Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Ship Docs_ CI_BL_HBL_.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.934705332372938
Filename:	Ship Docs_ CI_BL_HBL_.exe
Filesize:	1036800
MD5:	6902d6b5857bdcde15b9af8aaf50b407
SHA1:	48acd39a0fd4b11c37e5b06d6d831d1825279f0f
SHA256:	4cf20ea54fb348cc2573628cf6d751faa35d3adf5317970068d28185c5a285c9
SHA512:	9cc8c63db4ebd12fe35cec61d586445d64b184e111ac258b04159c202f05bdb010f83101b5f2ae645b9b96e4f2d694542ae58a7db594a060b2629330fde5decc
SSDEEP:	24576:CAHnh+eWsN3skA4RV1Hom2KXMmHarkCe0UbtW5:Fh+ZkldoPK8Yarhmm
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection	Exploitation for Privilege Escalation
Multi AV Scanner detection for submitted file	AV Detection	Disable or Modify Tools
Binary is likely a compiled AutoIt script file	System Summary
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection Disable or Modify Tools
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging	Disable or Modify Tools
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts Access Token Manipulation Disable or Modify Tools
Contains functionality to launch a process as a different user	System Summary
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	Disable or Modify Tools
Contains functionality to read the PEB	Anti Debugging
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Detected potential crypto function	System Summary	System Time Discovery Encrypted Channel
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API
Found large amount of non-executed APIs	Malware Analysis System Evasion	System Time Discovery
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Disable or Modify Tools System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools Input Capture
Sample file is different than original file name gathered from version info	System Summary	System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Disable or Modify Tools
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
.NET source code contains calls to encryption/decryption functions	System Summary	Archive Collected Data
Contains functionality for error logging	System Summary	Disable or Modify Tools
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Disable or Modify Tools
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion	Disable or Modify Tools
Reads software policies	System Summary
Sample is known by Antivirus	System Summary	Disable or Modify Tools
Tries to load missing DLLs	System Summary	DLL Side-Loading Disable or Modify Tools
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Users\user\AppData\Local\Temp\aut7C1F.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut7C1F.tmp
Category:	dropped
Dump:	aut7C1F.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Ship Docs_ CI_BL_HBL_.exe
Type:	data
Entropy:	7.90028433812621
Encrypted:	false
Ssdeep:	3072:ecIb4sw8Ut5EbFSOuZ7W5bfIKR820OsHkEhU02rEOpjCtIQLJHh:OXFUtLwC2pjOIQLJHh
Size:	147946
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\aut7C5F.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut7C5F.tmp
Category:	dropped
Dump:	aut7C5F.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\Ship Docs_ CI_BL_HBL_.exe
Type:	data
Entropy:	7.599104754585102
Encrypted:	false
Ssdeep:	192:C+cKwsF7SQU2a5C/x9x7PKe+MCJAUqLrTCVOLVa:h7wsF7SQUI7PKe+zpqXTCVOLQ
Size:	9870
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\cerecloths

ASCII text, with very long lines (28720), with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\cerecloths
Category:	dropped
Dump:	cerecloths.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\Ship Docs_ CI_BL_HBL_.exe
Type:	ASCII text, with very long lines (28720), with no line terminators
Entropy:	3.5944300830265745
Encrypted:	false
Ssdeep:	768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbBE+Ii6m34vfF3if6gy8:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RJ
Size:	28720
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\nouses

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\nouses
Category:	dropped
Dump:	nouses.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Ship Docs_ CI_BL_HBL_.exe
Type:	data
Entropy:	6.544012199447945
Encrypted:	false
Ssdeep:	6144:KgaYD1hdH9/pzLUX20fvk77iBP2AUWreniJvI3QhQALjZUoQa5V4g5ZKV0I78ZAg:F1hdH9/psX20fvk77KPIWrnJvI36QA3v
Size:	243200
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Ship Docs_ CI_BL_HBL_.exe

"C:\Users\user\Desktop\Ship Docs_ CI_BL_HBL_.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6576
Target ID:	0
Parent PID:	2580
Name:	Ship Docs_ CI_BL_HBL_.exe
Path:	C:\Users\user\Desktop\Ship Docs_ CI_BL_HBL_.exe
Commandline:	"C:\Users\user\Desktop\Ship Docs_ CI_BL_HBL_.exe"
Size:	1036800
MD5:	6902D6B5857BDCDE15B9AF8AAF50B407
Time:	10:14:53
Date:	23/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xf80000
Modulesize:	1060864
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Binary is likely a compiled AutoIt script file	System Summary
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\Ship Docs_ CI_BL_HBL_.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6600
Target ID:	1
Parent PID:	6576
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\Ship Docs_ CI_BL_HBL_.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	10:14:54
Date:	23/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x90000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://api.ipify.org/

104.26.13.205

http://r3.o.lencr.org0

unknown

https://api.ipify.org

unknown

http://mail.myhydropowered.com

unknown

https://account.dyn.com/

unknown

https://api.ipify.org/t

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://x1.c.lencr.org/0

unknown

http://x1.i.lencr.org/0

unknown

http://ip-api.com/line/?fields=hosting

208.95.112.1

http://ip-api.com

unknown

http://r3.i.lencr.org/0

unknown

There are 2 hidden URLs, click here to show them.

Domains

Name

Malicious

mail.myhydropowered.com

131.226.2.60

Details

Name:	mail.myhydropowered.com
IP:	131.226.2.60
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

104.26.13.205

Details

Name:	api.ipify.org
IP:	104.26.13.205
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Check if machine is in data center or colocation facility	Malware Analysis System Evasion	Security Software Discovery
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

131.226.2.60

mail.myhydropowered.com

United States

Details

IP:	131.226.2.60
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	16797
ASN name:	UNASSIGNED
Private:	false
Domain:	mail.myhydropowered.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

208.95.112.1

ip-api.com

United States

104.26.13.205

api.ipify.org

United States

Details

IP:	104.26.13.205
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

162000

system

page execute and read and write

2415000

trusted library allocation

page read and write

2438000

trusted library allocation

page read and write

ED0000

direct allocation

page read and write

5B2D000

stack

page read and write

156F000

heap

page read and write

AE0000

heap

page execute and read and write

4F4C000

stack

page read and write

3D00000

direct allocation

page read and write

3FCD000

direct allocation

page read and write

6A0000

trusted library allocation

page read and write

34F7000

trusted library allocation

page read and write

245D000

trusted library allocation

page read and write

48AE000

trusted library allocation

page read and write

6BD000

trusted library allocation

page execute and read and write

4BCC000

stack

page read and write

48BD000

trusted library allocation

page read and write

7F2B0000

trusted library allocation

page execute and read and write

94C000

stack

page read and write

48C2000

trusted library allocation

page read and write

5D4C000

stack

page read and write

239E000

stack

page read and write

58ED000

stack

page read and write

A053000

trusted library allocation

page read and write

25EA000

trusted library allocation

page read and write

5730000

heap

page read and write

23E5000

trusted library allocation

page read and write

60B0000

trusted library allocation

page read and write

3FCD000

direct allocation

page read and write

157D000

heap

page read and write

A01C000

trusted library allocation

page read and write

34B7000

trusted library allocation

page read and write

48E0000

trusted library allocation

page read and write

685D000

stack

page read and write

23F9000

trusted library allocation

page read and write

3EA0000

direct allocation

page read and write

A044000

trusted library allocation

page read and write

A02B000

trusted library allocation

page read and write

14F6000

heap

page read and write

3E23000

direct allocation

page read and write

145E000

stack

page read and write

103F000

unkown

page write copy

14F5000

heap

page read and write

35D7000

trusted library allocation

page read and write

6E5000

trusted library allocation

page execute and read and write

403E000

direct allocation

page read and write

1048000

unkown

page readonly

3617000

trusted library allocation

page read and write

3FCD000

direct allocation

page read and write

160000

system

page execute and read and write

2502000

trusted library allocation

page read and write

655C000

stack

page read and write

3E23000

direct allocation

page read and write

6D2000

trusted library allocation

page read and write

159C000

heap

page read and write

5F00000

trusted library allocation

page read and write

33D9000

trusted library allocation

page read and write

3417000

trusted library allocation

page read and write

785000

heap

page read and write

2401000

trusted library allocation

page read and write

23B1000

trusted library allocation

page read and write

A067000

trusted library allocation

page read and write

5ECC000

stack

page read and write

25A3000

trusted library allocation

page read and write

3D00000

direct allocation

page read and write

5B7E000

stack

page read and write

3537000

trusted library allocation

page read and write

48D0000

trusted library allocation

page read and write

19E000

system

page execute and read and write

49C3000

heap

page read and write

403E000

direct allocation

page read and write

A049000

trusted library allocation

page read and write

15AC000

heap

page read and write

1554000

heap

page read and write

718000

heap

page read and write

7A7000

heap

page read and write

1553000

heap

page read and write

489B000

trusted library allocation

page read and write

84C000

unkown

page read and write

59EE000

stack

page read and write

14E6000

heap

page read and write

150D000

heap

page read and write

A062000

trusted library allocation

page read and write

23A0000

heap

page read and write

146B000

stack

page read and write

72E000

heap

page read and write

14F7000

heap

page read and write

5F60000

trusted library allocation

page read and write

5EE0000

trusted library allocation

page read and write

A026000

trusted library allocation

page read and write

F81000

unkown

page execute read

49AE000

stack

page read and write

77C0000

heap

page read and write

23FD000

trusted library allocation

page read and write

5670000

heap

page read and write

150D000

heap

page read and write

73A000

heap

page read and write

5710000

heap

page read and write

2651000

trusted library allocation

page read and write

39B0000

heap

page read and write

4890000

trusted library allocation

page read and write

3FC9000

direct allocation

page read and write

14B8000

heap

page read and write

1553000

heap

page read and write

159C000

heap

page read and write

3FCD000

direct allocation

page read and write

CA86000

trusted library allocation

page read and write

100F000

unkown

page readonly

5719000

heap

page read and write

8890000

heap

page read and write

489E000

trusted library allocation

page read and write

48AA000

trusted library allocation

page read and write

3497000

trusted library allocation

page read and write

1553000

heap

page read and write

3FC9000

direct allocation

page read and write

3D00000

direct allocation

page read and write

8E9000

stack

page read and write

454E000

stack

page read and write

49D0000

heap

page read and write

6CD000

trusted library allocation

page execute and read and write

665D000

stack

page read and write

745000

heap

page read and write

5E4C000

stack

page read and write

A071000

trusted library allocation

page read and write

3FCD000

direct allocation

page read and write

8E89000

trusted library allocation

page read and write

68A0000

heap

page read and write

4D0E000

stack

page read and write

3FC9000

direct allocation

page read and write

AF6000

heap

page read and write

9E0000

heap

page read and write

6030000

trusted library allocation

page execute and read and write

1043000

unkown

page write copy

DAAE000

stack

page read and write

5F5C000

stack

page read and write

148C000

stack

page read and write

9DE000

stack

page read and write

150D000

heap

page read and write

640E000

stack

page read and write

3EA0000

direct allocation

page read and write

6D0000

trusted library allocation

page read and write

48B6000

trusted library allocation

page read and write

5EFD000

trusted library allocation

page read and write

5CCE000

stack

page read and write

2463000

trusted library allocation

page read and write

3E23000

direct allocation

page read and write

14F5000

heap

page read and write

48A2000

trusted library allocation

page read and write

5A2E000

stack

page read and write

403E000

direct allocation

page read and write

562C000

stack

page read and write

150D000

heap

page read and write

A90000

heap

page read and write

35B7000

trusted library allocation

page read and write

3457000

trusted library allocation

page read and write

6E2000

trusted library allocation

page read and write

77B0000

heap

page read and write

4E4C000

stack

page read and write

3FC9000

direct allocation

page read and write

4F70000

heap

page read and write

14D7000

heap

page read and write

263B000

trusted library allocation

page read and write

3577000

trusted library allocation

page read and write

14DC000

heap

page read and write

DC0000

heap

page read and write

6B0000

trusted library allocation

page read and write

3E23000

direct allocation

page read and write

150D000

heap

page read and write

6DA000

trusted library allocation

page execute and read and write

33B1000

trusted library allocation

page read and write

1CAF000

stack

page read and write

3D00000

direct allocation

page read and write

4CCD000

stack

page read and write

3EA0000

direct allocation

page read and write

2450000

trusted library allocation

page read and write

A8C000

stack

page read and write

5630000

heap

page read and write

675C000

stack

page read and write

2616000

trusted library allocation

page read and write

20AE000

stack

page read and write

48B1000

trusted library allocation

page read and write

613E000

stack

page read and write

150D000

heap

page read and write

883B000

heap

page read and write

547000

heap

page read and write

A021000

trusted library allocation

page read and write

23F5000

trusted library allocation

page read and write

4E0E000

stack

page read and write

100F000

unkown

page readonly

748000

heap

page read and write

6C0000

trusted library allocation

page read and write

14E6000

heap

page read and write

60F0000

trusted library allocation

page execute and read and write

AC0000

trusted library allocation

page read and write

53E000

stack

page read and write

710000

heap

page read and write

3597000

trusted library allocation

page read and write

2694000

trusted library allocation

page read and write

3D00000

direct allocation

page read and write

14B0000

heap

page read and write

AF0000

heap

page read and write

103F000

unkown

page read and write

CA8E000

trusted library allocation

page read and write

3E23000

direct allocation

page read and write

2549000

trusted library allocation

page read and write

48F0000

heap

page execute and read and write

24AB000

trusted library allocation

page read and write

8869000

heap

page read and write

A0C000

stack

page read and write

68B0000

trusted library allocation

page read and write

12A000

stack

page read and write

2575000

trusted library allocation

page read and write

AD0000

trusted library allocation

page read and write

1048000

unkown

page readonly

5A0000

heap

page read and write

23ED000

trusted library allocation

page read and write

3E23000

direct allocation

page read and write

3437000

trusted library allocation

page read and write

570D000

heap

page read and write

6B4000

trusted library allocation

page read and write

403E000

direct allocation

page read and write

39B4000

heap

page read and write

150E000

heap

page read and write

8E8E000

trusted library allocation

page read and write

2851000

trusted library allocation

page read and write

DA0000

heap

page read and write

3FCD000

direct allocation

page read and write

150D000

heap

page read and write

6D6000

trusted library allocation

page execute and read and write

3D00000

direct allocation

page read and write

3FC9000

direct allocation

page read and write

3477000

trusted library allocation

page read and write

157D000

heap

page read and write

3EA0000

direct allocation

page read and write

144F000

stack

page read and write

6E7000

trusted library allocation

page execute and read and write

3FC9000

direct allocation

page read and write

14F7000

heap

page read and write

99E000

stack

page read and write

1562000

heap

page read and write

CA89000

trusted library allocation

page read and write

5ED6000

trusted library allocation

page read and write

8874000

heap

page read and write

A030000

trusted library allocation

page read and write

34D7000

trusted library allocation

page read and write

98C000

stack

page read and write

1E0000

heap

page read and write

5EE4000

trusted library allocation

page read and write

4896000

trusted library allocation

page read and write

5EF3000

trusted library allocation

page read and write

35F7000

trusted library allocation

page read and write

403E000

direct allocation

page read and write

A4E000

stack

page read and write

3E23000

direct allocation

page read and write

150D000

heap

page read and write

1035000

unkown

page readonly

87B0000

heap

page read and write

14D4000

heap

page read and write

A06C000

trusted library allocation

page read and write

3557000

trusted library allocation

page read and write

A03F000

trusted library allocation

page read and write

43B8000

trusted library allocation

page read and write

700000

trusted library allocation

page read and write

62DC000

stack

page read and write

7D1000

heap

page read and write

5E8C000

stack

page read and write

540000

heap

page read and write

5B30000

trusted library allocation

page read and write

9CC000

stack

page read and write

3EA0000

direct allocation

page read and write

5C7F000

stack

page read and write

403E000

direct allocation

page read and write

3FCD000

direct allocation

page read and write

1F0000

heap

page read and write

3EA0000

direct allocation

page read and write

14E4000

heap

page read and write

403E000

direct allocation

page read and write

5A5000

heap

page read and write

EC0000

direct allocation

page execute and read and write

AB0000

trusted library allocation

page execute and read and write

A058000

trusted library allocation

page read and write

14F5000

heap

page read and write

A05D000

trusted library allocation

page read and write

8E86000

trusted library allocation

page read and write

6B3000

trusted library allocation

page execute and read and write

26D2000

trusted library allocation

page read and write

5640000

trusted library allocation

page read and write

5660000

trusted library allocation

page read and write

3EA0000

direct allocation

page read and write

5ED0000

trusted library allocation

page read and write

494C000

stack

page read and write

5F10000

trusted library allocation

page execute and read and write

6450000

heap

page read and write

A03A000

trusted library allocation

page read and write

F80000

unkown

page readonly

6EB000

trusted library allocation

page execute and read and write

F80000

unkown

page readonly

3D00000

direct allocation

page read and write

F30000

heap

page read and write

4F9000

stack

page read and write

950000

heap

page read and write

3547000

trusted library allocation

page read and write

159C000

heap

page read and write

F81000

unkown

page execute read

60A0000

heap

page read and write

2642000

trusted library allocation

page read and write

A01A000

trusted library allocation

page read and write

A04E000

trusted library allocation

page read and write

1035000

unkown

page readonly

A035000

trusted library allocation

page read and write

6040000

trusted library allocation

page read and write

26D6000

trusted library allocation

page read and write

3517000

trusted library allocation

page read and write

68AA000

heap

page read and write

49C0000

heap

page read and write

5D0E000

stack

page read and write

3FC9000

direct allocation

page read and write

There are 307 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Ship Docs_ CI_BL_HBL_.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportShip Docs_ CI_BL_HBL_.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Ship Docs_ CI_BL_HBL_.exe