IOC Report


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| DHL_119040 ontvangstbewijs,pdf.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious |
| C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_119040 ontvangstbewijs,pdf.exe.log | ASCII text, with CRLF line terminators | dropped | clean |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe | "C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe" | malicious |
| C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe | C:\Users\user\Desktop\DHL_119040 ontvangstbewijs,pdf.exe | malicious |

URLs

| Name | IP | Malicious |
|---|---|---|
| http://www.mgbless.in | unknown | malicious |
| https://www.mgbless.in/ | unknown | malicious |
| https://www.mgbless.in4 | unknown | malicious |
| https://www.mgbless.in | unknown | malicious |
| http://mgbless.in | unknown | malicious |
| https://www.mgbless.in/mac/inc/0bb73b6c7ade1a.php127.0.0.1POST | unknown | malicious |
| https://www.mgbless.in/mac/inc/0bb73b6c7ade1a.php | 104.223.93.105 | malicious |
| https://www.mgbless.inD8 | unknown | malicious |
| http://127.0.0.1:HTTP/1.1 | unknown | clean |
| http://DynDns.comDynDNS | unknown | clean |
| https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | unknown | clean |
| https://api.ipify.org%GETMozilla/5.0 | unknown | clean |
| http://lmeJrA.com | unknown | clean |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown | clean |
| https://api.ipify.org% | unknown | clean |
| https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | unknown | clean |

(6 further URLs were not shown in the report view this page was extracted from.)

Domains

| Name | IP | Malicious |
|---|---|---|
| mgbless.in | 104.223.93.105 | malicious |
| www.mgbless.in | unknown | malicious |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 104.223.93.105 | mgbless.in | United States | malicious |
| 192.168.2.1 | unknown | unknown | clean |

Registry

| Path | Value | Malicious |
|---|---|---|
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing | EnableConsoleTracing | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_119040 ontvangstbewijs,pdf_RASAPI32 | EnableFileTracing | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_119040 ontvangstbewijs,pdf_RASAPI32 | EnableAutoFileTracing | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_119040 ontvangstbewijs,pdf_RASAPI32 | EnableConsoleTracing | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_119040 ontvangstbewijs,pdf_RASAPI32 | FileTracingMask | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_119040 ontvangstbewijs,pdf_RASAPI32 | ConsoleTracingMask | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_119040 ontvangstbewijs,pdf_RASAPI32 | MaxFileSize | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_119040 ontvangstbewijs,pdf_RASAPI32 | FileDirectory | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_119040 ontvangstbewijs,pdf_RASMANCS | EnableFileTracing | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_119040 ontvangstbewijs,pdf_RASMANCS | EnableAutoFileTracing | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_119040 ontvangstbewijs,pdf_RASMANCS | EnableConsoleTracing | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_119040 ontvangstbewijs,pdf_RASMANCS | FileTracingMask | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_119040 ontvangstbewijs,pdf_RASMANCS | ConsoleTracingMask | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_119040 ontvangstbewijs,pdf_RASMANCS | MaxFileSize | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_119040 ontvangstbewijs,pdf_RASMANCS | FileDirectory | clean |

(5 further registry entries were not shown in the report view this page was extracted from.)

Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 402000 | unknown | page execute and read and write | malicious |
| 402000 | unknown | page execute and read and write | malicious |
| 402000 | unknown | page execute and read and write | malicious |
| 293B000 | unknown | page read and write | malicious |
| 2871000 | unknown | page read and write | malicious |
| 2811000 | unknown | page read and write | malicious |
| 387D000 | unknown | page read and write | malicious |
| 402000 | unknown | page execute and read and write | malicious |
| 2960000 | unknown | page read and write | malicious |
| 402000 | unknown | page execute and read and write | malicious |
| 20FA82D0000 | unknown | page read and write | clean |
| 26F8000 | unknown | page read and write | clean |
| FAA89FC000 | stack | page read and write | clean |
| 5F09000 | unknown | page read and write | clean |
| AD0000 | stack | page read and write | clean |
| FAA92FC000 | stack | page read and write | clean |
| 4F05000 | unknown | page read and write | clean |
| 5E50000 | unknown | page read and write | clean |
| C30000 | stack | page read and write | clean |
| 21CBD374000 | unknown | page read and write | clean |
| 4DD5000 | unknown | page read and write | clean |
| 7FF5060A1000 | unknown image | page readonly | clean |
| 21CBD37C000 | unknown | page read and write | clean |
| C40000 | stack | page read and write | clean |
| 5290000 | unknown | page read and write | clean |
| 21CBD802000 | unknown | page read and write | clean |
| FAA8F7F000 | stack | page read and write | clean |
| 28F1000 | unknown | page read and write | clean |
| 21CBD387000 | unknown | page read and write | clean |
| 500000 | unknown image | page readonly | clean |
| 7DF572E62000 | unknown image | page readonly | clean |
| 21CBD384000 | unknown | page read and write | clean |
| 7FF5D8803000 | unknown image | page readonly | clean |
| 4F90000 | unknown | page read and write | clean |
| 2F4310A0000 | unknown | page read and write | |