Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

DHL_Doc.9787653446578978656879764534576879764545766456.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.975789802094544
Filename:	DHL_Doc.9787653446578978656879764534576879764545766456.exe
Filesize:	1078784
MD5:	61bdc143810dff5cb798e3b005b6331c
SHA1:	d4353ab7ad96db756d9d7e93e9bcc9d1f97c629c
SHA256:	92c5d005c4454ff4be8093157b6f5d5cb11e7254fb3f979ffdddf167e464955f
SHA512:	0074fcbe88119f522a33a61282b156bdcabca62e6948f89561ba6d17864c24b21349683c0396d72ed0d6e8eba82ddb755119358b7b4dba76e295e3b5cf3d8cc1
SSDEEP:	12288:Htb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgaSTUqpKVjfgiJ6A:Htb20pkaCqT5TBWgNQ7ayUMglJ6A
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection	Disable or Modify Tools
Binary is likely a compiled AutoIt script file	System Summary
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection Disable or Modify Tools
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging	Disable or Modify Tools
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts Access Token Manipulation Disable or Modify Tools
Contains functionality to launch a process as a different user	System Summary
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	Disable or Modify Tools
Contains functionality to read the PEB	Anti Debugging
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Detected potential crypto function	System Summary	System Time Discovery Archive Collected Data Encrypted Channel
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found evaded block containing many API calls	Malware Analysis System Evasion	Disable or Modify Tools
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API
Found large amount of non-executed APIs	Malware Analysis System Evasion	System Time Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Disable or Modify Tools System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools Input Capture
Sample file is different than original file name gathered from version info	System Summary	System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Disable or Modify Tools
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary	Disable or Modify Tools
.NET source code contains calls to encryption/decryption functions	System Summary
Contains functionality for error logging	System Summary	Disable or Modify Tools
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Disable or Modify Tools
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion	Disable or Modify Tools
Reads software policies	System Summary
Sample is known by Antivirus	System Summary	Disable or Modify Tools
Tries to load missing DLLs	System Summary	DLL Side-Loading Disable or Modify Tools
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary	Disable or Modify Tools

C:\Users\user\AppData\Local\Temp\aut3EFA.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut3EFA.tmp
Category:	dropped
Dump:	aut3EFA.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\DHL_Doc.9787653446578978656879764534576879764545766456.exe
Type:	data
Entropy:	7.7473196469982675
Encrypted:	false
Ssdeep:	3072:x+rPAAID3y/VlYpjAbpb9V4fyv3otVlVg+uAL61TdzaVj:x+7ID3yysbpbC03ojlnWaV
Size:	146170
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\outbluffed

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\outbluffed
Category:	dropped
Dump:	outbluffed.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\DHL_Doc.9787653446578978656879764534576879764545766456.exe
Type:	data
Entropy:	6.715119996849362
Encrypted:	false
Ssdeep:	3072:q3PTd5PisUIP6gbzuW1nLD3xRU+owC1I6sLAjGt9FAmaqXLjgSTUo/qOA+Ozv6yY:q37d5RUQ6gbdxXxRU+buIdL/pASgaivY
Size:	244736
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\DHL_Doc.9787653446578978656879764534576879764545766456.exe

"C:\Users\user\Desktop\DHL_Doc.9787653446578978656879764534576879764545766456.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5176
Target ID:	0
Parent PID:	4004
Name:	DHL_Doc.9787653446578978656879764534576879764545766456.exe
Path:	C:\Users\user\Desktop\DHL_Doc.9787653446578978656879764534576879764545766456.exe
Commandline:	"C:\Users\user\Desktop\DHL_Doc.9787653446578978656879764534576879764545766456.exe"
Size:	1078784
MD5:	61BDC143810DFF5CB798E3B005B6331C
Time:	01:54:45
Date:	20/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x780000
Modulesize:	1105920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Binary is likely a compiled AutoIt script file	System Summary
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\DHL_Doc.9787653446578978656879764534576879764545766456.exe"

Details

Is windows:	true
Is dropped:	false
PID:	3088
Target ID:	2
Parent PID:	5176
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\DHL_Doc.9787653446578978656879764534576879764545766456.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	01:54:46
Date:	20/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x3f0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\DHL_Doc.9787653446578978656879764534576879764545766456.exe
Source:	DHL_Doc.9787653446578978656879764534576879764545766456.exe, 00000000.00000002.2183208774.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3407442270.00000000007C2000.00000040.80000000.00040000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.3408272306.00000000027F8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3408272306.0000000002731000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://ip-api.com/line/?fields=hosting

208.95.112.1

Details

Name:	http://ip-api.com/line/?fields=hosting
IP:	208.95.112.1
TargetID:	2
From Memory:	false
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking

http://ip-api.com

unknown

Details

Name:	http://ip-api.com
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.3408272306.0000000002812000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3408272306.00000000027F8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3408272306.0000000002731000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Check if machine is in data center or colocation facility	Malware Analysis System Evasion	Security Software Discovery
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

208.95.112.1

ip-api.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

7C2000

system

page execute and read and write

3C00000

direct allocation

page read and write

3DB3000

direct allocation

page read and write

3F5D000

direct allocation

page read and write

2849000

trusted library allocation

page read and write

3D63000

direct allocation

page read and write

174A000

heap

page read and write

9F3000

trusted library allocation

page execute and read and write

11BC000

stack

page read and write

9E0000

trusted library allocation

page read and write

844000

unkown

page readonly

3D63000

direct allocation

page read and write

3C90000

direct allocation

page read and write

154F000

heap

page read and write

A10000

trusted library allocation

page read and write

C40000

trusted library allocation

page read and write

4C1B000

trusted library allocation

page read and write

5EF0000

trusted library allocation

page execute and read and write

3F59000

direct allocation

page read and write

2280000

heap

page read and write

15DD000

heap

page read and write

3C40000

direct allocation

page read and write

2180000

heap

page read and write

5A96000

heap

page read and write

175D000

heap

page read and write

3739000

trusted library allocation

page read and write

130E000

stack

page read and write

5EC0000

trusted library allocation

page read and write

529E000

stack

page read and write

4EDC000

stack

page read and write

3F7E000

direct allocation

page read and write

5A94000

heap

page read and write

3C40000

direct allocation

page read and write

3FCE000

direct allocation

page read and write

2820000

trusted library allocation

page read and write

3F09000

direct allocation

page read and write

A0D000

trusted library allocation

page execute and read and write

1536000

heap

page read and write

2830000

trusted library allocation

page read and write

BEE000

stack

page read and write

2822000

trusted library allocation

page read and write

3731000

trusted library allocation

page read and write

3F7E000

direct allocation

page read and write

9B0000

heap

page read and write

BA0000

heap

page read and write

14FE000

heap

page read and write

4C3D000

trusted library allocation

page read and write

3F0D000

direct allocation

page read and write

4C53000

heap

page read and write

3C90000

direct allocation

page read and write

4C70000

heap

page read and write

7FBD0000

trusted library allocation

page execute and read and write

505E000

stack

page read and write

CA0000

heap

page execute and read and write

935000

heap

page read and write

780000

unkown

page readonly

B04000

heap

page read and write

27A6000

trusted library allocation

page read and write

2843000

trusted library allocation

page read and write

174A000

heap

page read and write

83A000

unkown

page read and write

5D7E000

stack

page read and write

11FC000

stack

page read and write

3C90000

direct allocation

page read and write

3FCE000

direct allocation

page read and write

3DB3000

direct allocation

page read and write

2812000

trusted library allocation

page read and write

3759000

trusted library allocation

page read and write

1538000

heap

page read and write

3F09000

direct allocation

page read and write

5EB7000

trusted library allocation

page read and write

4C16000

trusted library allocation

page read and write

840000

heap

page read and write

A22000

trusted library allocation

page read and write

27F2000

trusted library allocation

page read and write

20EE000

stack

page read and write

3D63000

direct allocation

page read and write

80D000

unkown

page readonly

83A000

unkown

page write copy

B90000

heap

page read and write

27F8000

trusted library allocation

page read and write

3F09000

direct allocation

page read and write

1535000

heap

page read and write

82E000

unkown

page readonly

25FC000

stack

page read and write

A1A000

trusted library allocation

page execute and read and write

C90000

trusted library allocation

page execute and read and write

A68000

heap

page read and write

14FA000

heap

page read and write

4C2A000

trusted library allocation

page read and write

781000

unkown

page execute read

80D000

unkown

page readonly

ADB000

heap

page read and write

5EA0000

trusted library allocation

page execute and read and write

152B000

heap

page read and write

1555000

heap

page read and write

788000

stack

page read and write

B2A000

stack

page read and write

2610000

trusted library allocation

page read and write

A30000

heap

page read and write

9F0000

trusted library allocation

page read and write

AA5000

heap

page read and write

9F4000

trusted library allocation

page read and write

4C50000

heap

page read and write

930000

heap

page read and write

4C31000

trusted library allocation

page read and write

ABA000

heap

page read and write

3F09000

direct allocation

page read and write

3799000

trusted library allocation

page read and write

5A88000

heap

page read and write

15DC000

heap

page read and write

1536000

heap

page read and write

16BB000

heap

page read and write

501E000

stack

page read and write

4DD0000

heap

page execute and read and write

A2B000

trusted library allocation

page execute and read and write

11CF000

stack

page read and write

257F000

stack

page read and write

B1D000

heap

page read and write

5AA0000

heap

page read and write

1536000

heap

page read and write

3E30000

direct allocation

page read and write

3E30000

direct allocation

page read and write

3F7E000

direct allocation

page read and write

5F00000

heap

page read and write

15EF000

heap

page read and write

48CD000

stack

page read and write

3F0D000

direct allocation

page read and write

160E000

heap

page read and write

4C1E000

trusted library allocation

page read and write

844000

unkown

page readonly

2620000

heap

page read and write

3F5D000

direct allocation

page read and write

4738000

trusted library allocation

page read and write

281C000

trusted library allocation

page read and write

5F90000

trusted library allocation

page read and write

4C10000

trusted library allocation

page read and write

519D000

stack

page read and write

5EE0000

trusted library allocation

page read and write

1587000

heap

page read and write

CD6000

heap

page read and write

3DE0000

direct allocation

page read and write

5E7E000

stack

page read and write

781000

unkown

page execute read

82E000

unkown

page readonly

1793000

heap

page read and write

1CEE000

stack

page read and write

2765000

trusted library allocation

page read and write

5EC7000

trusted library allocation

page read and write

14F0000

heap

page read and write

4C36000

trusted library allocation

page read and write

5E80000

heap

page read and write

5F80000

heap

page read and write

780000

unkown

page readonly

3F59000

direct allocation

page read and write

2184000

heap

page read and write

1340000

heap

page read and write

4C2E000

trusted library allocation

page read and write

CB0000

trusted library allocation

page read and write

1794000

heap

page read and write

7C0000

system

page execute and read and write

3E30000

direct allocation

page read and write

515E000

stack

page read and write

A16000

trusted library allocation

page execute and read and write

3F0D000

direct allocation

page read and write

CD0000

heap

page read and write

5A40000

heap

page read and write

5EB0000

trusted library allocation

page read and write

3F5D000

direct allocation

page read and write

CC0000

trusted library allocation

page read and write

538E000

stack

page read and write

5ED0000

trusted library allocation

page read and write

152C000

heap

page read and write

3F7E000

direct allocation

page read and write

A12000

trusted library allocation

page read and write

4F1E000

stack

page read and write

5E90000

trusted library allocation

page read and write

11DB000

stack

page read and write

990000

heap

page read and write

9FD000

trusted library allocation

page execute and read and write

3C40000

direct allocation

page read and write

4C42000

trusted library allocation

page read and write

5A59000

heap

page read and write

A38000

heap

page read and write

A27000

trusted library allocation

page execute and read and write

169E000

heap

page read and write

3DE0000

direct allocation

page read and write

3F59000

direct allocation

page read and write

280C000

trusted library allocation

page read and write

3D63000

direct allocation

page read and write

3DB3000

direct allocation

page read and write

4DAC000

stack

page read and write

920000

heap

page read and write

174A000

heap

page read and write

534E000

stack

page read and write

22A0000

heap

page read and write

68A000

stack

page read and write

1749000

heap

page execute and read and write

4C22000

trusted library allocation

page read and write

3DE0000

direct allocation

page read and write

3F0D000

direct allocation

page read and write

2600000

trusted library allocation

page read and write

3FCE000

direct allocation

page read and write

C8E000

stack

page read and write

83F000

unkown

page write copy

A00000

trusted library allocation

page read and write

3C40000

direct allocation

page read and write

2731000

trusted library allocation

page read and write

A65000

heap

page read and write

3DE0000

direct allocation

page read and write

2835000

trusted library allocation

page read and write

1536000

heap

page read and write

174E000

heap

page read and write

There are 203 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
DHL_Doc.9787653446578978656879764534576879764545766456.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportDHL_Doc.9787653446578978656879764534576879764545766456.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
DHL_Doc.9787653446578978656879764534576879764545766456.exe