip.org/xml/155.94.241.187

188.114.97.3

http://r10.i.lencr.org/0

unknown

http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 28 hidden URLs, click here to show them.

Domains

Name

Malicious

mzgold.ir

217.144.107.148

Details

Name:	mzgold.ir
IP:	217.144.107.148
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

reallyfreegeoip.org

188.114.97.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.97.3
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Suricata IDS alerts with low severity for network traffic	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.telegram.org

149.154.167.220

Details

Name:	api.telegram.org
IP:	149.154.167.220
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Uses the Telegram API (likely for C&C communication)	Networking	Web Service
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

checkip.dyndns.com

193.122.6.168

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

217.144.107.148

mzgold.ir

Iran (ISLAMIC Republic Of)

Details

IP:	217.144.107.148
TargetID:	7
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	Iran (ISLAMIC Republic Of)
Countrycode:	IRN
ASN number:	204213
ASN name:	NETMIHANIR
Private:	false
Domain:	mzgold.ir

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

149.154.167.220

api.telegram.org

United Kingdom

Details

IP:	149.154.167.220
TargetID:	7
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	api.telegram.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

188.114.97.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.97.3
TargetID:	7
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

193.122.6.168

checkip.dyndns.com

United States

Details

IP:	193.122.6.168
TargetID:	7
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	31898
ASN name:	ORACLE-BMC-31898US
Private:	false
Domain:	checkip.dyndns.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2E21000

trusted library allocation

page read and write

3019000

trusted library allocation

page read and write

F60000

direct allocation

page read and write

402000

system

page execute and read and write

103D000

unkown

page readonly

5260000

trusted library allocation

page read and write

36DD000

direct allocation

page read and write

7DB000

stack

page read and write

40D8000

trusted library allocation

page read and write

BE0000

trusted library allocation

page execute and read and write

36D9000

direct allocation

page read and write

65EE000

stack

page read and write

2EE2000

trusted library allocation

page read and write

54E0000

heap

page read and write

1000000

heap

page read and write

B26000

heap

page read and write

FD0000

trusted library allocation

page read and write

30AC000

trusted library allocation

page read and write

379E000

direct allocation

page read and write

5281000

trusted library allocation

page read and write

C0C000

heap

page read and write

2FB0000

trusted library allocation

page read and write

A18000

heap

page read and write

4007000

trusted library allocation

page read and write

374E000

direct allocation

page read and write

6830000

trusted library allocation

page execute and read and write

419D000

trusted library allocation

page read and write

1040000

heap

page read and write

A17000

heap

page read and write

312E000

trusted library allocation

page read and write

1360000

trusted library allocation

page read and write

2E72000

trusted library allocation

page read and write

4140000

trusted library allocation

page read and write

2CB0000

heap

page execute and read and write

ABA000

heap

page read and write

2FA8000

trusted library allocation

page read and write

18BF000

stack

page read and write

3E8D000

trusted library allocation

page read and write

13C0000

trusted library allocation

page read and write

5295000

trusted library allocation

page read and write

2FAC000

trusted library allocation

page read and write

41EF000

trusted library allocation

page read and write

4032000

trusted library allocation

page read and write

A1E000

heap

page read and write

2ECA000

trusted library allocation

page read and write

35B0000

direct allocation

page read and write

319B000

trusted library allocation

page read and write

1191000

heap

page read and write

36D9000

direct allocation

page read and write

BC0000

trusted library allocation

page read and write

40B1000

trusted library allocation

page read and write

6820000

trusted library allocation

page execute and read and write

2BE8000

trusted library allocation

page read and write

2ED2000

trusted library allocation

page read and write

117A000

heap

page read and write

3600000

direct allocation

page read and write

6800000

trusted library allocation

page execute and read and write

31C3000

trusted library allocation

page read and write

528D000

trusted library allocation

page read and write

2C90000

trusted library allocation

page read and write

7FC000

stack

page read and write

3044000

trusted library allocation

page read and write

9D0000

heap

page read and write

5400000

heap

page read and write

6900000

trusted library allocation

page read and write

3410000

direct allocation

page read and write

1396000

trusted library allocation

page execute and read and write

30E9000

trusted library allocation

page read and write

1380000

trusted library allocation

page read and write

30A2000

trusted library allocation

page read and write

3E21000

trusted library allocation

page read and write

3E34000

trusted library allocation

page read and write

6810000

trusted library allocation

page execute and read and write

1150000

heap

page read and write

2FE7000

trusted library allocation

page read and write

1236000

heap

page read and write

138D000

trusted library allocation

page execute and read and write

3533000

direct allocation

page read and write

40E9000

trusted library allocation

page read and write

2FAE000

trusted library allocation

page read and write

68F4000

trusted library allocation

page read and write

106A000

unkown

page write copy

2E95000

trusted library allocation

page read and write

ACC000

heap

page read and write

313D000

trusted library allocation

page read and write

374E000

direct allocation

page read and write

BA0000

heap

page read and write

3099000

trusted library allocation

page read and write

B90000

heap

page read and write

2F2E000

trusted library allocation

page read and write

1045000

heap

page read and write

BD0000

trusted library allocation

page read and write

372D000

direct allocation

page read and write

9DE000

heap

page read and write

527A000

trusted library allocation

page read and write

ABA000

heap

page read and write

67B0000

trusted library allocation

page read and write

3583000

direct allocation

page read and write

2FDF000

trusted library allocation

page read and write

35B0000

direct allocation

page read and write

13A2000

trusted library allocation

page read and write

3583000

direct allocation

page read and write

3583000

direct allocation

page read and write

3EDD000

trusted library allocation

page read and write

B80000

heap

page read and write

4051000

trusted library allocation

page read and write

B26000

heap

page read and write

35B0000

direct allocation

page read and write

581E000

stack

page read and write

2FEC000

trusted library allocation

page read and write

41F3000

trusted library allocation

page read and write

52FD000

stack

page read and write

960000

heap

page read and write

3139000

trusted library allocation

page read and write

1010000

heap

page read and write

599D000

stack

page read and write

400000

system

page execute and read and write

67E0000

trusted library allocation

page execute and read and write

3035000

trusted library allocation

page read and write

1AB0000

heap

page read and write

3F4C000

trusted library allocation

page read and write

1A08000

heap

page read and write

59B6000

trusted library allocation

page read and write

2E8A000

trusted library allocation

page read and write

30B5000

trusted library allocation

page read and write

666E000

stack

page read and write

3133000

trusted library allocation

page read and write

2C80000

trusted library allocation

page read and write

30B1000

trusted library allocation

page read and write

14BE000

stack

page read and write

64AE000

stack

page read and write

2EC2000

trusted library allocation

page read and write

54D0000

heap

page execute and read and write

139A000

trusted library allocation

page execute and read and write

67C0000

trusted library allocation

page execute and read and write

379E000

direct allocation

page read and write

412A000

trusted library allocation

page read and write

3E41000

trusted library allocation

page read and write

63AA000

heap

page read and write

3460000

direct allocation

page read and write

68A0000

trusted library allocation

page execute and read and write

19F4000

heap

page read and write

2FE1000

trusted library allocation

page read and write

4085000

trusted library allocation

page read and write

67F0000

trusted library allocation

page read and write

3E3B000

trusted library allocation

page read and write

2CFC000

stack

page read and write

BAC000

heap

page read and write

3460000

direct allocation

page read and write

446000

system

page execute and read and write

1392000

trusted library allocation

page read and write

5403000

heap

page read and write

A0E000

heap

page read and write

BC7000

trusted library allocation

page read and write

137D000

trusted library allocation

page execute and read and write

105E000

unkown

page readonly

2FBB000

trusted library allocation

page read and write

1374000

trusted library allocation

page read and write

3EF3000

trusted library allocation

page read and write

3F6C000

trusted library allocation

page read and write

2E9D000

trusted library allocation

page read and write

626E000

stack

page read and write

13AB000

trusted library allocation

page execute and read and write

FB1000

unkown

page execute read

87E000

stack

page read and write

312A000

trusted library allocation

page read and write

2F0A000

trusted library allocation

page read and write

526E000

trusted library allocation

page read and write

31C1000

trusted library allocation

page read and write

2E1E000

stack

page read and write

A1E000

heap

page read and write

595E000

stack

page read and write

3600000

direct allocation

page read and write

2EDE000

trusted library allocation

page read and write

3729000

direct allocation

page read and write

67BD000

trusted library allocation

page read and write

3533000

direct allocation

page read and write

3F20000

trusted library allocation

page read and write

BAC000

heap

page read and write

6C70000

heap

page read and write

6378000

heap

page read and write

19F0000

heap

page read and write

106A000

unkown

page read and write

A82000

heap

page read and write

64EE000

stack

page read and write

591E000

stack

page read and write

67AE000

stack

page read and write

3E49000

trusted library allocation

page read and write

606E000

stack

page read and write

41C5000

trusted library allocation

page read and write

13A5000

trusted library allocation

page execute and read and write

636E000

stack

page read and write

5286000

trusted library allocation

page read and write

B1A000

stack

page read and write

A9000

stack

page read and write

662E000

stack

page read and write

67D0000

trusted library allocation

page read and write

63E1000

heap

page read and write

A18000

heap

page read and write

A1F000

heap

page read and write

68C6000

trusted library allocation

page read and write

2EDA000

trusted library allocation

page read and write

106F000

unkown

page write copy

1430000

heap

page read and write

1373000

trusted library allocation

page execute and read and write

3E2F000

trusted library allocation

page read and write

6890000

trusted library allocation

page read and write

36DD000

direct allocation

page read and write

A28000

heap

page read and write

59A0000

trusted library allocation

page read and write

3410000

direct allocation

page read and write

54CE000

stack

page read and write

83D000

stack

page read and write

1390000

trusted library allocation

page read and write

5266000

trusted library allocation

page read and write

A19000

heap

page execute and read and write

6902000

trusted library allocation

page read and write

133E000

stack

page read and write

9DA000

heap

page read and write

B26000

heap

page read and write

6905000

trusted library allocation

page read and write

36DD000

direct allocation

page read and write

2FB6000

trusted library allocation

page read and write

7BC000

stack

page read and write

1187000

heap

page read and write

30DE000

trusted library allocation

page read and write

AA2000

heap

page read and write

374E000

direct allocation

page read and write

3137000

trusted library allocation

page read and write

31CE000

trusted library allocation

page read and write

3729000

direct allocation

page read and write

31BB000

trusted library allocation

page read and write

2FDD000

trusted library allocation

page read and write

3060000

trusted library allocation

page read and write

3600000

direct allocation

page read and write

AEB000

heap

page read and write

3FF4000

trusted library allocation

page read and write

ABB000

heap

page read and write

13A0000

trusted library allocation

page read and write

A0B000

heap

page read and write

1F0000

heap

page read and write

105E000

unkown

page readonly

BB0000

trusted library allocation

page read and write

103D000

unkown

page readonly

3410000

direct allocation

page read and write

526B000

trusted library allocation

page read and write

FB1000

unkown

page execute read

A18000

heap

page read and write

3F82000

trusted library allocation

page read and write

316E000

trusted library allocation

page read and write

3460000

direct allocation

page read and write

2E7F000

trusted library allocation

page read and write

9A0000

heap

page read and write

3054000

trusted library allocation

page read and write

2E99000

trusted library allocation

page read and write

1420000

trusted library allocation

page read and write

110000

heap

page read and write

63EC000

heap

page read and write

30E2000

trusted library allocation

page read and write

372D000

direct allocation

page read and write

59BA000

trusted library allocation

page read and write

6910000

trusted library allocation

page read and write

1074000

unkown

page readonly

40E7000

trusted library allocation

page read and write

13A7000

trusted library allocation

page execute and read and write

2FD9000

trusted library allocation

page read and write

A42000

heap

page read and write

308E000

trusted library allocation

page read and write

40EF000

trusted library allocation

page read and write

140E000

stack

page read and write

3029000

trusted library allocation

page read and write

2D10000

heap

page read and write

FB0000

unkown

page readonly

31C5000

trusted library allocation

page read and write

40DB000

trusted library allocation

page read and write

4035000

trusted library allocation

page read and write

3F0B000

trusted library allocation

page read and write

2ED6000

trusted library allocation

page read and write

30DC000

trusted library allocation

page read and write

533E000

stack

page read and write

1410000

trusted library allocation

page execute and read and write

2ECE000

trusted library allocation

page read and write

1158000

heap

page read and write

1189000

heap

page read and write

372D000

direct allocation

page read and write

379E000

direct allocation

page read and write

3533000

direct allocation

page read and write

31CA000

trusted library allocation

page read and write

1074000

unkown

page readonly

EF7000

stack

page read and write

40E1000

trusted library allocation

page read and write

41B2000

trusted library allocation

page read and write

4F1E000

stack

page read and write

FB0000

unkown

page readonly

3FDF000

trusted library allocation

page read and write

A63000

heap

page read and write

3729000

direct allocation

page read and write

2CA0000

trusted library allocation

page read and write

1370000

trusted library allocation

page read and write

59B4000

trusted library allocation

page read and write

40D1000

trusted library allocation

page read and write

2EC6000

trusted library allocation

page read and write

40E4000

trusted library allocation

page read and write

36D9000

direct allocation

page read and write

3093000

trusted library allocation

page read and write

527E000

trusted library allocation

page read and write

7CE000

stack

page read and write

30D6000

trusted library allocation

page read and write

4066000

trusted library allocation

page read and write

66AE000

stack

page read and write

6370000

heap

page read and write

A5D000

heap

page read and write

There are 302 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
z30ProofofPaymentAttached.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportz30ProofofPaymentAttached.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
z30ProofofPaymentAttached.exe