Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Ship Docs_CI PL HBL COO_.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.970108026459542
Filename:	Ship Docs_CI PL HBL COO_.exe
Filesize:	1059328
MD5:	bb66e44260b8a454abcb20aeb4b13f7b
SHA1:	dd6a7662d0f2a05f00dcc80dd6baa37cdefafba6
SHA256:	d4c4ee49a5ce076550c8305fcd63fe86707a251a2ca7d47c67d0dbef66b2a1e3
SHA512:	9677eb4607c573e2f940ebeb2005e6151241afedfe798e54776a9808eb99644821c50c65b4d4d451d07ec4dcb2767ad3fd2768bf3ef06e263522d87a0e07a8df
SSDEEP:	24576:AAHnh+eWsN3skA4RV1Hom2KXMmHajmsE+a6U27eDQVyx5:3h+ZkldoPK8YajRNn2sVI
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Binary is likely a compiled AutoIt script file	System Summary	Security Software Discovery
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion	Access Token Manipulation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts
Contains functionality to launch a process as a different user	System Summary
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation Access Token Manipulation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Access Token Manipulation Clipboard Data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Creates processes with suspicious names	Persistence and Installation Behavior
Detected potential crypto function	System Summary	Access Token Manipulation Encrypted Channel
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API Access Token Manipulation
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Access Token Manipulation System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
Contains functionality for error logging	System Summary	Access Token Manipulation
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Contains functionality to download additional files from the internet	Networking
Contains functionality to enum processes or threads	System Summary	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery System Information Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	Access Token Manipulation
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Program exit points	Malware Analysis System Evasion
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\Graff

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Graff
Category:	dropped
Dump:	Graff.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe
Type:	data
Entropy:	6.640227593395889
Encrypted:	false
Ssdeep:	6144:0J69qjM5Rwzm8E/eOm54OSstCArVeblhtZmwciszm1FxUgn:h8eGzm8qeOVlhuedR
Size:	246272
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\aut5F9C.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut5F9C.tmp
Category:	dropped
Dump:	aut5F9C.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe
Type:	data
Entropy:	7.92820320555911
Encrypted:	false
Ssdeep:	3072:V7ap5kYVAWcrggE9+lUi0NkgWiTCNBawtc18xn62dw4s:VoeYVNcrgvYUi0/TIANA62dPs
Size:	153610
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\aut5FCC.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut5FCC.tmp
Category:	dropped
Dump:	aut5FCC.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe
Type:	data
Entropy:	7.604572376847771
Encrypted:	false
Ssdeep:	192:ZyaFcKb+Kfp488lkVmkX64sKX16WBVoBFuCMQeWTyNM0iP:3F7b+Kfp48Eyn0s13BVoreVM0iP
Size:	9838
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\vehiculation

ASCII text, with very long lines (28756), with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\vehiculation
Category:	dropped
Dump:	vehiculation.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe
Type:	ASCII text, with very long lines (28756), with no line terminators
Entropy:	3.5907145057364027
Encrypted:	false
Ssdeep:	768:4iTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbd+IH6B34vfF3if6gyC3:4iTZ+2QoioGRk6ZklputwjpjBkCiw2Rc
Size:	28756
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe

"C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6752
Target ID:	0
Parent PID:	2580
Name:	Ship Docs_CI PL HBL COO_.exe
Path:	C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe
Commandline:	"C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe"
Size:	1059328
MD5:	BB66E44260B8A454ABCB20AEB4B13F7B
Time:	20:21:54
Date:	04/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x20000
Modulesize:	1085440
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Binary is likely a compiled AutoIt script file	System Summary
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6776
Target ID:	1
Parent PID:	6752
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	20:21:55
Date:	04/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xf10000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://api.ipify.org/

104.26.12.205

https://api.ipify.org

unknown

http://r10.o.lencr.org0#

unknown

https://account.dyn.com/

unknown

http://mail.suplementvases.com

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://x1.c.lencr.org/0

unknown

http://x1.i.lencr.org/0

unknown

http://r10.i.lencr.org/0

unknown

http://ip-api.com/line/?fields=hosting

208.95.112.1

Domains

Name

Malicious

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Check if machine is in data center or colocation facility	Malware Analysis System Evasion	Security Software Discovery
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

mail.suplementvases.com

131.226.2.151

Details

Name:	mail.suplementvases.com
IP:	131.226.2.151
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

104.26.12.205

Details

Name:	api.ipify.org
IP:	104.26.12.205
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

208.95.112.1

ip-api.com

United States

131.226.2.151

mail.suplementvases.com

United States

Details

IP:	131.226.2.151
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	16797
ASN name:	UNASSIGNED
Private:	false
Domain:	mail.suplementvases.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

104.26.12.205

api.ipify.org

United States

Details

IP:	104.26.12.205
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

334C000

trusted library allocation

page read and write

402000

system

page execute and read and write

3010000

direct allocation

page read and write

E3000

unkown

page write copy

3710000

direct allocation

page read and write

6E70000

heap

page read and write

19D0000

direct allocation

page execute and read and write

3520000

direct allocation

page read and write

FA9000

stack

page read and write

AF000

unkown

page readonly

661B000

heap

page read and write

3710000

direct allocation

page read and write

327B000

trusted library allocation

page read and write

A437000

heap

page read and write

C64000

heap

page read and write

D76000

heap

page read and write

32C0000

trusted library allocation

page read and write

141E000

stack

page read and write

3693000

direct allocation

page read and write

6D0D000

trusted library allocation

page read and write

33F7000

trusted library allocation

page read and write

5D60000

heap

page read and write

70C0000

trusted library allocation

page execute and read and write

A4B3000

heap

page read and write

6626000

heap

page read and write

17D0000

trusted library allocation

page read and write

4358000

trusted library allocation

page read and write

172E000

stack

page read and write

6603000

heap

page read and write

332E000

trusted library allocation

page read and write

65BB000

heap

page read and write

17ED000

trusted library allocation

page execute and read and write

3321000

trusted library allocation

page read and write

C56000

heap

page read and write

3332000

trusted library allocation

page read and write

366D000

trusted library allocation

page read and write

65E1000

heap

page read and write

3693000

direct allocation

page read and write

59DC000

stack

page read and write

C90000

heap

page read and write

3671000

trusted library allocation

page read and write

17F0000

trusted library allocation

page read and write

36C0000

direct allocation

page read and write

C86000

heap

page read and write

1320000

heap

page read and write

36C0000

direct allocation

page read and write

385E000

direct allocation

page read and write

4379000

trusted library allocation

page read and write

65B6000

heap

page read and write

21000

unkown

page execute read

8AFC000

stack

page read and write

32E0000

heap

page execute and read and write

A47F000

heap

page read and write

6C3E000

stack

page read and write

1815000

trusted library allocation

page execute and read and write

6636000

heap

page read and write

3839000

direct allocation

page read and write

3551000

trusted library allocation

page read and write

367A000

trusted library allocation

page read and write

A47B000

heap

page read and write

697E000

stack

page read and write

653D000

stack

page read and write

3839000

direct allocation

page read and write

701F000

stack

page read and write

663D000

heap

page read and write

322C000

stack

page read and write

6D60000

trusted library allocation

page read and write

1397000

heap

page read and write

6ABE000

stack

page read and write

3824000

trusted library allocation

page read and write

CA2000

heap

page read and write

3140000

heap

page read and write

CA2000

heap

page read and write

D45000

heap

page read and write

140B000

heap

page read and write

3628000

trusted library allocation

page read and write

38AE000

direct allocation

page read and write

37ED000

direct allocation

page read and write

9BF000

stack

page read and write

BCE000

stack

page read and write

654C000

heap

page read and write

1370000

heap

page read and write

BC3B000

stack

page read and write

6E40000

trusted library allocation

page read and write

6B3E000

stack

page read and write

3130000

trusted library allocation

page execute and read and write

13FE000

heap

page read and write

3401000

trusted library allocation

page read and write

3445000

trusted library allocation

page read and write

32D0000

trusted library allocation

page read and write

1802000

trusted library allocation

page read and write

74F0000

heap

page read and write

180A000

trusted library allocation

page execute and read and write

37ED000

direct allocation

page read and write

14B6000

heap

page read and write

3570000

direct allocation

page read and write

53ED000

stack

page read and write

A404000

heap

page read and write

A400000

heap

page read and write

D45000

heap

page read and write

32B0000

heap

page read and write

7500000

trusted library allocation

page read and write

19B0000

heap

page read and write

660A000

heap

page read and write

65F5000

heap

page read and write

328E000

trusted library allocation

page read and write

13E0000

heap

page read and write

CA5000

heap

page read and write

C5E000

heap

page read and write

16AC000

stack

page read and write

6DF0000

trusted library allocation

page read and write

38AE000

direct allocation

page read and write

7110000

trusted library allocation

page read and write

6548000

heap

page read and write

C73000

heap

page read and write

3240000

heap

page read and write

33BC000

trusted library allocation

page read and write

AF000

unkown

page readonly

181B000

trusted library allocation

page execute and read and write

CA2000

heap

page read and write

32B3000

heap

page read and write

3158000

trusted library allocation

page read and write

385E000

direct allocation

page read and write

69BE000

stack

page read and write

5D5E000

stack

page read and write

CA2000

heap

page read and write

3570000

direct allocation

page read and write

9DB000

stack

page read and write

1806000

trusted library allocation

page execute and read and write

3296000

trusted library allocation

page read and write

637E000

stack

page read and write

577C000

stack

page read and write

A485000

heap

page read and write

6AFE000

stack

page read and write

42F1000

trusted library allocation

page read and write

6540000

heap

page read and write

A4BA000

heap

page read and write

4399000

trusted library allocation

page read and write

D5000

unkown

page readonly

57D0000

heap

page execute and read and write

3336000

trusted library allocation

page read and write

38AE000

direct allocation

page read and write

3276000

trusted library allocation

page read and write

C85000

heap

page read and write

74AC000

stack

page read and write

5CDB000

stack

page read and write

736B000

stack

page read and write

33FD000

trusted library allocation

page read and write

1812000

trusted library allocation

page read and write

3282000

trusted library allocation

page read and write

36A5000

trusted library allocation

page read and write

16EE000

stack

page read and write

3570000

direct allocation

page read and write

6D00000

trusted library allocation

page read and write

65EF000

heap

page read and write

D47000

heap

page read and write

6D70000

trusted library allocation

page execute and read and write

C5E000

heap

page read and write

3655000

trusted library allocation

page read and write

57E0000

heap

page read and write

C64000

heap

page read and write

37ED000

direct allocation

page read and write

21000

unkown

page execute read

C73000

heap

page read and write

1817000

trusted library allocation

page execute and read and write

6D80000

trusted library allocation

page execute and read and write

37E9000

direct allocation

page read and write

1418000

heap

page read and write

181F000

stack

page read and write

13DE000

stack

page read and write

5A1E000

stack

page read and write

6D17000

trusted library allocation

page read and write

17E0000

trusted library allocation

page read and write

DF000

unkown

page read and write

6633000

heap

page read and write

A8E000

stack

page read and write

E8000

unkown

page readonly

3610000

trusted library allocation

page read and write

34AA000

trusted library allocation

page read and write

BB3C000

stack

page read and write

3260000

trusted library allocation

page read and write

385E000

direct allocation

page read and write

FE0000

heap

page read and write

57F0000

heap

page read and write

332A000

trusted library allocation

page read and write

136C000

stack

page read and write

17E4000

trusted library allocation

page read and write

5D80000

trusted library allocation

page read and write

3D9000

stack

page read and write

13E8000

heap

page read and write

6D10000

trusted library allocation

page read and write

7130000

heap

page read and write

687E000

stack

page read and write

400000

system

page execute and read and write

14B4000

heap

page read and write

746E000

stack

page read and write

3643000

direct allocation

page read and write

3643000

direct allocation

page read and write

37E9000

direct allocation

page read and write

35D9000

trusted library allocation

page read and write

5B1D000

stack

page read and write

17E3000

trusted library allocation

page execute and read and write

6DE0000

trusted library allocation

page read and write

5D1D000

stack

page read and write

6E30000

heap

page read and write

74FA000

heap

page read and write

21000

unkown

page execute read

1810000

trusted library allocation

page read and write

312F000

stack

page read and write

8400000

heap

page read and write

17FD000

trusted library allocation

page execute and read and write

1830000

trusted library allocation

page read and write

187E000

stack

page read and write

C28000

heap

page read and write

65B9000

heap

page read and write

3630000

trusted library allocation

page read and write

337B000

trusted library allocation

page read and write

A493000

heap

page read and write

CA4000

heap

page read and write

FE5000

heap

page read and write

37E9000

direct allocation

page read and write

AB0000

heap

page read and write

3230000

trusted library allocation

page read and write

4319000

trusted library allocation

page read and write

1800000

trusted library allocation

page read and write

3643000

direct allocation

page read and write

6DE6000

trusted library allocation

page read and write

1416000

heap

page read and write

C55000

heap

page read and write

3060000

heap

page read and write

3520000

direct allocation

page read and write

A41B000

heap

page read and write

E8000

unkown

page readonly

C74000

heap

page read and write

14AF000

heap

page read and write

3064000

heap

page read and write

333A000

trusted library allocation

page read and write

D76000

heap

page read and write

329D000

trusted library allocation

page read and write

DF000

unkown

page write copy

1390000

heap

page read and write

A40000

heap

page read and write

5B20000

heap

page read and write

20000

unkown

page readonly

D45000

heap

page read and write

65DA000

heap

page read and write

D65000

heap

page read and write

3553000

trusted library allocation

page read and write

383D000

direct allocation

page read and write

3598000

trusted library allocation

page read and write

7F290000

trusted library allocation

page execute and read and write

33B8000

trusted library allocation

page read and write

3447000

trusted library allocation

page read and write

36C0000

direct allocation

page read and write

D66000

heap

page read and write

662A000

heap

page read and write

6E00000

trusted library allocation

page read and write

327E000

trusted library allocation

page read and write

1479000

heap

page read and write

9FD000

stack

page read and write

D5000

unkown

page readonly

383D000

direct allocation

page read and write

3693000

direct allocation

page read and write

C20000

heap

page read and write

1458000

heap

page read and write

65FD000

heap

page read and write

9CF000

stack

page read and write

3291000

trusted library allocation

page read and write

D66000

heap

page read and write

655D000

heap

page read and write

20000

unkown

page readonly

D85000

heap

page read and write

3520000

direct allocation

page read and write

8410000

heap

page read and write

1880000

heap

page read and write

3710000

direct allocation

page read and write

32A2000

trusted library allocation

page read and write

32F1000

trusted library allocation

page read and write

5D88000

trusted library allocation

page read and write

1886000

heap

page read and write

C73000

heap

page read and write

D47000

heap

page read and write

662E000

heap

page read and write

3270000

trusted library allocation

page read and write

12F8000

stack

page read and write

3839000

direct allocation

page read and write

19F0000

heap

page read and write

383D000

direct allocation

page read and write

328A000

trusted library allocation

page read and write

A90000

heap

page read and write

CA2000

heap

page read and write

There are 281 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Ship Docs_CI PL HBL COO_.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportShip Docs_CI PL HBL COO_.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Ship Docs_CI PL HBL COO_.exe