Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Zahlung_09102024,jpg.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.4344224654434825
Filename:	Zahlung_09102024,jpg.exe
Filesize:	1208337
MD5:	b96fc31917973046588a08c04de74c5e
SHA1:	7e3654b085fc5db5a76c89edf73be7283b1747d7
SHA256:	a428b095b8feca750e1d32dcb0badfeed322bb7ac99afa99a4d3c1e41b8fddb0
SHA512:	717a9b33f182458b0fae3a8ea67e2e74e5a7eab6529651e7d365b5d71042d321cc1ffd9973bd9432360df518e4e13d1a5f2e782e7b4c1cf21f5b46ad948cd652
SSDEEP:	24576:ffmMv6Ckr7Mny5QL4Lh6ApjnvX1QodPqUb80fGW6H4RX0VTW5j:f3v+7/5QLa6AVnVv80OW6HAElEj
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary	System Information Discovery
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to detect sleep reduction / modifications	Malware Analysis System Evasion
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Security Software Discovery
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion	Access Token Manipulation
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts
Contains functionality to launch a process as a different user	System Summary	Native API
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation Access Token Manipulation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Access Token Manipulation Process Discovery Clipboard Data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation Security Software Discovery
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Access Token Manipulation Process Discovery
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation
Found potential string decryption / allocating functions	System Summary
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Access Token Manipulation System Shutdown/Reboot
PE file contains an invalid checksum	Data Obfuscation
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation Security Software Discovery System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information Security Software Discovery
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Security Software Discovery Archive Collected Data
Contains functionality for error logging	System Summary	Access Token Manipulation
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to check free disk space	System Summary
Contains functionality to download additional files from the internet	Networking
Contains functionality to enum processes or threads	System Summary	Access Token Manipulation Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation Security Software Discovery
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery Security Software Discovery System Owner/User Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Creates temporary files	System Summary	Security Software Discovery
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\Okeghem

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Okeghem
Category:	dropped
Dump:	Okeghem.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Zahlung_09102024,jpg.exe
Type:	data
Entropy:	6.775479265854842
Encrypted:	false
Ssdeep:	6144:ud8m8QiD3GEY5TrT7XDU0nnQfYjxJnVw4KI649Cn6Z5fdmL:udr8XrNfYdJVwG64a6Z51U
Size:	274944
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Zahlung_09102024,jpg.exe

"C:\Users\user\Desktop\Zahlung_09102024,jpg.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4836
Target ID:	0
Parent PID:	1028
Name:	Zahlung_09102024,jpg.exe
Path:	C:\Users\user\Desktop\Zahlung_09102024,jpg.exe
Commandline:	"C:\Users\user\Desktop\Zahlung_09102024,jpg.exe"
Size:	1208337
MD5:	B96FC31917973046588A08C04DE74C5E
Time:	04:14:45
Date:	10/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	741376
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected VIP Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\Zahlung_09102024,jpg.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6508
Target ID:	2
Parent PID:	4836
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\Zahlung_09102024,jpg.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	04:14:48
Date:	10/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x9e0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected VIP Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://www.office.com/

unknown

https://duckduckgo.com/chrome_newtab

unknown

https://duckduckgo.com/ac/?q=

unknown

https://api.telegram.org

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

https://api.telegram.org/bot

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:284992%0D%0ADate%20and%20Time:%2010/10/2024%20/%2013:51:17%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20284992%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D

149.154.167.220

http://checkip.dyndns.org

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://www.office.com/lBjq

unknown

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.96.3

https://api.telegram.org/bot/sendMessage?chat_id=&text=

unknown

https://chrome.google.com/webstore?hl=en

unknown

https://www.ecosia.org/newtab/

unknown

http://varders.kozow.com:8081

unknown

http://aborters.duckdns.org:8081

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

http://checkip.dyndns.org/

193.122.130.0

https://reallyfreegeoip.org/xml/8.46.123.33$

unknown

http://anotherarmy.dns.army:8081

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

http://checkip.dyndns.org/q

unknown

https://reallyfreegeoip.org

unknown

https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:284992%0D%0ADate%20a

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded

unknown

https://chrome.google.com/webstore?hl=enlBjq

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 20 hidden URLs, click here to show them.

Domains

Name

Malicious

reallyfreegeoip.org

188.114.96.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.96.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Suricata IDS alerts with low severity for network traffic	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.telegram.org

149.154.167.220

Details

Name:	api.telegram.org
IP:	149.154.167.220
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Uses the Telegram API (likely for C&C communication)	Networking	Web Service
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

193.122.130.0

IPs

Domain

Country

Malicious

149.154.167.220

api.telegram.org

United Kingdom

Details

IP:	149.154.167.220
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	api.telegram.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

188.114.96.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.96.3
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

193.122.130.0

checkip.dyndns.com

United States

Details

IP:	193.122.130.0
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	31898
ASN name:	ORACLE-BMC-31898US
Private:	false
Domain:	checkip.dyndns.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2F20000

direct allocation

page read and write

2E31000

trusted library allocation

page read and write

402000

system

page execute and read and write

6880000

trusted library allocation

page read and write

30E6000

trusted library allocation

page read and write

4239000

trusted library allocation

page read and write

492D000

direct allocation

page read and write

648E000

stack

page read and write

FF7000

heap

page read and write

4800000

direct allocation

page read and write

A79000

heap

page read and write

4660000

direct allocation

page read and write

4075000

heap

page read and write

2E95000

trusted library allocation

page read and write

402F000

heap

page read and write

41CA000

trusted library allocation

page read and write

2C20000

trusted library allocation

page execute and read and write

30A6000

trusted library allocation

page read and write

3EAD000

heap

page read and write

123F000

stack

page read and write

2C60000

trusted library allocation

page read and write

402F000

heap

page read and write

F30000

heap

page read and write

4783000

direct allocation

page read and write

4054000

trusted library allocation

page read and write

571E000

stack

page read and write

492D000

direct allocation

page read and write

402F000

heap

page read and write

4075000

heap

page read and write

402F000

heap

page read and write

402F000

heap

page read and write

401000

unkown

page execute read

2EDE000

trusted library allocation

page read and write

E20000

heap

page read and write

F2D000

trusted library allocation

page execute and read and write

4F2E000

stack

page read and write

F5A000

heap

page read and write

6E60000

heap

page read and write

2AB2000

trusted library allocation

page read and write

6750000

trusted library allocation

page read and write

4075000

heap

page read and write

A05000

heap

page read and write

4783000

direct allocation

page read and write

4660000

direct allocation

page read and write

4197000

trusted library allocation

page read and write

3117000

trusted library allocation

page read and write

4219000

trusted library allocation

page read and write

490000

unkown

page write copy

54C0000

trusted library allocation

page execute and read and write

4800000

direct allocation

page read and write

3DC0000

heap

page read and write

30A1000

trusted library allocation

page read and write

6760000

trusted library allocation

page execute and read and write

5300000

trusted library allocation

page execute and read and write

402F000

heap

page read and write

402F000

heap

page read and write

3B29000

heap

page read and write

3FE6000

heap

page read and write

940000

heap

page read and write

300D000

trusted library allocation

page read and write

492D000

direct allocation

page read and write

4075000

heap

page read and write

402F000

heap

page read and write

42D4000

trusted library allocation

page read and write

F4E000

heap

page read and write

402F000

heap

page read and write

A7B000

heap

page read and write

2FE1000

trusted library allocation

page read and write

42FE000

trusted library allocation

page read and write

499E000

direct allocation

page read and write

3F46000

heap

page read and write

F1D000

trusted library allocation

page execute and read and write

499E000

direct allocation

page read and write

312D000

trusted library allocation

page read and write

4050000

trusted library allocation

page read and write

3EB6000

trusted library allocation

page read and write

42C1000

trusted library allocation

page read and write

3F3B000

heap

page read and write

3CC0000

heap

page read and write

54B0000

trusted library allocation

page read and write

C7A000

stack

page read and write

499E000

direct allocation

page read and write

492D000

direct allocation

page read and write

A10000

heap

page read and write

DE0000

heap

page read and write

4A7000

unkown

page read and write

41D4000

trusted library allocation

page read and write

4075000

heap

page read and write

2EA0000

trusted library allocation

page read and write

3B1F000

stack

page read and write

424F000

trusted library allocation

page read and write

2FDE000

trusted library allocation

page read and write

402F000

heap

page read and write

658E000

stack

page read and write

4075000

heap

page read and write

2F36000

trusted library allocation

page read and write

6790000

trusted library allocation

page execute and read and write

101D000

heap

page read and write

4333000

trusted library allocation

page read and write

402F000

heap

page read and write

4660000

direct allocation

page read and write

4075000

heap

page read and write

400000

unkown

page readonly

402F000

heap

page read and write

2EEE000

trusted library allocation

page read and write

4075000

heap

page read and write

62D0000

heap

page read and write

A4E000

heap

page read and write

40BB000

heap

page read and write

4085000

trusted library allocation

page read and write

41B1000

trusted library allocation

page read and write

2F84000

heap

page read and write

4075000

heap

page read and write

A40000

heap

page read and write

2F14000

trusted library allocation

page read and write

A73000

heap

page read and write

2E16000

trusted library allocation

page read and write

6860000

trusted library allocation

page execute and read and write

499E000

direct allocation

page read and write

4800000

direct allocation

page read and write

8B4000

stack

page read and write

9A000

stack

page read and write

3FFD000

trusted library allocation

page read and write

402F000

heap

page read and write

402F000

heap

page read and write

54D0000

heap

page execute and read and write

93E000

stack

page read and write

3E51000

trusted library allocation

page read and write

4075000

heap

page read and write

3130000

trusted library allocation

page read and write

9AE000

stack

page read and write

4075000

heap

page read and write

FBE000

heap

page read and write

402F000

heap

page read and write

402F000

heap

page read and write

2D5E000

trusted library allocation

page read and write

4783000

direct allocation

page read and write

44DC000

heap

page read and write

482000

unkown

page readonly

3BA3000

heap

page read and write

4013000

trusted library allocation

page read and write

4660000

direct allocation

page read and write

632D000

heap

page read and write

402F000

heap

page read and write

3016000

trusted library allocation

page read and write

674E000

stack

page read and write

4108000

trusted library allocation

page read and write

4800000

direct allocation

page read and write

4075000

heap

page read and write

2EE2000

trusted library allocation

page read and write

402F000

heap

page read and write

402F000

heap

page read and write

2F38000

trusted library allocation

page read and write

41ED000

trusted library allocation

page read and write

6338000

heap

page read and write

402F000

heap

page read and write

402F000

heap

page read and write

2FDC000

trusted library allocation

page read and write

4800000

direct allocation

page read and write

402F000

heap

page read and write

490000

unkown

page read and write

6890000

trusted library allocation

page execute and read and write

3E95000

trusted library allocation

page read and write

3EAA000

heap

page read and write

2EDA000

trusted library allocation

page read and write

2D66000

trusted library allocation

page read and write

41C3000

trusted library allocation

page read and write

2E1A000

trusted library allocation

page read and write

4075000

heap

page read and write

3E31000

trusted library allocation

page read and write

3E59000

trusted library allocation

page read and write

3E44000

trusted library allocation

page read and write

F10000

trusted library allocation

page read and write

2ED2000

trusted library allocation

page read and write

2FD0000

heap

page read and write

402F000

heap

page read and write

4075000

heap

page read and write

2AB0000

trusted library allocation

page read and write

2D6D000

trusted library allocation

page read and write

401000

unkown

page execute read

402F000

heap

page read and write

2E20000

heap

page execute and read and write

3ED0000

heap

page read and write

2FEB000

trusted library allocation

page read and write

3FB7000

heap

page read and write

3081000

trusted library allocation

page read and write

4075000

heap

page read and write

2F10000

heap

page read and write

EEE000

stack

page read and write

6870000

trusted library allocation

page read and write

EA0000

heap

page read and write

A7E000

heap

page read and write

2D40000

trusted library allocation

page read and write

F38000

heap

page read and write

3124000

trusted library allocation

page read and write

3FE1000

heap

page execute and read and write

2D90000

trusted library allocation

page read and write

2FF0000

trusted library allocation

page read and write

3EEA000

heap

page read and write

2D4B000

trusted library allocation

page read and write

3EA3000

trusted library allocation

page read and write

2E97000

trusted library allocation

page read and write

2EEA000

trusted library allocation

page read and write

660E000

stack

page read and write

492D000

direct allocation

page read and write

664E000

stack

page read and write

2AA6000

trusted library allocation

page execute and read and write

53B0000

heap

page read and write

A00000

heap

page read and write

2AA2000

trusted library allocation

page read and write

3F96000

heap

page read and write

2D4E000

trusted library allocation

page read and write

2C30000

trusted library allocation

page read and write

3FA9000

heap

page read and write

43CC000

heap

page read and write

2FAA000

trusted library allocation

page read and write

3E67000

heap

page read and write

42AC000

trusted library allocation

page read and write

4075000

heap

page read and write

6857000

trusted library allocation

page read and write

4075000

heap

page read and write

6840000

trusted library allocation

page read and write

2C50000

heap

page read and write

A4A000

heap

page read and write

402E000

heap

page read and write

4025000

trusted library allocation

page read and write

3EA5000

heap

page read and write

41B8000

trusted library allocation

page read and write

6850000

trusted library allocation

page read and write

30D7000

trusted library allocation

page read and write

2AD0000

trusted library allocation

page read and write

12FE000

stack

page read and write

3012000

trusted library allocation

page read and write

3FA0000

trusted library allocation

page read and write

4075000

heap

page read and write

4075000

heap

page read and write

F13000

trusted library allocation

page execute and read and write

2E8A000

trusted library allocation

page read and write

1E0000

heap

page read and write

301C000

trusted library allocation

page read and write

4075000

heap

page read and write

3F2B000

trusted library allocation

page read and write

3E9C000

trusted library allocation

page read and write

40E3000

trusted library allocation

page read and write

100000

heap

page read and write

89F000

stack

page read and write

3EA9000

trusted library allocation

page read and write

4929000

direct allocation

page read and write

431E000

trusted library allocation

page read and write

492D000

direct allocation

page read and write

3021000

trusted library allocation

page read and write

163E000

stack

page read and write

52AD000

stack

page read and write

4075000

heap

page read and write

3F6A000

trusted library allocation

page read and write

4075000

heap

page read and write

EA5000

heap

page read and write

402F000

heap

page read and write

30AB000

trusted library allocation

page read and write

40F9000

trusted library allocation

page read and write

E6E000

stack

page read and write

3FE2000

heap

page read and write

499E000

direct allocation

page read and write

2DF0000

heap

page read and write

3133000

trusted library allocation

page read and write

4075000

heap

page read and write

9FE000

stack

page read and write

400000

unkown

page readonly

3FE2000

heap

page read and write

30E0000

trusted library allocation

page read and write

4302000

trusted library allocation

page read and write

4660000

direct allocation

page read and write

30B4000

trusted library allocation

page read and write

2E00000

trusted library allocation

page read and write

65CE000

stack

page read and write

4075000

heap

page read and write

406F000

trusted library allocation

page read and write

30B0000

trusted library allocation

page read and write

2EE6000

trusted library allocation

page read and write

4800000

direct allocation

page read and write

4075000

heap

page read and write

402F000

heap

page read and write

2AA0000

trusted library allocation

page read and write

2D3C000

stack

page read and write

2D80000

trusted library allocation

page read and write

402F000

heap

page read and write

632F000

heap

page read and write

2D61000

trusted library allocation

page read and write

4075000

heap

page read and write

418B000

trusted library allocation

page read and write

67F0000

trusted library allocation

page read and write

4075000

heap

page read and write

402F000

heap

page read and write

402F000

heap

page read and write

3F17000

heap

page read and write

68C0000

heap

page read and write

41DF000

trusted library allocation

page read and write

4929000

direct allocation

page read and write

402F000

heap

page read and write

4075000

heap

page read and write

3EAD000

trusted library allocation

page read and write

2ABB000

trusted library allocation

page execute and read and write

E00000

heap

page read and write

3EA0000

heap

page read and write

4929000

direct allocation

page read and write

4783000

direct allocation

page read and write

402F000

heap

page read and write

3F15000

trusted library allocation

page read and write

2D5A000

trusted library allocation

page read and write

3EBB000

trusted library allocation

page read and write

2E2B000

heap

page read and write

4075000

heap

page read and write

8FE000

stack

page read and write

30A9000

trusted library allocation

page read and write

11FE000

stack

page read and write

371E000

stack

page read and write

4075000

heap

page read and write

E70000

heap

page read and write

4075000

heap

page read and write

4075000

heap

page read and write

4075000

heap

page read and write

2D46000

trusted library allocation

page read and write

644F000

stack

page read and write

3E3F000

trusted library allocation

page read and write

52FD000

trusted library allocation

page read and write

402F000

heap

page read and write

402F000

heap

page read and write

403F000

heap

page read and write

2D72000

trusted library allocation

page read and write

4AB000

unkown

page readonly

3EB2000

trusted library allocation

page read and write

2DF3000

heap

page read and write

3EC1000

trusted library allocation

page read and write

61CE000

stack

page read and write

402F000

heap

page read and write

4075000

heap

page read and write

4660000

direct allocation

page read and write

2E14000

trusted library allocation

page read and write

2ECE000

trusted library allocation

page read and write

4929000

direct allocation

page read and write

4075000

heap

page read and write

326E000

trusted library allocation

page read and write

499E000

direct allocation

page read and write

F00000

trusted library allocation

page read and write

4783000

direct allocation

page read and write

400000

system

page execute and read and write

D77000

stack

page read and write

2AAA000

trusted library allocation

page execute and read and write

4075000

heap

page read and write

41A4000

trusted library allocation

page read and write

2EA8000

trusted library allocation

page read and write

2AB7000

trusted library allocation

page execute and read and write

4929000

direct allocation

page read and write

3EB8000

trusted library allocation

page read and write

62CE000

stack

page read and write

402F000

heap

page read and write

2ED6000

trusted library allocation

page read and write

52F0000

trusted library allocation

page read and write

6780000

trusted library allocation

page execute and read and write

4929000

direct allocation

page read and write

F20000

trusted library allocation

page read and write

3F8A000

trusted library allocation

page read and write

402F000

heap

page read and write

2C1E000

stack

page read and write

A7E000

heap

page read and write

41CF000

trusted library allocation

page read and write

4783000

direct allocation

page read and write

2AB5000

trusted library allocation

page execute and read and write

402F000

heap

page read and write

F6A000

heap

page read and write

2EA4000

trusted library allocation

page read and write

6770000

trusted library allocation

page execute and read and write

1800000

heap

page read and write

3E4B000

trusted library allocation

page read and write

2C68000

trusted library allocation

page read and write

3FC0000

heap

page read and write

402F000

heap

page read and write

2F80000

heap

page read and write

2E7E000

trusted library allocation

page read and write

482000

unkown

page readonly

640D000

stack

page read and write

4075000

heap

page read and write

F14000

trusted library allocation

page read and write

3F3E000

trusted library allocation

page read and write

2B1E000

stack

page read and write

2C40000

trusted library allocation

page read and write

4AB000

unkown

page readonly

DF0000

heap

page read and write

2FD5000

heap

page read and write

3E5B000

heap

page read and write

8AF000

stack

page read and write

There are 381 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Zahlung_09102024,jpg.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportZahlung_09102024,jpg.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Zahlung_09102024,jpg.exe