Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

DHL_VTER000105453.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.956439048355657
Filename:	DHL_VTER000105453.exe
Filesize:	713224
MD5:	7dec2c3596f3081f16fb71af0b1340ef
SHA1:	2f95bb30d3d11e88713b66fe1c55113e06890656
SHA256:	0144ad3c79e25335ba0bb88e4c47c497215af9d44f0dc9f8a550bf71d579ca07
SHA512:	99b383bc464f37fc5b5a8cf3e8415360e9eca70df7358fec3a2e17b045e8d928042a32ca89504ee460048e28f044efda00ef882264fdf4010c318a3a81fe8a53
SSDEEP:	12288:uVUL2iNdl0ZE1huYAo+eovnS+P1R+5DH2qhu1zbCxjLqsewT8Nu/+SyST3xT1O1V:u+1Pl0GDADZvFPD+tHlAoJewINI+SySq
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....q\|...............0.............6.... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation
.NET source code contains potential unpacker	Data Obfuscation
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)	Anti Debugging
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Contains functionality to register a low level keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation Virtualization/Sandbox Evasion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Checks if the current process is being debugged	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a window with clipboard capturing capabilities	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE / OLE file has an invalid certificate	System Summary
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
.NET source code contains methods with suspicious names	System Summary	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary	System Information Discovery
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_VTER000105453.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_VTER000105453.exe.log
Category:	dropped
Dump:	DHL_VTER000105453.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\DHL_VTER000105453.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE / OLE file has an invalid certificate	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\DHL_VTER000105453.exe

"C:\Users\user\Desktop\DHL_VTER000105453.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3564
Target ID:	0
Parent PID:	4056
Name:	DHL_VTER000105453.exe
Path:	C:\Users\user\Desktop\DHL_VTER000105453.exe
Commandline:	"C:\Users\user\Desktop\DHL_VTER000105453.exe"
Size:	713224
MD5:	7DEC2C3596F3081F16FB71AF0B1340EF
Time:	10:02:23
Date:	04/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x150000
Modulesize:	720896
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE / OLE file has an invalid certificate	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\DHL_VTER000105453.exe

"C:\Users\user\Desktop\DHL_VTER000105453.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5060
Target ID:	3
Parent PID:	3564
Name:	DHL_VTER000105453.exe
Path:	C:\Users\user\Desktop\DHL_VTER000105453.exe
Commandline:	"C:\Users\user\Desktop\DHL_VTER000105453.exe"
Size:	713224
MD5:	7DEC2C3596F3081F16FB71AF0B1340EF
Time:	10:02:24
Date:	04/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x790000
Modulesize:	720896
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE / OLE file has an invalid certificate	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://api.ipify.org/

172.67.74.152

https://api.ipify.org

unknown

https://account.dyn.com/

unknown

http://x1.c.lencr.org/0

unknown

http://x1.i.lencr.org/0

unknown

http://tempuri.org/DataSeta.xsd)Microsoft

unknown

http://ip-api.com

unknown

http://r3.o.lencr.org0

unknown

https://api.ipify.org/t

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://www.chiark.greenend.org.uk/~sgtatham/putty/0

unknown

http://ip-api.com/line/?fields=hosting

208.95.112.1

http://nl9.nlkoddos.com

unknown

http://r3.i.lencr.org/0

unknown

There are 4 hidden URLs, click here to show them.

Domains

Name

Malicious

nl9.nlkoddos.com

89.249.49.141

Details

Name:	nl9.nlkoddos.com
IP:	89.249.49.141
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

172.67.74.152

Details

Name:	api.ipify.org
IP:	172.67.74.152
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Check if machine is in data center or colocation facility	Malware Analysis System Evasion	Security Software Discovery
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

89.249.49.141

nl9.nlkoddos.com

Russian Federation

Details

IP:	89.249.49.141
TargetID:	3
Current Path:	C:\Users\user\Desktop\DHL_VTER000105453.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	41310
ASN name:	IPCTRU
Private:	false
Domain:	nl9.nlkoddos.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

208.95.112.1

ip-api.com

United States

172.67.74.152

api.ipify.org

United States

Details

IP:	172.67.74.152
TargetID:	3
Current Path:	C:\Users\user\Desktop\DHL_VTER000105453.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_VTER000105453_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_VTER000105453_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_VTER000105453_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_VTER000105453_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_VTER000105453_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_VTER000105453_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_VTER000105453_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_VTER000105453_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_VTER000105453_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_VTER000105453_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_VTER000105453_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_VTER000105453_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_VTER000105453_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DHL_VTER000105453_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2C1E000

trusted library allocation

page read and write

2BF5000

trusted library allocation

page read and write

252A000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

366E000

trusted library allocation

page read and write

4F70000

trusted library section

page read and write

2C16000

trusted library allocation

page read and write

2491000

trusted library allocation

page read and write

2292000

trusted library allocation

page read and write

C40000

heap

page read and write

6A4E000

stack

page read and write

2B91000

trusted library allocation

page read and write

2BCF000

trusted library allocation

page read and write

C30000

heap

page read and write

E08000

heap

page read and write

6EE41000

unkown

page execute read

1032000

trusted library allocation

page read and write

22A2000

trusted library allocation

page read and write

4FDB000

trusted library allocation

page read and write

3B91000

trusted library allocation

page read and write

5EAE000

stack

page read and write

22F0000

heap

page execute and read and write

5010000

trusted library allocation

page read and write

3491000

trusted library allocation

page read and write

4A60000

trusted library allocation

page execute and read and write

1020000

trusted library allocation

page read and write

103B000

trusted library allocation

page execute and read and write

7160000

heap

page read and write

4F45000

heap

page read and write

117E000

stack

page read and write

618000

heap

page read and write

1010000

trusted library allocation

page read and write

4BD0000

heap

page execute and read and write

66F0000

heap

page read and write

6A60000

trusted library allocation

page execute and read and write

4A52000

trusted library allocation

page read and write

2B70000

trusted library allocation

page read and write

553F000

stack

page read and write

2C10000

trusted library allocation

page read and write

626E000

stack

page read and write

2968000

trusted library allocation

page read and write

152000

unkown

page readonly

4F30000

trusted library section

page read and write

6EE40000

unkown

page readonly

ACF000

stack

page read and write

E77000

heap

page read and write

68A0000

trusted library allocation

page read and write

6333000

heap

page read and write

233E000

stack

page read and write

1070000

heap

page read and write

6AA0000

heap

page read and write

3535000

trusted library allocation

page read and write

66FE000

stack

page read and write

228D000

trusted library allocation

page execute and read and write

5600000

heap

page read and write

6270000

heap

page read and write

E96000

heap

page read and write

229A000

trusted library allocation

page execute and read and write

C60000

heap

page read and write

44CE000

stack

page read and write

2A00000

trusted library allocation

page read and write

1077000

heap

page read and write

E00000

heap

page read and write

2A10000

heap

page read and write

499D000

trusted library allocation

page read and write

6EE5F000

unkown

page readonly

3BF8000

trusted library allocation

page read and write

62BA000

heap

page read and write

557E000

stack

page read and write

4E4D000

stack

page read and write

6EE5D000

unkown

page read and write

2BDD000

trusted library allocation

page read and write

2BD9000

trusted library allocation

page read and write

4C8E000

stack

page read and write

2290000

trusted library allocation

page read and write

1030000

trusted library allocation

page read and write

662F000

stack

page read and write

49A2000

trusted library allocation

page read and write

9C9000

stack

page read and write

67FD000

stack

page read and write

2C14000

trusted library allocation

page read and write

5EED000

stack

page read and write

97FF000

stack

page read and write

C50000

heap

page read and write

44D8000

trusted library allocation

page read and write

2280000

trusted library allocation

page read and write

4BC0000

trusted library allocation

page execute and read and write

49E0000

trusted library allocation

page read and write

6907000

heap

page read and write

5030000

heap

page read and write

66FE000

heap

page read and write

55F0000

heap

page read and write

5FEE000

stack

page read and write

1035000

trusted library allocation

page execute and read and write

6EE5D000

unkown

page read and write

D7E000

stack

page read and write

4A70000

trusted library allocation

page read and write

56BE000

stack

page read and write

651000

heap

page read and write

22A7000

trusted library allocation

page execute and read and write

52B0000

heap

page execute and read and write

F3E000

unkown

page read and write

4B8C000

stack

page read and write

5002000

trusted library allocation

page read and write

6C0000

heap

page read and write

2C2E000

trusted library allocation

page read and write

2C28000

trusted library allocation

page read and write

8B0000

trusted library allocation

page read and write

22AB000

trusted library allocation

page execute and read and write

707000

heap

page read and write

4F50000

trusted library allocation

page read and write

602D000

stack

page read and write

8C0000

heap

page read and write

95FE000

stack

page read and write

612F000

stack

page read and write

4996000

trusted library allocation

page read and write

49C0000

trusted library allocation

page read and write

64E0000

trusted library allocation

page read and write

1050000

trusted library allocation

page read and write

689D000

trusted library allocation

page read and write

4FD0000

trusted library allocation

page read and write

543E000

stack

page read and write

49B0000

trusted library allocation

page read and write

7FD00000

trusted library allocation

page execute and read and write

1026000

trusted library allocation

page execute and read and write

2480000

heap

page read and write

6D7C000

stack

page read and write

2273000

trusted library allocation

page execute and read and write

69F0000

trusted library allocation

page read and write

2BC5000

trusted library allocation

page read and write

8CA000

stack

page read and write

3BB9000

trusted library allocation

page read and write

22E0000

trusted library allocation

page read and write

630C000

heap

page read and write

96FE000

stack

page read and write

70AD000

stack

page read and write

6AD0000

trusted library allocation

page execute and read and write

44D0000

trusted library allocation

page read and write

4A50000

trusted library allocation

page read and write

877000

heap

page read and write

66BE000

stack

page read and write

2C12000

trusted library allocation

page read and write

2283000

trusted library allocation

page read and write

243E000

stack

page read and write

6D2000

heap

page read and write

48A000

stack

page read and write

1037000

trusted library allocation

page execute and read and write

247C000

stack

page read and write

63AE000

stack

page read and write

1022000

trusted library allocation

page read and write

E35000

heap

page read and write

68B0000

trusted library allocation

page read and write

43E000

remote allocation

page execute and read and write

86E000

stack

page read and write

4D40000

heap

page read and write

2C38000

trusted library allocation

page read and write

683C000

stack

page read and write

E33000

heap

page read and write

94FF000

stack

page read and write

6911000

heap

page read and write

4BA0000

heap

page read and write

5144000

heap

page read and write

610000

heap

page read and write

8080000

heap

page read and write

4FFD000

trusted library allocation

page read and write

600000

heap

page read and write

4F80000

trusted library allocation

page read and write

22C0000

trusted library allocation

page read and write

6A7B000

stack

page read and write

E29000

heap

page read and write

4970000

trusted library allocation

page read and write

49D0000

trusted library allocation

page read and write

2B1F000

stack

page read and write

34E7000

trusted library allocation

page read and write

4BB0000

heap

page read and write

452D000

stack

page read and write

498E000

trusted library allocation

page read and write

2B80000

heap

page execute and read and write

49D5000

trusted library allocation

page read and write

ECC000

heap

page read and write

9CE000

stack

page read and write

567F000

stack

page read and write

56C0000

trusted library allocation

page read and write

6880000

trusted library allocation

page read and write

4F60000

trusted library allocation

page execute and read and write

6FA0000

heap

page read and write

6F6D000

stack

page read and write

22D0000

trusted library allocation

page execute and read and write

4974000

trusted library allocation

page read and write

652E000

stack

page read and write

100D000

trusted library allocation

page execute and read and write

102A000

trusted library allocation

page execute and read and write

EA8000

heap

page read and write

68EE000

stack

page read and write

101D000

trusted library allocation

page execute and read and write

68F0000

heap

page read and write

6900000

heap

page read and write

5E0000

heap

page read and write

53FC000

stack

page read and write

2B60000

trusted library allocation

page read and write

3583000

trusted library allocation

page read and write

4B90000

trusted library section

page readonly

227D000

trusted library allocation

page execute and read and write

653000

heap

page read and write

1003000

trusted library allocation

page execute and read and write

6A80000

trusted library allocation

page read and write

61E000

heap

page read and write

FFB000

stack

page read and write

C47000

heap

page read and write

716A000

heap

page read and write

4FDE000

trusted library allocation

page read and write

462C000

stack

page read and write

4A83000

heap

page read and write

52FC000

stack

page read and write

400000

remote allocation

page execute and read and write

5140000

heap

page read and write

DF0000

trusted library allocation

page read and write

1004000

trusted library allocation

page read and write

587000

stack

page read and write

688000

heap

page read and write

2C36000

trusted library allocation

page read and write

870000

heap

page read and write

150000

unkown

page readonly

FBE000

stack

page read and write

82D000

stack

page read and write

4FEE000

trusted library allocation

page read and write

F7E000

unkown

page read and write

6EE56000

unkown

page readonly

2BE1000

trusted library allocation

page read and write

1000000

trusted library allocation

page read and write

4ED0000

trusted library allocation

page read and write

4A40000

heap

page read and write

4A80000

heap

page read and write

637000

heap

page read and write

933E000

stack

page read and write

6280000

heap

page read and write

2270000

trusted library allocation

page read and write

6A00000

trusted library allocation

page read and write

6C7F000

stack

page read and write

92FE000

stack

page read and write

8070000

heap

page read and write

7F9F000

stack

page read and write

2B5C000

stack

page read and write

64D0000

heap

page read and write

4FE2000

trusted library allocation

page read and write

5DAF000

stack

page read and write

6890000

trusted library allocation

page read and write

64AD000

stack

page read and write

7D26000

trusted library allocation

page read and write

645000

heap

page read and write

62F000

heap

page read and write

2274000

trusted library allocation

page read and write

667D000

stack

page read and write

295E000

stack

page read and write

4FF6000

trusted library allocation

page read and write

69C0000

trusted library allocation

page execute and read and write

6A90000

trusted library allocation

page read and write

44E0000

trusted library allocation

page execute and read and write

4F2E000

stack

page read and write

22A0000

trusted library allocation

page read and write

4A00000

trusted library allocation

page read and write

4F40000

heap

page read and write

68A5000

trusted library allocation

page read and write

6C90000

trusted library section

page read and write

4991000

trusted library allocation

page read and write

4FF1000

trusted library allocation

page read and write

7170000

trusted library allocation

page read and write

7E0000

heap

page read and write

2B74000

trusted library allocation

page read and write

3499000

trusted library allocation

page read and write

616D000

stack

page read and write

2296000

trusted library allocation

page execute and read and write

497B000

trusted library allocation

page read and write

1060000

trusted library allocation

page execute and read and write

DBE000

stack

page read and write

C65000

heap

page read and write

56E0000

trusted library allocation

page read and write

69E0000

trusted library allocation

page execute and read and write

There are 268 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
DHL_VTER000105453.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportDHL_VTER000105453.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
DHL_VTER000105453.exe