Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

ndvdikok.vbs

ASCII text, with CRLF line terminators

initial sample

Details

Filetype:	ASCII text, with CRLF line terminators
Entropy:	5.049551124986586
Filename:	ndvdikok.vbs
Filesize:	1629
MD5:	32f61baa669991fb989439babaf493ff
SHA1:	4242d545077e3e643854e3148e00c8283533b9ab
SHA256:	75db6f949461cb03a155dd26c781a3c9e00edb917275f3b4d306b7094ed06a14
SHA512:	d20bf0b9a664caa9e9fe18dcb3899182b8f8bbb0275907bec6e3e888c0d2cd36a17ba24c49a3b92910ee075e6309aef5b8cf9392acf5833d66c0fbdcd3fdc2df
SSDEEP:	24:/seK+C6uS9ciJ+p/Mb2vwtIjAaAs3iQe1sLPbLsH+U/jlhJSf7V7iOtXYOcqVx3:/F1CT5i+xFljAaAZthJuVmOGOcqL3
Preview:	on error resume next..Function GenerateRandomString(ByVal length).. Dim characters, characterCount, randomString, i, position.... characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".. characterCount = Len(characters)..

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection	Create Account Disable or Modify Tools
Java / VBScript file with very long strings (likely obfuscated code)	System Summary
Sample is known by Antivirus	System Summary	Access Token Manipulation Disable or Modify Tools
URLs found in memory or binary data	Networking	Disable or Modify Tools

C:\NwiQ\AutoHotkey.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\NwiQ\AutoHotkey.exe
Category:	dropped
Dump:	AutoHotkey.exe.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Windows\System32\wscript.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.508000668604986
Encrypted:	false
Ssdeep:	24576:bGzl9+a4Ne1nEFI56xU+0IdY2Zv952uetfbFEzP4UFhOt:b+tOWnEFZR0El0JEzQAh
Size:	913920
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Contains functionality to inject threads in other processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Contains functionality to register a low level keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Sample or dropped binary is a compiled AutoHotkey binary	System Summary
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging	Disable or Modify Tools
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read the PEB	Anti Debugging
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to record screenshots	Key, Mouse, Clipboard, Microphone and Screen Capturing	Screen Capture
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found evaded block containing many API calls	Malware Analysis System Evasion	Native API
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection	System Information Discovery
Queries the product ID of Windows	Language, Device and Operating System Detection	System Information Discovery
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)	Malware Analysis System Evasion	System Information Discovery
Contains functionality for error logging	System Summary
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to create a new desktop	Protection of GUI	Create Account
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to modify the execution of threads in other processes
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Information Discovery System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\NwiQ\file.zip

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

Details

File:	C:\NwiQ\file.zip
Category:	dropped
Dump:	file.zip.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Windows\System32\wscript.exe
Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy:	7.994720720467439
Encrypted:	true
Ssdeep:	24576:iDv3cPduvcaRMi59YF7neQfxdIhjRT2Wrp:ij9kBi7kLeQydT2Wrp
Size:	795674
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery

C:\NwiQ\script.ahk

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\NwiQ\script.ahk
Category:	dropped
Dump:	script.ahk.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Windows\System32\wscript.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.2568075754664525
Encrypted:	false
Ssdeep:	6:8kYWQxcpC1ogdG+GbBWcQdSIurioqqu3DHzJsaum8rkwHYF6DtGy1xk5QQNP0Pa8:LQxcpCeY0Ojo1uLdsa7e4YD/ktVsKVnw
Size:	441
Whitelisted:	false
Reputation:	low

C:\NwiQ\test.txt

ASCII text, with very long lines (65536), with no line terminators

dropped

Details

File:	C:\NwiQ\test.txt
Category:	dropped
Dump:	test.txt.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Windows\System32\wscript.exe
Type:	ASCII text, with very long lines (65536), with no line terminators
Entropy:	3.5855231265302026
Encrypted:	false
Ssdeep:	12288:aaxFc9Kd5DbbWr8McQ/Rk4iailK/RjPwr0Xl/rbXjQ108Xk0RPopY+wM2e8dQm9D:T7EUIN9S
Size:	952930
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\fykbmgsz[1]

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\fykbmgsz[1]
Category:	dropped
Dump:	fykbmgsz[1].0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Windows\System32\wscript.exe
Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy:	7.994720720467439
Encrypted:	true
Ssdeep:	24576:iDv3cPduvcaRMi59YF7neQfxdIhjRT2Wrp:ij9kBi7kLeQydT2Wrp
Size:	795674
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Composite Document File V2 Document, Cannot read section info

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Category:	dropped
Dump:	f01b4d95cf55d32a.automaticDestinations-ms.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Windows\System32\wscript.exe
Type:	Composite Document File V2 Document, Cannot read section info
Entropy:	4.1077153913004825
Encrypted:	false
Ssdeep:	48:r8sPtL+1rVW0T1MqughNY1IkAKOSuPlQBSuH3kbTpadR1Im/BRQd2KuXb:BaNJ4ClbYdRyXdY
Size:	6144
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\heeeaAd

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\heeeaAd
Category:	dropped
Dump:	heeeaAd.1.dr
ID:	dr_6
Target ID:	1
Process:	C:\NwiQ\AutoHotkey.exe
Type:	ASCII text, with no line terminators
Entropy:	3.7775182662886326
Encrypted:	false
Ssdeep:	3:UD2kttQO:nkf1
Size:	32
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Windows\System32\wscript.exe

C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ndvdikok.vbs"

Details

Is windows:	true
Is dropped:	false
PID:	6640
Target ID:	0
Parent PID:	2580
Name:	wscript.exe
Class:	wscript
Path:	C:\Windows\System32\wscript.exe
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ndvdikok.vbs"
Size:	170496
MD5:	A47CBE969EA935BDD3AB568BB126BC80
Time:	06:39:53
Date:	17/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff68fd10000
Modulesize:	184320
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Script Initiated Connection to Non-Local Network	System Summary
Sigma detected: WScript or CScript Dropper	System Summary
Sigma detected: Script Initiated Connection	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Executes visual basic scripts	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\NwiQ\AutoHotkey.exe

"C:\NwiQ\Autohotkey.exe" "c:\NwiQ\script.ahk"

Details

Is windows:	false
Is dropped:	true
PID:	6544
Target ID:	1
Parent PID:	6640
Name:	AutoHotkey.exe
Path:	C:\NwiQ\AutoHotkey.exe
Commandline:	"C:\NwiQ\Autohotkey.exe" "c:\NwiQ\script.ahk"
Size:	913920
MD5:	A59A2D3E5DDA7ACA6EC879263AA42FD3
Time:	06:39:56
Date:	17/04/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	false
Is elevated:	false
Modulebase:	0x400000
Modulesize:	950272
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Benign windows process drops PE files	HIPS / PFW / Operating System Protection Evasion	Exploitation for Client Execution
Yara detected DarkGate	Stealing of Sensitive Information, Remote Access Functionality
Yara detected MailPassView	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Dropped file seen in connection with other malware	System Summary
Drops PE files	Persistence and Installation Behavior
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Yara detected Keylogger Generic	Key, Mouse, Clipboard, Microphone and Screen Capturing
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://backupssupport.com/fykbmgsz

205.234.201.153

Details

Name:	http://backupssupport.com/fykbmgsz
IP:	205.234.201.153
TargetID:	0
From Memory:	false
Current Path:	C:\Windows\System32\wscript.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Script Initiated Connection to Non-Local Network	System Summary
Sigma detected: Script Initiated Connection	System Summary
URLs found in memory or binary data	Networking

http://backupssupport.com/fykbmgszj

unknown

Details

Name:	http://backupssupport.com/fykbmgszj
TargetID:	0
From Memory:	true
Current Path:	C:\Windows\System32\wscript.exe
Source:	wscript.exe, 00000000.00000003.1656750950.000001D5A3C95000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1659182934.000001D5A3C9F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1658042445.000001D5A3C9E000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://autohotkey.com

unknown

Details

Name:	https://autohotkey.com
TargetID:	-1
From Memory:	true
Source:	AutoHotkey.exe, AutoHotkey.exe, 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey.exe, 00000001.00000000.1655102872.00000000004AD000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey.exe.0.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://backupssupport.com/fykbmgsz6

unknown

Details

Name:	http://backupssupport.com/fykbmgsz6
TargetID:	0
From Memory:	true
Current Path:	C:\Windows\System32\wscript.exe
Source:	wscript.exe, 00000000.00000003.1655755076.000001D5A3CE7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660138257.000001D5A3D19000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1655827819.000001D5A3D13000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://autohotkey.comCould

unknown

Domains

Name

Malicious

backupssupport.com

205.234.201.153

Details

Name:	backupssupport.com
IP:	205.234.201.153
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Script Initiated Connection to Non-Local Network	System Summary
Sigma detected: Script Initiated Connection	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

205.234.201.153

backupssupport.com

United States

Details

IP:	205.234.201.153
TargetID:	0
Current Path:	C:\Windows\System32\wscript.exe
Country:	United States
Countrycode:	USA
ASN number:	23352
ASN name:	SERVERCENTRALUS
Private:	false
Domain:	backupssupport.com

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Script Initiated Connection to Non-Local Network	System Summary
Sigma detected: Script Initiated Connection	System Summary

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached

{E88DCCE0-B7B3-11D1-A9F0-00AA0060FA31} {000214E6-0000-0000-C000-000000000046} 0xFFFF

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum

Implementing

Memdumps

Base Address

Regiontype

Protect

Malicious

4840000

direct allocation

page execute and read and write

48AA000

direct allocation

page execute and read and write

1D5A667C000

heap

page read and write

1D5A3EC9000

heap

page read and write

1D5A6659000

heap

page read and write

14E000

stack

page read and write

1D5A3D5D000

heap

page read and write

1D5A6672000

heap

page read and write

1D5A666E000

heap

page read and write

4AE1000

heap

page read and write

1D5A6604000

heap

page read and write

1D5A666E000

heap

page read and write

4AD000

unkown

page readonly

1D5A661D000

heap

page read and write

1D5A3D5D000

heap

page read and write

1D5A5B30000

heap

page read and write

1D5A6663000

heap

page read and write

1D5A6668000

heap

page read and write

1D5A3D00000

heap

page read and write

4AB5000

heap

page read and write

1D5A663C000

heap

page read and write

ACB000

heap

page read and write

1D5A667C000

heap

page read and write

1D5A5F11000

heap

page read and write

1D5A65EF000

heap

page read and write

A50000

heap

page read and write

1D5A3D0E000

heap

page read and write

452A8FB000

stack

page read and write

1D5A667C000

heap

page read and write

1D5A663A000

heap

page read and write

1D5A663A000

heap

page read and write

1D5A666E000

heap

page read and write

1D5A666C000

heap

page read and write

2DA4000

direct allocation

page read and write

1D5A5F06000

heap

page read and write

1D5A5B38000

heap

page read and write

1D5A3CFC000

heap

page read and write

1D5A5F21000

heap

page read and write

1D5A5F31000

heap

page read and write

1D5A667C000

heap

page read and write

493D000

heap

page read and write

1D5A5F25000

heap

page read and write

1D5A5ED0000

heap

page read and write

1D5A5EFF000

heap

page read and write

1D5A5B32000

heap

page read and write

1D5A3CE7000

heap

page read and write

1D5A6606000

heap

page read and write

1D5A6654000

heap

page read and write

A94000

heap

page read and write

1D5A6660000

heap

page read and write

1D5A6672000

heap

page read and write

2EA1000

heap

page read and write

1D5A3D40000

heap

page read and write

1D5A5F0B000

heap

page read and write

1D5A65C0000

heap

page read and write

1D5A5F2B000

heap

page read and write

452ABFE000

stack

page read and write

1D5A5F06000

heap

page read and write

1D5A667C000

heap

page read and write

1D5A3CC1000

heap

page read and write

1D5A5F25000

heap

page read and write

4AD000

unkown

page readonly

1D5A3D04000

heap

page read and write

1D5A667C000

heap

page read and write

AC3000

heap

page read and write

1D5A5F0A000

heap

page read and write

1D5A5F33000

heap

page read and write

AA8000

heap

page read and write

1D5A3D5D000

heap

page read and write

1D5A6663000

heap

page read and write

1D5A6650000

heap

page read and write

1D5A6672000

heap

page read and write

1D5A5B49000

heap

page read and write

1D5A5F25000

heap

page read and write

1D5A3D01000

heap

page read and write

4908000

heap

page read and write

4529F94000

stack

page read and write

1D5A3CE7000

heap

page read and write

4AF9000

heap

page read and write

1D5A5EE3000

heap

page read and write

1D5A5780000

heap

page read and write

8BE000

stack

page read and write

1D5A3CE7000

heap

page read and write

1D5A6654000

heap

page read and write

1D5A5F20000

heap

page read and write

452A5FE000

stack

page read and write

1D5A5F25000

heap

page read and write

4C0000

unkown

page readonly

1D5A5F10000

heap

page read and write

1D5A667C000

heap

page read and write

1D5A5F17000

heap

page read and write

1D5A6672000

heap

page read and write

1D5A3C8A000

heap

page read and write

1D5A5F06000

heap

page read and write

1D5A5F0A000

heap

page read and write

1D5A666B000

heap

page read and write

190000

heap

page read and write

AE8000

heap

page read and write

1D5A5F33000

heap

page read and write

1D5A5D00000

heap

page read and write

1D5A6632000

heap

page read and write

ACF000

heap

page read and write

4846000

heap

page read and write

1D5A661B000

heap

page read and write

1D5A65F0000

heap

page read and write

1D5A5F1F000

heap

page read and write

1D5A6632000

heap

page read and write

1D5A5F20000

heap

page read and write

1B7000

heap

page read and write

1D5A667C000

heap

page read and write

1D5A5F06000

heap

page read and write

1D5A5F21000

heap

page read and write

1D5A3C40000

heap

page read and write

1D5A667C000

heap

page read and write

1D5A6663000

heap

page read and write

1D5A3C90000

heap

page read and write

1D5A3D4B000

heap

page read and write

1D5A3C95000

heap

page read and write

1D5A3CE7000

heap

page read and write

4843000

heap

page read and write

1D5A5FDE000

heap

page read and write

100000

heap

page read and write

1D5A66B2000

heap

page read and write

1D5A57B5000

heap

page read and write

1D5A65CB000

heap

page read and write

400000

unkown

page readonly

AB7000

heap

page read and write

1D5A3C10000

heap

page read and write

1D5A5F36000

heap

page read and write

1D5A5F20000

heap

page read and write

4D4000

unkown

page read and write

1D5A5F3B000

heap

page read and write

1D5A60B0000

heap

page read and write

1D5A3D0F000

heap

page read and write

1D5A3CBF000

heap

page read and write

4C0000

unkown

page readonly

1D5A5F20000

heap

page read and write

1D5A666E000

heap

page read and write

1D5A665E000

heap

page read and write

1D5A660A000

heap

page read and write

1B0000

heap

page read and write

1D5A6672000

heap

page read and write

1D5A6672000

heap

page read and write

1D5A5F15000

heap

page read and write

1D5A5FDE000

heap

page read and write

1D5A3C8F000

heap

page read and write

18E000

stack

page read and write

1D5A5F20000

heap

page read and write

1D5A3D5D000

heap

page read and write

F9E000

stack

page read and write

1D5A5F13000

heap

page read and write

1D5A5EF2000

heap

page read and write

1D5A3D40000

heap

page read and write

1D5A5F17000

heap

page read and write

1D5A6632000

heap

page read and write

400000

unkown

page readonly

452A9FE000

stack

page read and write

1D5A5F20000

heap

page read and write

139F000

stack

page read and write

1D5A664F000

heap

page read and write

1D5A5F12000

heap

page read and write

1D5A5EF5000

heap

page read and write

1D5A666C000

heap

page read and write

1D5A5F20000

heap

page read and write

1D5A666E000

heap

page read and write

1D5A3C9F000

heap

page read and write

AC8000

heap

page read and write

1D5A5F21000

heap

page read and write

1D5A5F17000

heap

page read and write

2D90000

heap

page read and write

1D5A667C000

heap

page read and write

1D5A64C0000

heap

page read and write

1D5A5B4B000

heap

page read and write

1D5A6653000

heap

page read and write

1D5A665E000

heap

page read and write

1D5A667C000

heap

page read and write

452A6FF000

stack

page read and write

401000

unkown

page execute read

1D5A666E000

heap

page read and write

452AEFF000

stack

page read and write

1D5A65ED000

heap

page read and write

1D5A6668000

heap

page read and write

1D5A667C000

heap

page read and write

1D5A666C000

heap

page read and write

1D5A666E000

heap

page read and write

9A000

stack

page read and write

1D5A3CB1000

heap

page read and write

1D5A5F16000

heap

page read and write

1D5A3ECA000

heap

page read and write

1D5A6672000

heap

page read and write

1D5A6659000

heap

page read and write

1D5A5F17000

heap

page read and write

1D5A3D40000

heap

page read and write

8CF000

stack

page read and write

4AC3000

heap

page read and write

1D5A3C60000

heap

page read and write

1D5A667C000

heap

page read and write

1D5A666E000

heap

page read and write

1B5000

heap

page read and write

1D5A667C000

heap

page read and write

ACB000

heap

page read and write

1D5A5FDE000

heap

page read and write

2EA0000

heap

page read and write

4DE000

unkown

page readonly

8C5000

stack

page read and write

1D5A6672000

heap

page read and write

1D5A65C1000

heap

page read and write

1D5A3EC5000

heap

page read and write

452ACFB000

stack

page read and write

4D4000

unkown

page write copy

9C0000

heap

page read and write

1D5A6653000

heap

page read and write

1D5A5EE0000

heap

page read and write

4937000

heap

page read and write

1D5A5FDE000

heap

page read and write

1D5A6604000

heap

page read and write

1D5A3C90000

heap

page read and write

1D5A5F15000

heap

page read and write

1D5A57B0000

heap

page read and write

1D5A6654000

heap

page read and write

1D5A65C9000

heap

page read and write

1D5A6632000

heap

page read and write

8EC000

stack

page read and write

452AAFF000

stack

page read and write

1D5A3CAD000

heap

page read and write

1D5A6661000

heap

page read and write

1D5A5EC0000

heap

page read and write

1D5A5F25000

heap

page read and write

1D5A665F000

heap

page read and write

1D5A3C96000

heap

page read and write

1D5A661D000

heap

page read and write

1D5A5F21000

heap

page read and write

AA0000

heap

page read and write

1D5A5FDE000

heap

page read and write

1D5A5F25000

heap

page read and write

1D5A3CC1000

heap

page read and write

1D5A5F1F000

heap

page read and write

1D5A3CBF000

heap

page read and write

1D5A5F35000

heap

page read and write

1D5A5F36000

heap

page read and write

1D5A6672000

heap

page read and write

4918000

heap

page read and write

1D5A3C8B000

heap

page read and write

1D5A663C000

heap

page read and write

1D5A666E000

heap

page read and write

1D5A5F21000

heap

page read and write

1D5A6672000

heap

page read and write

1D5A3EC0000

heap

page read and write

8DF000

stack

page read and write

1D5A5F20000

heap

page read and write

1D5A661D000

heap

page read and write

1D5A3C20000

heap

page read and write

1D5A666E000

heap

page read and write

1D5A6661000

heap

page read and write

1D5A5F05000

heap

page read and write

1D5A3D19000

heap

page read and write

452A2FE000

stack

page read and write

1D5A3CAE000

heap

page read and write

1D5A5D20000

heap

page read and write

1D5A662E000

heap

page read and write

1D5A6672000

heap

page read and write

1D5A6659000

heap

page read and write

1D5A6672000

heap

page read and write

1490000

heap

page read and write

8DB000

stack

page read and write

1D5A65C1000

heap

page read and write

1D5A3D4D000

heap

page read and write

AD0000

heap

page read and write

1D5A5F29000

heap

page read and write

1D5A5F25000

heap

page read and write

4910000

heap

page read and write

1D5A5B32000

heap

page read and write

1D5A665B000

heap

page read and write

1D5A6672000

heap

page read and write

1D5A5F25000

heap

page read and write

1D5A6672000

heap

page read and write

1D5A6659000

heap

page read and write

1D5A5FDE000

heap

page read and write

2DA0000

direct allocation

page read and write

1D5A662F000

heap

page read and write

1D5A5F2B000

heap

page read and write

1D5A5F31000

heap

page read and write

1D5A3CAF000

heap

page read and write

8B3000

stack

page read and write

1D5A65C2000

heap

page read and write

1D5A5FDE000

heap

page read and write

401000

unkown

page execute read

1D5A665B000

heap

page read and write

A90000

heap

page read and write

1D5A6604000

heap

page read and write

1D5A5F36000

heap

page read and write

1D5A3D13000

heap

page read and write

1D5A667C000

heap

page read and write

2D40000

trusted library allocation

page read and write

1D5A6656000

heap

page read and write

1D5A60C0000

trusted library allocation

page read and write

1D5A6665000

heap

page read and write

452A3FE000

stack

page read and write

1D5A6672000

heap

page read and write

1D5A5F06000

heap

page read and write

1D5A5F31000

heap

page read and write

1D5A57E0000

heap

page read and write

1D5A5F06000

heap

page read and write

1D5A6653000

heap

page read and write

2C51000

heap

page read and write

452A7FF000

stack

page read and write

4DE000

unkown

page readonly

1D5A3C9E000

heap

page read and write

1D5A5FDE000

heap

page read and write

2C40000

heap

page read and write

4AD1000

heap

page read and write

1D5A666E000

heap

page read and write

1D5A663C000

heap

page read and write

There are 303 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
ndvdikok.vbs

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportndvdikok.vbs

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
ndvdikok.vbs