Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

rPayment_slip.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.056798158667147
Filename:	rPayment_slip.exe
Filesize:	992521
MD5:	743ab8e823bb4d5fafa96b6334c0ce4d
SHA1:	61982f5dda24433c87ed4c24e9f9261c115d84ed
SHA256:	74016b927469a965edfc8bfb29d943b08f71cf2e4b6e756d739b1e926c859439
SHA512:	b9c6ad2f627c2889af8ce4f88956e68d9433eac82217f944f1c6a59a1e50689245792e1ddfdf68c9b1f8b3637ecff22abffebcb43346cdc2443babab6d8bbe06
SSDEEP:	12288:ALkcoxg7v3qnC11ErwIhh0F4qwUgUny5QYEAmD4M+4x88WncL51fG9hcGTa:WfmMv6Ckr7Mny5QYjY88WcNL0a
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to detect sleep reduction / modifications	Malware Analysis System Evasion	File and Directory Discovery
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Native API Access Token Manipulation
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Process Discovery Clipboard Data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Process Discovery
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	System Shutdown/Reboot
PE file contains an invalid checksum	Data Obfuscation
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Sample file is different than original file name gathered from version info	System Summary	System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
Contains functionality for error logging	System Summary
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality to download additional files from the internet	Networking
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
Category:	dropped
Dump:	RegSvcs.exe.log.1.dr
ID:	dr_1
Target ID:	1
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.353332853270839
Encrypted:	false
Ssdeep:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
Size:	1039
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Temp\Idonna

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Idonna
Category:	dropped
Dump:	Idonna.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\rPayment_slip.exe
Type:	data
Entropy:	6.985993561351513
Encrypted:	false
Ssdeep:	3072:1d4WWuMKi6lsiH+eSzJ2b5W/1UQ0lk/OIexcfnQhBrPe:oWbi0+/CQ06OIeungtPe
Size:	133632
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\rPayment_slip.exe

"C:\Users\user\Desktop\rPayment_slip.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5408
Target ID:	0
Parent PID:	2580
Name:	rPayment_slip.exe
Path:	C:\Users\user\Desktop\rPayment_slip.exe
Commandline:	"C:\Users\user\Desktop\rPayment_slip.exe"
Size:	992521
MD5:	743AB8E823BB4D5FAFA96B6334C0CE4D
Time:	20:31:59
Date:	13/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	782336
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\rPayment_slip.exe"

Details

Is windows:	true
Is dropped:	false
PID:	2124
Target ID:	1
Parent PID:	5408
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\rPayment_slip.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	20:32:01
Date:	13/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x390000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Details

Is windows:	true
Is dropped:	false
PID:	5924
Target ID:	2
Parent PID:	2124
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	20:32:12
Date:	13/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5448
Target ID:	3
Parent PID:	5924
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	20:32:12
Date:	13/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

Details

Is windows:	true
Is dropped:	false
PID:	7124
Target ID:	4
Parent PID:	5924
Name:	choice.exe
Path:	C:\Windows\SysWOW64\choice.exe
Commandline:	choice /C Y /N /D Y /T 3
Size:	28160
MD5:	FCE0E41C87DC4ABBE976998AD26C27E4
Time:	20:32:12
Date:	13/10/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x9e0000
Modulesize:	40960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://reallyfreegeoip.org

unknown

http://checkip.dyndns.org

unknown

http://checkip.dyndns.org/

158.101.44.242

http://checkip.dyndns.com

unknown

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.96.3

https://reallyfreegeoip.org/xml/8.46.123.33$

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://checkip.dyndns.org/q

unknown

http://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org/xml/

unknown

Domains

Name

Malicious

reallyfreegeoip.org

188.114.96.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.96.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Suricata IDS alerts with low severity for network traffic	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

158.101.44.242

IPs

Domain

Country

Malicious

188.114.96.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.96.3
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

158.101.44.242

checkip.dyndns.com

United States

Details

IP:	158.101.44.242
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	31898
ASN name:	ORACLE-BMC-31898US
Private:	false
Domain:	checkip.dyndns.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2F50000

direct allocation

page read and write

2821000

trusted library allocation

page read and write

762000

system

page execute and read and write

A30000

heap

page read and write

3BF0000

heap

page read and write

41F9000

direct allocation

page read and write

3C8A000

heap

page execute and read and write

31A0000

heap

page read and write

313F000

unkown

page read and write

93E000

stack

page read and write

29CD000

trusted library allocation

page read and write

BD2000

trusted library allocation

page read and write

3D4B000

heap

page read and write

3F30000

direct allocation

page read and write

2996000

trusted library allocation

page read and write

E30000

trusted library allocation

page execute and read and write

3849000

trusted library allocation

page read and write

28E8000

trusted library allocation

page read and write

760000

system

page execute and read and write

41FD000

direct allocation

page read and write

40D0000

direct allocation

page read and write

3D05000

heap

page read and write

3CA3000

heap

page read and write

9A000

stack

page read and write

5B8E000

stack

page read and write

8E0000

heap

page read and write

426E000

direct allocation

page read and write

297B000

trusted library allocation

page read and write

BA0000

trusted library allocation

page read and write

B5E000

stack

page read and write

E6E000

trusted library allocation

page read and write

291E000

trusted library allocation

page read and write

4100000

direct allocation

page read and write

968000

heap

page read and write

5E4F000

stack

page read and write

BAD000

trusted library allocation

page execute and read and write

31AC000

heap

page read and write

98B000

heap

page read and write

28D0000

trusted library allocation

page read and write

300E000

unkown

page read and write

3AF1000

heap

page read and write

317F000

stack

page read and write

BD7000

trusted library allocation

page execute and read and write

33D0000

heap

page read and write

41F9000

direct allocation

page read and write

629C000

stack

page read and write

BC0000

trusted library allocation

page read and write

A50000

heap

page read and write

2810000

heap

page execute and read and write

600E000

stack

page read and write

3D4B000

heap

page read and write

422D000

direct allocation

page read and write

E86000

trusted library allocation

page read and write

33A0000

heap

page read and write

1E0000

heap

page read and write

64FE000

stack

page read and write

339F000

stack

page read and write

29ED000

trusted library allocation

page read and write

E89000

trusted library allocation

page read and write

5BCE000

stack

page read and write

8F5000

heap

page read and write

A54000

heap

page read and write

4F60000

heap

page execute and read and write

737000

stack

page read and write

3D4B000

heap

page read and write

3B5A000

heap

page read and write

A15000

heap

page read and write

3C02000

heap

page read and write

5F8E000

stack

page read and write

3C8B000

heap

page read and write

EA7000

heap

page read and write

BC6000

trusted library allocation

page execute and read and write

3D4B000

heap

page read and write

3821000

trusted library allocation

page read and write

51EE000

stack

page read and write

3F30000

direct allocation

page read and write

3D19000

heap

page read and write

31C3000

heap

page read and write

63FE000

stack

page read and write

2F84000

heap

page read and write

2F80000

heap

page read and write

295F000

trusted library allocation

page read and write

100000

heap

page read and write

422D000

direct allocation

page read and write

B60000

heap

page read and write

BA3000

trusted library allocation

page execute and read and write

940000

heap

page read and write

BF0000

trusted library allocation

page read and write

317E000

stack

page read and write

3010000

heap

page read and write

4A7000

unkown

page read and write

A5E000

heap

page read and write

4083000

direct allocation

page read and write

4229000

direct allocation

page read and write

BDB000

trusted library allocation

page execute and read and write

429E000

direct allocation

page read and write

E40000

heap

page read and write

3D05000

heap

page read and write

491C000

stack

page read and write

28CD000

trusted library allocation

page read and write

3F30000

direct allocation

page read and write

40D0000

direct allocation

page read and write

3E72000

heap

page read and write

3D05000

heap

page read and write

1840000

heap

page read and write

50ED000

stack

page read and write

490000

unkown

page write copy

429E000

direct allocation

page read and write

97E000

heap

page read and write

3C0E000

heap

page read and write

4053000

direct allocation

page read and write

3D04000

heap

page read and write

41F9000

direct allocation

page read and write

3D05000

heap

page read and write

532E000

stack

page read and write

B90000

trusted library allocation

page read and write

31B8000

heap

page read and write

3C8B000

heap

page read and write

A10000

heap

page read and write

296B000

trusted library allocation

page read and write

2967000

trusted library allocation

page read and write

400000

unkown

page readonly

EA0000

heap

page read and write

99C000

heap

page read and write

28D9000

trusted library allocation

page read and write

A87000

heap

page read and write

3827000

trusted library allocation

page read and write

274E000

stack

page read and write

3F30000

direct allocation

page read and write

40D0000

direct allocation

page read and write

BA4000

trusted library allocation

page read and write

28C8000

trusted library allocation

page read and write

A89000

heap

page read and write

2DAD000

stack

page read and write

5D08000

heap

page read and write

3C4F000

heap

page read and write

9DF000

heap

page read and write

2FA0000

heap

page read and write

3D4B000

heap

page read and write

3F60000

direct allocation

page read and write

490000

unkown

page read and write

3010000

heap

page read and write

E81000

trusted library allocation

page read and write

970000

heap

page read and write

4083000

direct allocation

page read and write

960000

heap

page read and write

426E000

direct allocation

page read and write

3D4B000

heap

page read and write

3CA3000

heap

page read and write

2FA5000

heap

page read and write

2760000

trusted library allocation

page read and write

4AB000

unkown

page readonly

639C000

stack

page read and write

3D05000

heap

page read and write

3D4B000

heap

page read and write

3D4B000

heap

page read and write

63B0000

heap

page read and write

4AB000

unkown

page readonly

2922000

trusted library allocation

page read and write

D4E000

stack

page read and write

41FD000

direct allocation

page read and write

3D05000

heap

page read and write

3D4B000

heap

page read and write

5D3A000

heap

page read and write

C3E000

stack

page read and write

332F000

stack

page read and write

41FD000

direct allocation

page read and write

3C66000

heap

page read and write

5D28000

heap

page read and write

E2C000

stack

page read and write

8DD000

stack

page read and write

4053000

direct allocation

page read and write

5D1D000

heap

page read and write

164F000

stack

page read and write

5FCE000

stack

page read and write

426E000

direct allocation

page read and write

28E6000

trusted library allocation

page read and write

3C8B000

heap

page read and write

E50000

trusted library allocation

page read and write

181E000

stack

page read and write

2E6D000

heap

page read and write

3C8F000

heap

page read and write

31C5000

heap

page read and write

4E20000

heap

page read and write

400000

unkown

page readonly

93E000

stack

page read and write

401000

unkown

page execute read

5A8E000

stack

page read and write

312E000

stack

page read and write

2927000

trusted library allocation

page read and write

4229000

direct allocation

page read and write

482000

unkown

page readonly

9CE000

stack

page read and write

4083000

direct allocation

page read and write

8AF000

stack

page read and write

3D05000

heap

page read and write

5D13000

heap

page read and write

3AF0000

heap

page read and write

522D000

stack

page read and write

3130000

heap

page read and write

32EE000

stack

page read and write

3BF4000

heap

page read and write

40D0000

direct allocation

page read and write

5E8E000

stack

page read and write

3D05000

heap

page read and write

2977000

trusted library allocation

page read and write

E95000

trusted library allocation

page read and write

29A3000

trusted library allocation

page read and write

3F60000

direct allocation

page read and write

29F4000

trusted library allocation

page read and write

4F2E000

stack

page read and write

BB0000

trusted library allocation

page read and write

3D05000

heap

page read and write

A85000

heap

page read and write

7C0000

heap

page read and write

604E000

stack

page read and write

E64000

trusted library allocation

page read and write

8FE000

stack

page read and write

31B0000

heap

page read and write

4053000

direct allocation

page read and write

3B3B000

heap

page read and write

429E000

direct allocation

page read and write

3D05000

heap

page read and write

3030000

heap

page read and write

4D00000

heap

page read and write

C40000

heap

page read and write

4E00000

trusted library allocation

page read and write

BC2000

trusted library allocation

page read and write

A22000

heap

page read and write

2BF0000

heap

page read and write

2973000

trusted library allocation

page read and write

3180000

heap

page read and write

3F60000

direct allocation

page read and write

28D5000

trusted library allocation

page read and write

3D4B000

heap

page read and write

296F000

trusted library allocation

page read and write

5E0E000

stack

page read and write

8F0000

heap

page read and write

41F9000

direct allocation

page read and write

41FD000

direct allocation

page read and write

BCA000

trusted library allocation

page execute and read and write

426E000

direct allocation

page read and write

3AEF000

stack

page read and write

31C2000

heap

page read and write

3D05000

heap

page read and write

401000

unkown

page execute read

3D4B000

heap

page read and write

124F000

stack

page read and write

614E000

stack

page read and write

E74000

trusted library allocation

page read and write

5CD0000

heap

page read and write

2988000

trusted library allocation

page read and write

975000

heap

page read and write

3D05000

heap

page read and write

2900000

trusted library allocation

page read and write

536E000

stack

page read and write

2EFD000

stack

page read and write

2D6C000

stack

page read and write

89F000

stack

page read and write

3D37000

heap

page read and write

4229000

direct allocation

page read and write

2750000

trusted library allocation

page read and write

4100000

direct allocation

page read and write

422D000

direct allocation

page read and write

2756000

trusted library allocation

page read and write

29B1000

trusted library allocation

page read and write

2963000

trusted library allocation

page read and write

34E0000

heap

page read and write

2B8D000

stack

page read and write

4100000

direct allocation

page read and write

5CCF000

stack

page read and write

27ED000

stack

page read and write

29D1000

trusted library allocation

page read and write

3C8B000

heap

page read and write

482000

unkown

page readonly

4053000

direct allocation

page read and write

2915000

trusted library allocation

page read and write

53AE000

stack

page read and write

63B000

stack

page read and write

2780000

trusted library allocation

page read and write

36EE000

stack

page read and write

A5A000

heap

page read and write

29DF000

trusted library allocation

page read and write

3D04000

heap

page read and write

3C5A000

heap

page read and write

There are 275 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
rPayment_slip.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportrPayment_slip.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
rPayment_slip.exe