Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Documents Of DHL -BL- AWB- 8976453410.exe

"C:\Users\user\Desktop\Documents Of DHL -BL- AWB- 8976453410.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3812
Target ID:	0
Parent PID:	4056
Name:	Documents Of DHL -BL- AWB- 8976453410.exe
Path:	C:\Users\user\Desktop\Documents Of DHL -BL- AWB- 8976453410.exe
Commandline:	"C:\Users\user\Desktop\Documents Of DHL -BL- AWB- 8976453410.exe"
Size:	641545
MD5:	5F73C9853E26A72D00ACB018DB8A9175
Time:	14:23:38
Date:	23/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x22037b40000
Modulesize:	57344
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet	System Summary
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Powershell Defender Exclusion	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documents Of DHL -BL- AWB- 8976453410.exe" -Force

Details

Is windows:	true
Is dropped:	false
PID:	4104
Target ID:	2
Parent PID:	3812
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Documents Of DHL -BL- AWB- 8976453410.exe" -Force
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	14:23:43
Date:	23/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff741d30000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Powershell Defender Exclusion	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	5896
Target ID:	4
Parent PID:	3812
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	14:23:43
Date:	23/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xfd0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	5900
Target ID:	5
Parent PID:	3812
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	14:23:43
Date:	23/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x2a0000
Modulesize:	73728
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4132
Target ID:	3
Parent PID:	4104
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	14:23:43
Date:	23/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff75da10000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3812 -s 1324

Details

Is windows:	true
Is dropped:	false
PID:	432
Target ID:	8
Parent PID:	3812
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3812 -s 1324
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	14:23:44
Date:	23/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1d0000
Modulesize:	155648
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://api.telegram.org/bot6814314158:AAEkRl6H9QdGzzoVC6YfWI-wFLiqXO8LEls/sendDocument

149.154.167.220

Details

Name:	https://api.telegram.org/bot6814314158:AAEkRl6H9QdGzzoVC6YfWI-wFLiqXO8LEls/sendDocument
IP:	149.154.167.220
TargetID:	4
From Memory:	false
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://api.telegram.org

unknown

Details

Name:	https://api.telegram.org
TargetID:	4
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source:	RegAsm.exe, 00000004.00000002.3680847328.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3680847328.000000000342C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3680847328.000000000348F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3680847328.000000000365A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3680847328.0000000003322000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3680847328.00000000036BC000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3680847328.00000000033C2000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
URLs found in memory or binary data	Networking

https://api.telegram.org/bot6814314158:AAEkRl6H9QdGzzoVC6YfWI-wFLiqXO8LEls/

unknown

Details

Name:	https://api.telegram.org/bot6814314158:AAEkRl6H9QdGzzoVC6YfWI-wFLiqXO8LEls/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\Documents Of DHL -BL- AWB- 8976453410.exe
Source:	Documents Of DHL -BL- AWB- 8976453410.exe, 00000000.00000002.1450836685.0000022049842000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3680847328.0000000003261000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3674535652.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
URLs found in memory or binary data	Networking

https://api.ipify.org/

172.67.74.152

Details

Name:	https://api.ipify.org/
IP:	172.67.74.152
TargetID:	4
From Memory:	false
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://api.ipify.org

unknown

Details

Name:	https://api.ipify.org
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\Documents Of DHL -BL- AWB- 8976453410.exe
Source:	Documents Of DHL -BL- AWB- 8976453410.exe, 00000000.00000002.1450836685.0000022049842000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3680847328.0000000003261000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3674535652.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://upx.sf.net

unknown

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\Documents Of DHL -BL- AWB- 8976453410.exe
Source:	Documents Of DHL -BL- AWB- 8976453410.exe, 00000000.00000002.1450836685.0000022049842000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3674535652.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://api.telegram.org

unknown

Details

Name:	http://api.telegram.org
TargetID:	4
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source:	RegAsm.exe, 00000004.00000002.3680847328.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3680847328.000000000342C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3680847328.000000000348F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3680847328.000000000365A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.3680847328.00000000036BC000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Domains

Name

Malicious

api.telegram.org

149.154.167.220

Details

Name:	api.telegram.org
IP:	149.154.167.220
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
Uses the Telegram API (likely for C&C communication)	Networking	Web Service
HTTP GET or POST without a user agent	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

api.ipify.org

172.67.74.152

Details

Name:	api.ipify.org
IP:	172.67.74.152
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

149.154.167.220

api.telegram.org

United Kingdom

Details

IP:	149.154.167.220
TargetID:	4
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	api.telegram.org

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

172.67.74.152

api.ipify.org

United States

Details

IP:	172.67.74.152
TargetID:	4
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

EnableLUA

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance

Enabled

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

FileDirectory

\REGISTRY\A\{e5e93249-4a50-765d-1454-a27525b9adbc}\Root\InventoryApplicationFile\documents of dhl|3c12d9b5b13a6e4a

ProgramId

\REGISTRY\A\{e5e93249-4a50-765d-1454-a27525b9adbc}\Root\InventoryApplicationFile\documents of dhl|3c12d9b5b13a6e4a

FileId

\REGISTRY\A\{e5e93249-4a50-765d-1454-a27525b9adbc}\Root\InventoryApplicationFile\documents of dhl|3c12d9b5b13a6e4a

LowerCaseLongPath

\REGISTRY\A\{e5e93249-4a50-765d-1454-a27525b9adbc}\Root\InventoryApplicationFile\documents of dhl|3c12d9b5b13a6e4a

LongPathHash

\REGISTRY\A\{e5e93249-4a50-765d-1454-a27525b9adbc}\Root\InventoryApplicationFile\documents of dhl|3c12d9b5b13a6e4a

Name

\REGISTRY\A\{e5e93249-4a50-765d-1454-a27525b9adbc}\Root\InventoryApplicationFile\documents of dhl|3c12d9b5b13a6e4a

OriginalFileName

\REGISTRY\A\{e5e93249-4a50-765d-1454-a27525b9adbc}\Root\InventoryApplicationFile\documents of dhl|3c12d9b5b13a6e4a

Publisher

\REGISTRY\A\{e5e93249-4a50-765d-1454-a27525b9adbc}\Root\InventoryApplicationFile\documents of dhl|3c12d9b5b13a6e4a

Version

\REGISTRY\A\{e5e93249-4a50-765d-1454-a27525b9adbc}\Root\InventoryApplicationFile\documents of dhl|3c12d9b5b13a6e4a

BinFileVersion

\REGISTRY\A\{e5e93249-4a50-765d-1454-a27525b9adbc}\Root\InventoryApplicationFile\documents of dhl|3c12d9b5b13a6e4a

BinaryType

\REGISTRY\A\{e5e93249-4a50-765d-1454-a27525b9adbc}\Root\InventoryApplicationFile\documents of dhl|3c12d9b5b13a6e4a

ProductName

\REGISTRY\A\{e5e93249-4a50-765d-1454-a27525b9adbc}\Root\InventoryApplicationFile\documents of dhl|3c12d9b5b13a6e4a

ProductVersion

\REGISTRY\A\{e5e93249-4a50-765d-1454-a27525b9adbc}\Root\InventoryApplicationFile\documents of dhl|3c12d9b5b13a6e4a

LinkDate

\REGISTRY\A\{e5e93249-4a50-765d-1454-a27525b9adbc}\Root\InventoryApplicationFile\documents of dhl|3c12d9b5b13a6e4a

BinProductVersion

\REGISTRY\A\{e5e93249-4a50-765d-1454-a27525b9adbc}\Root\InventoryApplicationFile\documents of dhl|3c12d9b5b13a6e4a

AppxPackageFullName

\REGISTRY\A\{e5e93249-4a50-765d-1454-a27525b9adbc}\Root\InventoryApplicationFile\documents of dhl|3c12d9b5b13a6e4a

AppxPackageRelativeId

\REGISTRY\A\{e5e93249-4a50-765d-1454-a27525b9adbc}\Root\InventoryApplicationFile\documents of dhl|3c12d9b5b13a6e4a

Size

\REGISTRY\A\{e5e93249-4a50-765d-1454-a27525b9adbc}\Root\InventoryApplicationFile\documents of dhl|3c12d9b5b13a6e4a

Language

\REGISTRY\A\{e5e93249-4a50-765d-1454-a27525b9adbc}\Root\InventoryApplicationFile\documents of dhl|3c12d9b5b13a6e4a

Usn

There are 26 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

220398D1000

trusted library allocation

page read and write

32A8000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

22049842000

trusted library allocation

page read and write

22037C31000

heap

page read and write

3150000

heap

page execute and read and write

154E000

stack

page read and write

22037E80000

heap

page execute and read and write

7FFAACE00000

trusted library allocation

page read and write

74EC000

stack

page read and write

780D000

stack

page read and write

15AA000

trusted library allocation

page execute and read and write

22037C1A000

heap

page read and write

15B7000

trusted library allocation

page execute and read and write

70D0000

heap

page read and write

770A000

heap

page read and write

4583000

trusted library allocation

page read and write

6EE06000

unkown

page readonly

7FFAACC6C000

trusted library allocation

page execute and read and write

33FB000

trusted library allocation

page read and write

32EF000

trusted library allocation

page read and write

5880000

heap

page read and write

42D1EFF000

stack

page read and write

5DB0000

trusted library allocation

page read and write

454D000

trusted library allocation

page read and write

E3C3000

trusted library allocation

page read and write

22037EA0000

heap

page execute and read and write

7FFAACC66000

trusted library allocation

page read and write

E3D7000

trusted library allocation

page read and write

667E000

heap

page read and write

42D1CFD000

stack

page read and write

6DFF000

stack

page read and write

32CE000

trusted library allocation

page read and write

5DE0000

heap

page read and write

42D1DFE000

stack

page read and write

42D19FE000

stack

page read and write

7FFAACC96000

trusted library allocation

page execute and read and write

3261000

trusted library allocation

page read and write

22038080000

heap

page read and write

342C000

trusted library allocation

page read and write

6E50000

trusted library allocation

page execute and read and write

840F000

stack

page read and write

7FFB1E3A0000

unkown

page readonly

E39B000

trusted library allocation

page read and write

325C000

stack

page read and write

22037F25000

heap

page read and write

1580000

trusted library allocation

page read and write

7FFAACD60000

trusted library allocation

page read and write

7FFB1E3A1000

unkown

page execute read

71C0000

heap

page read and write

42D20FE000

stack

page read and write

348F000

trusted library allocation

page read and write

2FFE000

stack

page read and write

7FFAACBB0000

trusted library allocation

page read and write

7FFAACDD5000

trusted library allocation

page read and write

1379000

stack

page read and write

E391000

trusted library allocation

page read and write

30FE000

stack

page read and write

7810000

trusted library allocation

page read and write

7FFAACBB3000

trusted library allocation

page execute and read and write

22037E00000

heap

page read and write

36BA000

trusted library allocation

page read and write

329C000

trusted library allocation

page read and write

32F7000

trusted library allocation

page read and write

57C6000

trusted library allocation

page read and write

5CBE000

stack

page read and write

22051FF0000

trusted library section

page read and write

22052096000

heap

page read and write

7FFAACBD4000

trusted library allocation

page read and write

158D000

trusted library allocation

page execute and read and write

67DD000

stack

page read and write

1890000

trusted library allocation

page read and write

7FFAACBC2000

trusted library allocation

page read and write

71CB000

heap

page read and write

348D000

trusted library allocation

page read and write

6CF7000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

C8EE000

trusted library allocation

page read and write

6D50000

trusted library allocation

page execute and read and write

42E9000

trusted library allocation

page read and write

6EDF0000

unkown

page readonly

7FFAACD70000

trusted library allocation

page read and write

7FFB1E3C5000

unkown

page readonly

584C000

stack

page read and write

E3BE000

trusted library allocation

page read and write

1583000

trusted library allocation

page execute and read and write

22039C09000

trusted library allocation

page read and write

4329000

trusted library allocation

page read and write

70C0000

trusted library allocation

page execute and read and write

E387000

trusted library allocation

page read and write

543E000

stack

page read and write

3298000

trusted library allocation

page read and write

57CD000

trusted library allocation

page read and write

2F80000

trusted library allocation

page read and write

7FFAACBDB000

trusted library allocation

page execute and read and write

22037DE0000

heap

page read and write

42D25FB000

stack

page read and write

65DB000

stack

page read and write

6D40000

trusted library allocation

page read and write

22039914000

trusted library allocation

page read and write

22037C34000

heap

page read and write

18A0000

heap

page read and write

726F000

heap

page read and write

64DE000

stack

page read and write

6D60000

trusted library allocation

page execute and read and write

7FFAACC60000

trusted library allocation

page read and write

6CE0000

trusted library allocation

page read and write

65E0000

heap

page read and write

6689000

heap

page read and write

22037BD0000

heap

page read and write

220520FE000

heap

page read and write

7FFAACE10000

trusted library allocation

page read and write

7FFAACD80000

trusted library allocation

page read and write

E3A0000

trusted library allocation

page read and write

365A000

trusted library allocation

page read and write

7264000

heap

page read and write

6CF0000

trusted library allocation

page read and write

330F000

trusted library allocation

page read and write

3322000

trusted library allocation

page read and write

7700000

heap

page read and write

6B5E000

stack

page read and write

7FFAACDB0000

trusted library allocation

page read and write

42D1BFE000

stack

page read and write

71EE000

heap

page read and write

14C0000

heap

page read and write

42C9000

trusted library allocation

page read and write

15D0000

trusted library allocation

page read and write

1590000

trusted library allocation

page read and write

E385000

trusted library allocation

page read and write

4289000

trusted library allocation

page read and write

7FFAACDD0000

trusted library allocation

page read and write

66A3000

heap

page read and write

1584000

trusted library allocation

page read and write

7FFAACBB4000

trusted library allocation

page read and write

43EA000

trusted library allocation

page read and write

452D000

trusted library allocation

page read and write

57D2000

trusted library allocation

page read and write

1570000

trusted library allocation

page read and write

E3D2000

trusted library allocation

page read and write

7FFAACD90000

trusted library allocation

page read and write

5BCD000

stack

page read and write

22051860000

trusted library allocation

page read and write

7FFAACBCD000

trusted library allocation

page execute and read and write

7F9E0000

trusted library allocation

page execute and read and write

71FC000

heap

page read and write

57C1000

trusted library allocation

page read and write

7FFB1E3B6000

unkown

page readonly

44AD000

trusted library allocation

page read and write

6CD8000

trusted library allocation

page read and write

5DA0000

trusted library allocation

page read and write

6616000

heap

page read and write

22037F20000

heap

page read and write

7FFAACD50000

trusted library allocation

page read and write

22037EB0000

trusted library section

page read and write

6BBE000

stack

page read and write

313B000

stack

page read and write

220398B5000

trusted library allocation

page read and write

5ACE000

stack

page read and write

57E0000

trusted library allocation

page read and write

C8E6000

trusted library allocation

page read and write

14F5000

heap

page read and write

3140000

trusted library allocation

page read and write

7FFAACBD0000

trusted library allocation

page read and write

18A6000

heap

page read and write

32A0000

trusted library allocation

page read and write

E3AA000

trusted library allocation

page read and write

7640000

heap

page read and write

33A6000

trusted library allocation

page read and write

14F0000

heap

page read and write

220520DB000

heap

page read and write

42D23FD000

stack

page read and write

7222000

heap

page read and write

B010000

trusted library allocation

page read and write

43AA000

trusted library allocation

page read and write

6CED000

trusted library allocation

page read and write

22037EF0000

heap

page read and write

16CD000

heap

page read and write

15E0000

trusted library allocation

page execute and read and write

36BC000

trusted library allocation

page read and write

163D000

heap

page read and write

1640000

heap

page read and write

7FFAACCD0000

trusted library allocation

page execute and read and write

E38C000

trusted library allocation

page read and write

159D000

trusted library allocation

page execute and read and write

E3A5000

trusted library allocation

page read and write

7FFAACE30000

trusted library allocation

page read and write

220520E1000

heap

page read and write

5D8B000

stack

page read and write

6EE0F000

unkown

page readonly

22037E73000

trusted library allocation

page read and write

42D1FFE000

stack

page read and write

1600000

heap

page read and write

3307000

trusted library allocation

page read and write

45E4000

trusted library allocation

page read and write

33C2000

trusted library allocation

page read and write

16D2000

heap

page read and write

2FA0000

heap

page read and write

15F0000

heap

page read and write

22052111000

heap

page read and write

15A2000

trusted library allocation

page read and write

2204983D000

trusted library allocation

page read and write

22037C5E000

heap

page read and write

65E2000

heap

page read and write

7FFB1E3C0000

unkown

page read and write

14E0000

heap

page read and write

6CD0000

trusted library allocation

page read and write

703C000

stack

page read and write

15A6000

trusted library allocation

page execute and read and write

22037B40000

unkown

page readonly

2F7C000

unkown

page read and write

6EE0D000

unkown

page read and write

14E7000

heap

page read and write

7FFAACDD8000

trusted library allocation

page read and write

22049838000

trusted library allocation

page read and write

5870000

heap

page read and write

42D24FE000

stack

page read and write

4369000

trusted library allocation

page read and write

32F3000

trusted library allocation

page read and write

533C000

stack

page read and write

22037DC0000

heap

page read and write

E3C8000

trusted library allocation

page read and write

2EFF000

stack

page read and write

57F0000

trusted library allocation

page read and write

3303000

trusted library allocation

page read and write

57AB000

trusted library allocation

page read and write

830B000

stack

page read and write

15A0000

trusted library allocation

page read and write

57AE000

trusted library allocation

page read and write

3401000

trusted library allocation

page read and write

4261000

trusted library allocation

page read and write

722C000

heap

page read and write

5874000

heap

page read and write

7FFB1E3C2000

unkown

page readonly

667C000

heap

page read and write

C8E9000

trusted library allocation

page read and write

22052107000

heap

page read and write

15BB000

trusted library allocation

page execute and read and write

16D0000

heap

page read and write

5E2D000

stack

page read and write

5C7E000

stack

page read and write

8720000

heap

page read and write

5860000

heap

page execute and read and write

42D18F2000

stack

page read and write

127A000

stack

page read and write

440000

remote allocation

page execute and read and write

7226000

heap

page read and write

57A0000

trusted library allocation

page read and write

6A5E000

stack

page read and write

7FFAACE20000

trusted library allocation

page read and write

70B0000

trusted library allocation

page read and write

7FFAACE34000

trusted library allocation

page read and write

32FF000

trusted library allocation

page read and write

22037E60000

trusted library allocation

page read and write

6600000

heap

page read and write

7FFAACD95000

trusted library allocation

page read and write

E3AF000

trusted library allocation

page read and write

22039831000

trusted library allocation

page read and write

42D1AFE000

stack

page read and write

22038085000

heap

page read and write

15B5000

trusted library allocation

page execute and read and write

7FFAACDF7000

trusted library allocation

page read and write

8710000

heap

page read and write

22037C1C000

heap

page read and write

22049831000

trusted library allocation

page read and write

7FFAACBBD000

trusted library allocation

page execute and read and write

22037E70000

trusted library allocation

page read and write

330B000

trusted library allocation

page read and write

7FFAACC0C000

trusted library allocation

page execute and read and write

22052090000

heap

page read and write

E3B9000

trusted library allocation

page read and write

6EDF1000

unkown

page execute read

7FFAACDE0000

trusted library allocation

page execute and read and write

57B2000

trusted library allocation

page read and write

22037B42000

unkown

page readonly

5A7C000

stack

page read and write

E3DC000

trusted library allocation

page read and write

662A000

heap

page read and write

6F00000

heap

page read and write

2F3C000

stack

page read and write

22052098000

heap

page read and write

32FB000

trusted library allocation

page read and write

6A1F000

stack

page read and write

6D3E000

stack

page read and write

32A4000

trusted library allocation

page read and write

75EC000

stack

page read and write

2FB0000

trusted library allocation

page execute and read and write

220522D0000

heap

page read and write

7FFAACDC0000

trusted library allocation

page read and write

22037BF0000

heap

page read and write

22037BFC000

heap

page read and write

E3B4000

trusted library allocation

page read and write

5268000

trusted library allocation

page read and write

7080000

trusted library allocation

page read and write

160B000

heap

page read and write

5780000

heap

page read and write

7FFAACDA0000

trusted library allocation

page read and write

7FFAACC70000

trusted library allocation

page execute and read and write

E396000

trusted library allocation

page read and write

7FFAACBDD000

trusted library allocation

page execute and read and write

15B0000

trusted library allocation

page read and write

7280000

heap

page read and write

7FFAACD7C000

trusted library allocation

page read and write

7FFAACBC9000

trusted library allocation

page read and write

7FFAACDF0000

trusted library allocation

page read and write

44ED000

trusted library allocation

page read and write

6E40000

trusted library allocation

page read and write

446D000

trusted library allocation

page read and write

7FFAACBC0000

trusted library allocation

page read and write

22037E40000

trusted library allocation

page read and write

22037C12000

heap

page read and write

6CBE000

stack

page read and write

15B2000

trusted library allocation

page read and write

57BE000

trusted library allocation

page read and write

7FF41D150000

trusted library allocation

page execute and read and write

E3CD000

trusted library allocation

page read and write

13E0000

heap

page read and write

442C000

trusted library allocation

page read and write

There are 307 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Documents Of DHL -BL- AWB- 8976453410.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportDocuments Of DHL -BL- AWB- 8976453410.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Documents Of DHL -BL- AWB- 8976453410.exe