Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

wrong bank details.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.765554913857324
Filename:	wrong bank details.exe
Filesize:	563200
MD5:	67a9a9b047b1e4f4d70930d8fd2142ad
SHA1:	269a60f8300a7b449c9cdc54a1470eefc0e192fb
SHA256:	a750777345fce604f483adfbe40e5f0d4c0582e5536c273675d7fd1002e84c5d
SHA512:	f63cefa6eb0b9019983e5e5cfddda955b639ae45b842a40c55e0b088500cddd0cf9d223df15fcdf4a069e1cf6244363c647f50538c947c920fea4f8314a6a5c4
SSDEEP:	12288:mnf0nZYr6+Tvy+XxpbVsh8FCvWuagIYIHNb8Pqli:mnGZY2+TvlvbVshnvWuaa
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0.................. ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Abnormal high CPU Usage	System Summary	Process Injection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wrong bank details.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wrong bank details.exe.log
Category:	dropped
Dump:	wrong bank details.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\wrong bank details.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\wrong bank details.exe

"C:\Users\user\Desktop\wrong bank details.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4992
Target ID:	0
Parent PID:	4004
Name:	wrong bank details.exe
Path:	C:\Users\user\Desktop\wrong bank details.exe
Commandline:	"C:\Users\user\Desktop\wrong bank details.exe"
Size:	563200
MD5:	67A9A9B047B1E4F4D70930D8FD2142AD
Time:	09:41:21
Date:	07/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1e0000
Modulesize:	589824
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected MassLogger RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\wrong bank details.exe

"C:\Users\user\Desktop\wrong bank details.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6236
Target ID:	3
Parent PID:	4992
Name:	wrong bank details.exe
Path:	C:\Users\user\Desktop\wrong bank details.exe
Commandline:	"C:\Users\user\Desktop\wrong bank details.exe"
Size:	563200
MD5:	67A9A9B047B1E4F4D70930D8FD2142AD
Time:	09:41:22
Date:	07/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1f0000
Modulesize:	589824
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected MassLogger RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\wrong bank details.exe

"C:\Users\user\Desktop\wrong bank details.exe"

Details

Is windows:	false
Is dropped:	false
PID:	616
Target ID:	4
Parent PID:	4992
Name:	wrong bank details.exe
Path:	C:\Users\user\Desktop\wrong bank details.exe
Commandline:	"C:\Users\user\Desktop\wrong bank details.exe"
Size:	563200
MD5:	67A9A9B047B1E4F4D70930D8FD2142AD
Time:	09:41:23
Date:	07/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x640000
Modulesize:	589824
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected MassLogger RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://api.telegram.org

unknown

https://api.telegram.org/bot

unknown

http://certificates.godaddy.com/repository/0

unknown

http://certs.godaddy.com/repository/1301

unknown

http://reallyfreegeoip.orgd

unknown

http://crl.godaddy.com/gdig2s1-19134.crl0

unknown

http://checkip.dyndns.org

unknown

https://api.telegram.org/bot8012948610:AAH4T2bfY_PPyXgKFGVw8rmhjBzj3nREYAE/sendDocument?chat_id=4039

unknown

https://certs.godaddy.com/repository/0

unknown

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.96.3

https://reallyfreegeoip.org/xml/8.46.123.33l

unknown

http://crl.godaddy.com/gdroot-g2.crl0F

unknown

http://checkip.dyndns.org/

132.226.8.169

http://checkip.dyndns.comd

unknown

https://reallyfreegeoip.org/xml/8.46.123.33d

unknown

http://checkip.dyndns.org/q

unknown

http://crl.godaddy.com/gdroot.crl0F

unknown

http://reallyfreegeoip.org

unknown

http://checkip.dyndns.orgd

unknown

https://reallyfreegeoip.org

unknown

http://api.telegram.orgd

unknown

http://checkip.dyndns.com

unknown

http://api.telegram.org

unknown

http://certificates.godaddy.com/repository/gdig2.crt0

unknown

http://checkip.dyndns.org/d

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://api.telegram.org/bot-/sendDocument?chat_id=

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 18 hidden URLs, click here to show them.

Domains

Name

Malicious

reallyfreegeoip.org

188.114.96.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.96.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.telegram.org

149.154.167.220

Details

Name:	api.telegram.org
IP:	149.154.167.220
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Uses the Telegram API (likely for C&C communication)	Networking	Web Service
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

132.226.8.169

IPs

Domain

Country

Malicious

149.154.167.220

api.telegram.org

United Kingdom

Details

IP:	149.154.167.220
TargetID:	4
Current Path:	C:\Users\user\Desktop\wrong bank details.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	api.telegram.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

188.114.96.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.96.3
TargetID:	4
Current Path:	C:\Users\user\Desktop\wrong bank details.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

132.226.8.169

checkip.dyndns.com

United States

Details

IP:	132.226.8.169
TargetID:	4
Current Path:	C:\Users\user\Desktop\wrong bank details.exe
Country:	United States
Countrycode:	USA
ASN number:	16989
ASN name:	UTMEMUS
Private:	false
Domain:	checkip.dyndns.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\wrong bank details_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\wrong bank details_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\wrong bank details_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\wrong bank details_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\wrong bank details_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\wrong bank details_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\wrong bank details_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\wrong bank details_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\wrong bank details_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\wrong bank details_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\wrong bank details_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\wrong bank details_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\wrong bank details_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\wrong bank details_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

3676000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

2B74000

trusted library allocation

page read and write

35A9000

trusted library allocation

page read and write

610E000

stack

page read and write

28E4000

trusted library allocation

page read and write

2B31000

trusted library allocation

page read and write

2A2F000

trusted library allocation

page read and write

9CE000

stack

page read and write

3A91000

trusted library allocation

page read and write

7330000

heap

page read and write

8C9000

heap

page read and write

4FFA000

trusted library allocation

page read and write

2B2D000

trusted library allocation

page read and write

C70000

trusted library allocation

page read and write

6C70000

trusted library allocation

page read and write

4EBA000

trusted library allocation

page read and write

66C0000

heap

page read and write

2910000

heap

page execute and read and write

730F000

stack

page read and write

4FF6000

trusted library allocation

page read and write

B56000

trusted library allocation

page execute and read and write

806000

heap

page read and write

2891000

trusted library allocation

page read and write

2815000

trusted library allocation

page read and write

2A43000

trusted library allocation

page read and write

4E50000

heap

page read and write

642E000

stack

page read and write

23E0000

trusted library allocation

page read and write

2B04000

trusted library allocation

page read and write

B30000

trusted library allocation

page read and write

266B000

trusted library allocation

page read and write

624D000

stack

page read and write

2853000

trusted library allocation

page read and write

DE0000

trusted library allocation

page read and write

2801000

trusted library allocation

page read and write

7D0000

heap

page read and write

DB0000

trusted library allocation

page read and write

811000

heap

page read and write

2785000

trusted library allocation

page read and write

2424000

trusted library allocation

page read and write

55D0000

heap

page read and write

DD0000

trusted library allocation

page read and write

4CC0000

trusted library allocation

page execute and read and write

2B04000

trusted library allocation

page read and write

6C00000

trusted library section

page read and write

2420000

trusted library allocation

page read and write

9FFE000

stack

page read and write

243E000

trusted library allocation

page read and write

63EF000

stack

page read and write

55C0000

heap

page read and write

4ED2000

trusted library allocation

page read and write

2BF4000

trusted library allocation

page read and write

C92000

trusted library allocation

page read and write

4F60000

heap

page read and write

67C0000

trusted library allocation

page execute and read and write

760000

heap

page read and write

C9B000

trusted library allocation

page execute and read and write

279A000

trusted library allocation

page read and write

4F40000

trusted library allocation

page execute and read and write

B67000

trusted library allocation

page execute and read and write

2AFE000

trusted library allocation

page read and write

36F6000

trusted library allocation

page read and write

F3E000

stack

page read and write

3A21000

trusted library allocation

page read and write

4A5D000

stack

page read and write

C86000

trusted library allocation

page execute and read and write

B52000

trusted library allocation

page read and write

C97000

trusted library allocation

page execute and read and write

23BC000

stack

page read and write

2AD4000

trusted library allocation

page read and write

2ABB000

trusted library allocation

page read and write

B33000

trusted library allocation

page execute and read and write

2A82000

trusted library allocation

page read and write

2B18000

trusted library allocation

page read and write

4F63000

heap

page read and write

2A6D000

trusted library allocation

page read and write

2400000

heap

page read and write

2B34000

trusted library allocation

page read and write

242B000

trusted library allocation

page read and write

27AE000

trusted library allocation

page read and write

5000000

trusted library allocation

page execute and read and write

6BAE000

stack

page read and write

285F000

stack

page read and write

2446000

trusted library allocation

page read and write

B20000

trusted library allocation

page read and write

2A82000

trusted library allocation

page read and write

4F5E000

stack

page read and write

2C34000

trusted library allocation

page read and write

1E0000

unkown

page readonly

471D000

stack

page read and write

400000

remote allocation

page execute and read and write

2771000

trusted library allocation

page read and write

6C60000

trusted library allocation

page read and write

25D9000

trusted library allocation

page read and write

C8A000

trusted library allocation

page execute and read and write

B80000

heap

page read and write

B67000

heap

page read and write

2A1A000

trusted library allocation

page read and write

4ECD000

trusted library allocation

page read and write

28A6000

trusted library allocation

page read and write

B23000

trusted library allocation

page execute and read and write

25C000

unkown

page readonly

2868000

trusted library allocation

page read and write

B43000

trusted library allocation

page read and write

2AC0000

trusted library allocation

page read and write

2A05000

trusted library allocation

page read and write

23F0000

trusted library allocation

page read and write

9B7D000

stack

page read and write

27EC000

trusted library allocation

page read and write

2A21000

trusted library allocation

page read and write

750000

heap

page read and write

C95000

trusted library allocation

page execute and read and write

4EBE000

trusted library allocation

page read and write

2B36000

trusted library allocation

page read and write

B4D000

heap

page read and write

41A000

remote allocation

page execute and read and write

7310000

trusted library section

page read and write

2B43000

trusted library allocation

page read and write

2B39000

trusted library allocation

page read and write

656E000

stack

page read and write

993E000

stack

page read and write

275C000

trusted library allocation

page read and write

6C6A000

trusted library allocation

page read and write

6BF0000

trusted library allocation

page read and write

6110000

heap

page read and write

2A96000

trusted library allocation

page read and write

62B0000

heap

page read and write

3ACD000

trusted library allocation

page read and write

B20000

trusted library allocation

page read and write

2A1E000

stack

page read and write

670000

heap

page read and write

2AD0000

trusted library allocation

page read and write

4EC6000

trusted library allocation

page read and write

4AD2000

trusted library allocation

page read and write

C80000

trusted library allocation

page read and write

B87000

heap

page read and write

4CF0000

heap

page read and write

29B2000

trusted library allocation

page read and write

3A44000

trusted library allocation

page read and write

6251000

trusted library allocation

page read and write

DA0000

trusted library allocation

page execute and read and write

4F50000

trusted library allocation

page read and write

4A80000

trusted library allocation

page read and write

7DE000

heap

page read and write

B40000

trusted library allocation

page read and write

F7F000

stack

page read and write

2922000

trusted library allocation

page read and write

2B0E000

trusted library allocation

page read and write

7F7000

heap

page read and write

600E000

stack

page read and write

C7D000

trusted library allocation

page execute and read and write

DC0000

heap

page read and write

B50000

trusted library allocation

page read and write

4AD0000

trusted library allocation

page read and write

88B000

heap

page read and write

23C0000

trusted library allocation

page execute and read and write

2974000

trusted library allocation

page read and write

4D4B000

stack

page read and write

C25000

heap

page read and write

2ADC000

trusted library allocation

page read and write

2403000

heap

page read and write

2460000

trusted library allocation

page read and write

369B000

trusted library allocation

page read and write

814000

heap

page read and write

294B000

trusted library allocation

page read and write

2B30000

trusted library allocation

page read and write

29DC000

trusted library allocation

page read and write

6790000

trusted library allocation

page read and write

B0E000

stack

page read and write

2B20000

trusted library allocation

page read and write

67B0000

trusted library allocation

page read and write

6179000

heap

page read and write

DD4000

trusted library allocation

page read and write

4FF4000

trusted library allocation

page read and write

67E0000

heap

page read and write

257E000

stack

page read and write

2AD5000

trusted library allocation

page read and write

2936000

trusted library allocation

page read and write

BB2000

heap

page read and write

B5A000

trusted library allocation

page execute and read and write

237E000

stack

page read and write

B2D000

trusted library allocation

page execute and read and write

F9B000

trusted library allocation

page read and write

7F250000

trusted library allocation

page execute and read and write

2FA000

stack

page read and write

AF7000

stack

page read and write

C6E000

stack

page read and write

3A59000

trusted library allocation

page read and write

5000000

trusted library allocation

page read and write

2B3D000

trusted library allocation

page read and write

9DBE000

stack

page read and write

B38000

heap

page read and write

2AF9000

trusted library allocation

page read and write

4EAB000

trusted library allocation

page read and write

290D000

trusted library allocation

page read and write

7430000

trusted library allocation

page read and write

7C0000

heap

page read and write

2A58000

trusted library allocation

page read and write

B24000

trusted library allocation

page read and write

B34000

trusted library allocation

page read and write

4EC1000

trusted library allocation

page read and write

B4D000

trusted library allocation

page execute and read and write

6F2F000

stack

page read and write

27D8000

trusted library allocation

page read and write

4EA6000

trusted library allocation

page read and write

6E0E000

stack

page read and write

4AF0000

trusted library allocation

page read and write

A0E000

stack

page read and write

4D70000

heap

page execute and read and write

678E000

stack

page read and write

4E55000

heap

page read and write

283F000

trusted library allocation

page read and write

690E000

stack

page read and write

4588000

trusted library allocation

page read and write

3589000

trusted library allocation

page read and write

37AD000

trusted library allocation

page read and write

CA0000

heap

page read and write

2410000

heap

page execute and read and write

6D2E000

stack

page read and write

2960000

trusted library allocation

page read and write

B3D000

trusted library allocation

page execute and read and write

4A60000

trusted library allocation

page read and write

B59000

heap

page read and write

2B17000

trusted library allocation

page read and write

B62000

trusted library allocation

page read and write

28BA000

trusted library allocation

page read and write

6C80000

trusted library allocation

page read and write

4B5E000

stack

page read and write

28CF000

trusted library allocation

page read and write

69B0000

heap

page read and write

29F1000

trusted library allocation

page read and write

630000

heap

page read and write

2C30000

trusted library allocation

page read and write

2330000

trusted library allocation

page read and write

6570000

trusted library allocation

page read and write

B6B000

trusted library allocation

page execute and read and write

BFF000

heap

page read and write

4F3D000

stack

page read and write

1E2000

unkown

page readonly

B10000

trusted library allocation

page read and write

282A000

trusted library allocation

page read and write

720E000

stack

page read and write

2BF2000

trusted library allocation

page read and write

9A3E000

stack

page read and write

7AE000

stack

page read and write

244D000

trusted library allocation

page read and write

2AE9000

trusted library allocation

page read and write

539F000

stack

page read and write

29C7000

trusted library allocation

page read and write

2B1C000

trusted library allocation

page read and write

5130000

trusted library allocation

page execute and read and write

9C7D000

stack

page read and write

2A9C000

trusted library allocation

page read and write

9C80000

heap

page read and write

287D000

trusted library allocation

page read and write

299E000

trusted library allocation

page read and write

4D00000

heap

page read and write

9EFE000

stack

page read and write

2A9E000

trusted library allocation

page read and write

4AE0000

trusted library allocation

page execute and read and write

6CEE000

stack

page read and write

67E2000

trusted library allocation

page read and write

2470000

heap

page read and write

266D000

trusted library allocation

page read and write

2581000

trusted library allocation

page read and write

75A000

stack

page read and write

2900000

trusted library allocation

page read and write

2B37000

trusted library allocation

page read and write

6258000

trusted library allocation

page read and write

25DF000

trusted library allocation

page read and write

3F7000

stack

page read and write

3A4D000

trusted library allocation

page read and write

2AFE000

trusted library allocation

page read and write

4EAE000

trusted library allocation

page read and write

27C3000

trusted library allocation

page read and write

2465000

trusted library allocation

page read and write

4CE0000

trusted library section

page readonly

23D0000

trusted library allocation

page read and write

3581000

trusted library allocation

page read and write

2AD8000

trusted library allocation

page read and write

FB0000

heap

page read and write

7336000

heap

page read and write

4D50000

heap

page read and write

DF0000

heap

page read and write

2AAB000

trusted library allocation

page read and write

7D0000

heap

page read and write

9B3F000

stack

page read and write

2441000

trusted library allocation

page read and write

4AC0000

heap

page read and write

F90000

trusted library allocation

page read and write

9EBE000

stack

page read and write

5150000

heap

page execute and read and write

3752000

trusted library allocation

page read and write

7D8000

heap

page read and write

2989000

trusted library allocation

page read and write

2AC5000

trusted library allocation

page read and write

C82000

trusted library allocation

page read and write

EFF000

stack

page read and write

55EE000

heap

page read and write

4EA0000

trusted library allocation

page read and write

B30000

heap

page read and write

28F8000

trusted library allocation

page read and write

6CA0000

trusted library allocation

page execute and read and write

6D6E000

stack

page read and write

652E000

stack

page read and write

There are 296 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
wrong bank details.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportwrong bank details.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
wrong bank details.exe