IOC Report


Files

| File Path | Type | Category | Malicious |
| --- | --- | --- | --- |
| FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious |
| C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe.log | ASCII text, with CRLF line terminators | dropped | malicious |
| C:\Windows\System32\drivers\etc\hosts | ASCII text, with CRLF line terminators | dropped | malicious |
| C:\Users\user\AppData\Roaming\becfyxbg.kps\Chrome\Default\Cookies | SQLite 3.x database, last written using SQLite version 3032001 | modified | clean |

Processes

| Path | Cmdline | Malicious |
| --- | --- | --- |
| C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | "C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe" | malicious |
| C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | C:\Users\user\Desktop\FedEx Shipment Notification - Air WayBill FED1007990_A10792.exe | malicious |

URLs

| Name | IP | Malicious |
| --- | --- | --- |
| http://127.0.0.1:HTTP/1.1 | unknown | clean |
| http://DynDns.comDynDNS | unknown | clean |
| https://api.telegram.org4 | unknown | clean |
| https://api.telegram.org | unknown | clean |
| https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | unknown | clean |
| https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendDocumentdocument----- | unknown | clean |
| https://190L8dvjH7GrrK.net | unknown | clean |
| https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/ | unknown | clean |
| http://yWRCNh.com | unknown | clean |
| https://api.ipify.org%GETMozilla/5.0 | unknown | clean |
| http://api.telegram.org | unknown | clean |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown | clean |
| https://api.ipify.org% | unknown | clean |
| https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | unknown | clean |
| https://api.telegram.orgD8 | unknown | clean |
| https://190L8dvjH7GrrK.netP | unknown | clean |
| https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendDocument | 149.154.167.220 | clean |

Domains

| Name | IP | Malicious |
| --- | --- | --- |
| api.telegram.org | 149.154.167.220 | clean |

IPs

| IP | Domain | Country | Malicious |
| --- | --- | --- | --- |
| 149.154.167.220 | api.telegram.org | United Kingdom | clean |

Registry

| Path | Value | Malicious |
| --- | --- | --- |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing | EnableConsoleTracing | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32 | EnableFileTracing | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32 | EnableAutoFileTracing | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32 | EnableConsoleTracing | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32 | FileTracingMask | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32 | ConsoleTracingMask | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32 | MaxFileSize | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32 | FileDirectory | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS | EnableFileTracing | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS | EnableAutoFileTracing | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS | EnableConsoleTracing | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS | FileTracingMask | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS | ConsoleTracingMask | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS | MaxFileSize | clean |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS | FileDirectory | clean |

Memdumps

| Base Address | Region type | Protect | Malicious |
| --- | --- | --- | --- |
| 402000 | unknown | page execute and read and write | malicious |
| 402000 | unknown | page execute and read and write | malicious |
| 2F26000 | unknown | page read and write | malicious |
| 31A1000 | unknown | page read and write | malicious |
| 402000 | unknown | page execute and read and write | malicious |
| 402000 | unknown | page execute and read and write | malicious |
| 402000 | unknown | page execute and read and write | malicious |
| 2EA1000 | unknown | page read and write | malicious |
| 3EAD000 | unknown | page read and write | malicious |
| 1310000 | stack | page read and write | clean |
| 1394000 | unknown | page read and write | clean |
| 1394000 | unknown | page read and write | clean |
| 7FF5E334F000 | unknown image | page readonly | clean |
| 1394000 | unknown | page read and write | clean |
| 6630000 | unknown | page read and write | clean |
| E70000 | unknown image | page readonly | clean |
| 55F7000 | unknown | page read and write | clean |
| 1394000 | unknown | page read and write | clean |
| 13C0000 | stack | page read and write | clean |
| 2FB0000 | unknown | page read and write | clean |
| 1394000 | unknown | page read and write | clean |
| 253AE913000 | unknown | page read and write | clean |
| 13E0000 | stack | page read and write | clean |
| 1394000 | unknown | page read and write | clean |
| 1394000 | unknown | page read and write | clean |
| 5554000 | unknown | page read and write | clean |
| 7FF51874C000 | unknown image | page readonly | clean |
| 6F4B000 | unknown | page read and write | clean |
| 1394000 | unknown | page read and write | clean |
| 72EE000 | stack | page read and write | clean |