Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2492
Target ID:	2
Parent PID:	584
Name:	EQNEDT32.EXE
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Size:	543304
MD5:	A87236E214F6D42A65F5DEDAC816AEC8
Time:	13:17:04
Date:	13/01/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	581632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary
Sigma detected: EQNEDT32.EXE connecting to internet	System Summary
Sigma detected: File Dropped By EQNEDT32EXE	System Summary
Sigma detected: Executables Started in Suspicious Folder	System Summary
Sigma detected: Execution in Non-Executable Folder	System Summary
Sigma detected: Suspicious Program Location Process Starts	System Summary
Office Equation Editor has been started	Exploits
Spawns processes	System Summary	Process Injection

C:\Users\Public\vbc.exe

'C:\Users\Public\vbc.exe'

Details

Is windows:	false
Is dropped:	true
PID:	1616
Target ID:	4
Parent PID:	2492
Name:	vbc.exe
Path:	C:\Users\Public\vbc.exe
Commandline:	'C:\Users\Public\vbc.exe'
Size:	843776
MD5:	B232B5C7754D932B07C0D47F934EFBFE
Time:	13:17:08
Date:	13/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1030000
Modulesize:	868352
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary
Yara detected AgentTesla	Stealing of Sensitive InformationRemote Access Functionality
Yara detected AntiVM_3	Malware Analysis System Evasion
Drops PE files to the user root directory	Boot Survival	Masquerading
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Office equation editor drops PE file	System Summary
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits	Exploitation for Client Execution
Sigma detected: Executables Started in Suspicious Folder	System Summary
Sigma detected: Execution in Non-Executable Folder	System Summary
Sigma detected: Suspicious Program Location Process Starts	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Yara detected Credential Stealer	Stealing of Sensitive Information
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Spawns processes	System Summary	Process Injection

C:\Users\Public\vbc.exe

Details

Is windows:	false
Is dropped:	true
PID:	552
Target ID:	5
Parent PID:	1616
Name:	vbc.exe
Path:	C:\Users\Public\vbc.exe
Commandline:	C:\Users\Public\vbc.exe
Size:	843776
MD5:	B232B5C7754D932B07C0D47F934EFBFE
Time:	13:17:15
Date:	13/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1030000
Modulesize:	868352
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary
Yara detected AgentTesla	Stealing of Sensitive InformationRemote Access Functionality
Yara detected AntiVM_3	Malware Analysis System Evasion
Drops PE files to the user root directory	Boot Survival	Masquerading
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Office equation editor drops PE file	System Summary
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits	Exploitation for Client Execution
Sigma detected: Executables Started in Suspicious Folder	System Summary
Sigma detected: Execution in Non-Executable Folder	System Summary
Sigma detected: Suspicious Program Location Process Starts	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Yara detected Credential Stealer	Stealing of Sensitive Information
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Spawns processes	System Summary	Process Injection

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	1296
Target ID:	0
Parent PID:	584
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Size:	27641504
MD5:	5FB0A0F93382ECD19F5F499A5CAA59F0
Time:	13:16:43
Date:	13/01/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13fe00000
Modulesize:	27758592
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://globuserinessserverfiletransferprotocol.mangospot.net/csrss/vbc.exe

192.210.214.178

https://jUxNbkiTmoSYxyvoDh.net

http://127.0.0.1:HTTP/1.1

unknown

http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0

unknown

http://www.a-cert.at0E

unknown

http://www.e-me.lv/repository0

unknown

http://www.acabogacia.org/doc0

unknown

http://crl.chambersign.org/chambersroot.crl0

unknown

http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0

unknown

http://www.certifikat.dk/repository0

unknown

http://www.chambersign.org1

unknown

http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0

unknown

http://www.diginotar.nl/cps/pkioverheid0

unknown

http://www.pkioverheid.nl/policies/root-policy0

unknown

http://crl.ssc.lt/root-c/cacrl.crl0

unknown

https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0

unknown

http://ca.disig.sk/ca/crl/ca_disig.crl0

unknown

http://www.certplus.com/CRL/class3P.crl0

unknown

http://repository.infonotary.com/cps/qcps.html0$

unknown

http://www.post.trust.ie/reposit/cps.html0

unknown

http://www.certplus.com/CRL/class2.crl0

unknown

http://www.disig.sk/ca/crl/ca_disig.crl0

unknown

http://ocsp.infonotary.com/responder.cgi0V

unknown

http://www.sk.ee/cps/0

unknown

https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E

unknown

https://api.ipify.org%

unknown

https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

unknown

http://servername/isapibackend.dll

unknown

http://www.ssc.lt/cps03

unknown

http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#

unknown

http://crl.oces.certifikat.dk/oces.crl0

unknown

https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

unknown

http://www.certicamara.com/dpc/0Z

unknown

http://crl.pki.wellsfargo.com/wsprca.crl0

unknown

http://www.dnie.es/dpc0

unknown

http://www.rootca.or.kr/rca/cps.html0

unknown

http://www.trustcenter.de/guidelines0

unknown

http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0

unknown

http://certificates.starfieldtech.com/repository/1604

unknown

http://smtp.privateemail.com

unknown

http://www.entrust.net/CRL/Client1.crl0

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.

unknown

http://www.disig.sk/ca0f

unknown

http://www.sk.ee/juur/crl/0

unknown

http://crl.chambersign.org/chambersignroot.crl0

unknown

http://crl.xrampsecurity.com/XGCA.crl0

unknown

http://www.quovadis.bm0

unknown

http://crl.ssc.lt/root-a/cacrl.crl0

unknown

http://www.firmaprofesional.com0

unknown

https://www.netlock.net/docs

unknown

http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl

unknown

http://crl.entrust.net/2048ca.crl0

unknown

http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0

unknown

http://cps.chambersign.org/cps/publicnotaryroot.html0

unknown

http://www.e-trust.be/CPS/QNcerts

unknown

http://www.certicamara.com/certicamaraca.crl0

unknown

http://fedir.comsign.co.il/crl/ComSignCA.crl0

unknown

http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0

unknown

http://ocsp.sectigo.com0

unknown

http://ocsp.entrust.net03

unknown

http://cps.chambersign.org/cps/chambersroot.html0

unknown

http://www.acabogacia.org0

unknown

http://MLrjrg.com

unknown

https://ca.sia.it/seccli/repository/CPS0

unknown

http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0

unknown

http://crl.securetrust.com/STCA.crl0

unknown

http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0

unknown

http://www.certicamara.com/certicamaraca.crl0;

unknown

http://www.e-szigno.hu/RootCA.crt0

unknown

http://www.quovadisglobal.com/cps0

unknown

http://www.valicert.com/1

unknown

http://www.e-szigno.hu/SZSZ/0

unknown

https://api.ipify.org%GETMozilla/5.0

unknown

http://www.%s.comPA

unknown

http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0

unknown

https://ocsp.quovadisoffshore.com0

unknown

http://ocsp.entrust.net0D

unknown

http://cps.chambersign.org/cps/chambersignroot.html0

unknown

http://DynDns.comDynDNS

unknown

https://sectigo.com/CPS0

unknown

http://crl.entrust.net/server1.crl0

unknown

http://www.ancert.com/cps0

unknown

http://ca.sia.it/seccli/repository/CRL.der0J

unknown

https://rca.e-szigno.hu/ocsp0-

unknown

https://www.netlock.hu/docs/

unknown

http://www.a-cert.at/certificate-policy.html0;

unknown

http://www.crc.bg0

unknown

http://crl.chambersign.org/publicnotaryroot.crl0

unknown

http://crl.pkioverheid.nl/DomOvLatestCRL.crl0

unknown

http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0

unknown

http://www.a-cert.at/certificate-policy.html0

unknown

https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0

unknown

http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0

unknown

http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01

unknown

http://www.wellsfargo.com/certpolicy0

unknown

https://secure.comodo.com/CPS0

unknown

http://www.comsign.co.il/cps0

unknown

There are 87 hidden URLs, click here to show them.

Domains

Name

Malicious

globuserinessserverfiletransferprotocol.mangospot.net

192.210.214.178

Details

Name:	globuserinessserverfiletransferprotocol.mangospot.net
IP:	192.210.214.178
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	System Summary
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

smtp.privateemail.com

199.193.7.228

Details

Name:	smtp.privateemail.com
IP:	199.193.7.228
TargetID:	5
Current Path:	C:\Users\Public\vbc.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Urls found in memory or binary data	Networking

IPs

Domain

Country

Active

Malicious

192.210.214.178

unknown

United States

unknown

Details

IP:	192.210.214.178
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Country:	United States
Countrycode:	USA
ASN number:	36352
ASN name:	AS-COLOCROSSINGUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	System Summary
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution

199.193.7.228

unknown

United States

unknown

Details

IP:	199.193.7.228
TargetID:	5
Current Path:	C:\Users\Public\vbc.exe
Country:	United States
Countrycode:	USA
ASN number:	22612
ASN name:	NAMECHEAP-NETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses SMTP (mail sending)	Networking	Application Layer Protocol

Registry

Path

Value

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

3o7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

MTTT

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ReviewToken

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EEB49

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

VBAFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DefaultSheetR2L

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

UseSystemSeparators

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ThousandsSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DecimalSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

#v7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F3469

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F46B1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 21

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

LastPurgeTime

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EXCELFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F3469

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

EquationEditorFilesIntl_1033

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

SavedLegacySettings

C:\Users\Public\vbc.exe

Blob

C:\Users\Public\vbc.exe

Blob

C:\Users\Public\vbc.exe

Blob

C:\Users\Public\vbc.exe

Blob

C:\Users\Public\vbc.exe

Blob

C:\Users\Public\vbc.exe

Blob

There are 56 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2511000

unkown

page read and write

402000

unkown

page execute and read and write

2511000

unkown

page read and write

259A000

unkown

page read and write

3519000

unkown

page read and write

17A000

unkown

page read and write

3879000

unkown

page read and write

340000

unkown

page read and write

3881000

unkown

page read and write

340000

unkown

page read and write

C50000

unkown

page read and write

880000

unkown

page read and write

9C4000

unkown

page read and write

6A20000

unkown

page read and write

C30000

unkown

page read and write

1100000

unkown image

page readonly

890000

unkown

page read and write

D26000

unkown

page read and write

3888000

unkown

page read and write

4FBD000

unkown

page read and write

E2E000

unkown

page read and write

337000

stack

page read and write

5183000

unkown

page read and write

584000

unkown

page read and write

345000

unkown

page read and write

890000

unkown

page read and write

6A8E000

unkown

page read and write

564E000

unkown

page read and write | page guard

3881000

unkown

page read and write

510000

heap default

page read and write

3880000

unkown

page read and write

585000

unkown

page read and write

440000

unkown

page read and write

580000

unkown

page read and write

3886000

unkown

page read and write

5101000

unkown

page read and write

3894000

unkown

page read and write

63DE000

unkown

page read and write

5158000

unkown

page read and write

C20000

unkown

page read and write

440000

unkown

page read and write

1100000

unkown image

page readonly

49EE000

unkown

page read and write

9B0000

unkown

page read and write

860000

unkown

page readonly

20000

unkown

page read and write

3890000

unkown

page read and write

50E000

unkown

page read and write

585000

unkown

page read and write

297000

unkown

page execute and read and write

345000

unkown

page read and write

3883000

unkown

page read and write

D80000

unkown

page read and write

580000

unkown

page read and write

C40000

unkown

page read and write

583000

unkown

page read and write

3872000

unkown

page read and write

528E000

unkown

page read and write

9A1000

unkown

page read and write

3893000

unkown

page read and write

9A0000

unkown

page read and write

1E0000

unkown

page read and write

4EFF000

unkown

page read and write

590000

unkown

page readonly

5BCC000

unkown

page read and write

3882000

unkown

page read and write

2648000

unkown

page read and write

48DF000

stack

page read and write

340000

unkown

page read and write

750000

unkown

page read and write

880000

unkown

page read and write

345000

unkown

page read and write

580000

unkown

page read and write

3897000

unkown

page read and write

170000

unkown

page read and write

387F000

unkown

page read and write

2A83000

unkown

page read and write

3F0000

unkown

page execute and read and write

3876000

unkown

page read and write

710000

unkown

page readonly

388F000

unkown

page read and write

880000

unkown

page read and write

FDD000

unkown

page read and write

585000

unkown

page read and write

387C000

unkown

page read and write

7FF000

unkown

page read and write

7EFDF000

unkown

page read and write

345000

unkown

page read and write

19B000

unkown

page execute and read and write

880000

unkown

page read and write

DEE000

unkown

page read and write

3C8000

heap private

page read and write

D00000

unkown

page read and write

6E50000

unkown

page readonly

345000

unkown

page read and write

880000

unkown

page read and write

585000

unkown

page read and write

5158000

unkown

page read and write

123000

unkown

page execute and read and write

1032000

unkown image

page execute read

9B0000

unkown

page read and write

348000

unkown

page read and write

582000

unkown

page read and write

230000

unkown

page read and write

387C000

unkown

page read and write

163000

unkown

page execute and read and write

2567000

unkown

page read and write

2609000

unkown

page read and write

880000

unkown

page read and write

2669000

unkown

page read and write

3883000

unkown

page read and write

D50000

heap private

page execute and read and write

860000

unkown

page read and write

210000

unkown

page read and write

580000

unkown

page read and write

4E2E000

unkown

page read and write

890000

unkown

page read and write

6A4B000

unkown

page read and write

388B000

unkown

page read and write

5183000

unkown

page read and write

4F9D000

unkown

page read and write

760000

heap default

page read and write

B6B000

unkown

page read and write

440000

unkown

page read and write

80000

unkown

page readonly

387D000

unkown

page read and write

9A0000

unkown

page read and write

DD0000

unkown

page readonly

345000

unkown

page read and write

589000

unkown

page read and write

197000

unkown

page execute and read and write

9AA000

unkown

page read and write

580000

unkown

page read and write

388D000

unkown

page read and write

D00000

unkown

page read and write

9B0000

unkown

page read and write

50A0000

unkown

page read and write

580000

unkown

page read and write

B60000

unkown

page read and write

590000

heap default

page read and write

5158000

unkown

page read and write

569E000

unkown

page read and write

3882000

unkown

page read and write

340000

unkown

page read and write

3887000

unkown

page read and write

62AE000

unkown

page read and write

890000

unkown

page read and write

580000

unkown

page read and write

6AB4000

unkown

page read and write

580000

unkown

page read and write

729F000

unkown

page read and write

264E000

unkown

page read and write

54B8000

heap private

page read and write

585000

unkown

page read and write

B24000

heap private

page read and write

345000

unkown

page read and write

57FE000

stack

page read and write

345000

unkown

page read and write

3884000

unkown

page read and write

3893000

unkown

page read and write

880000

unkown

page read and write

9B0000

unkown

page read and write

340000

unkown

page read and write

287000

unkown

page read and write

200000

heap private

page read and write

3888000

unkown

page read and write

7AC000

heap default

page read and write

580000

unkown

page read and write

390000

unkown

page read and write

295000

unkown

page execute and read and write

1032000

unkown image

page execute read

857000

heap default

page read and write

C39000

unkown

page read and write

1F0000

unkown

page read and write

3895000

unkown

page read and write

6A1F000

unkown

page read and write

1032000

unkown image

page execute read

340000

unkown

page read and write

3C0000

heap private

page read and write

2546000

unkown

page read and write

54F0000

unkown

page read and write

9A0000

unkown

page read and write

585000

unkown

page read and write

2676000

unkown

page read and write

890000

unkown

page read and write

387A000

unkown

page read and write

760000

heap default

page read and write

292000

unkown

page read and write

F50000

heap private

page read and write

345000

unkown

page read and write

3879000

unkown

page read and write

585000

unkown

page read and write

390000

unkown

page read and write

350000

unkown

page read and write

F50000

unkown

page read and write

110000

unkown

page read and write

3883000

unkown

page read and write

54D6000

heap private

page read and write

164000

unkown

page read and write

345000

unkown

page read and write

675F000

unkown

page read and write

6A96000

unkown

page read and write

7A0000

heap default

page read and write

340000

unkown

page read and write

387D000

unkown

page read and write

871000

unkown

page read and write

A2E000

unkown

page read and write

130000

unkown

page read and write

340000

unkown

page read and write

1030000

unkown image

page readonly

17D000

unkown

page execute and read and write

51EE000

unkown

page read and write | page guard

D10000

unkown

page read and write

4510000

unkown

page readonly

C10000

unkown

page read and write

450000

unkown

page read and write

880000

unkown

page read and write

460000

heap private

page execute and read and write

13D000

unkown

page execute and read and write

4E6E000

unkown

page read and write

18A000

unkown

page execute and read and write

3874000

unkown

page read and write

580000

unkown

page read and write

50CE000

stack

page read and write

9A0000

unkown

page read and write

E80000

unkown

page readonly

3E0000

unkown

page read and write

9C0000

unkown

page read and write

54AE000

unkown

page read and write

345000

unkown

page read and write

3511000

unkown

page read and write

9B0000

unkown

page read and write

739000

heap private

page read and write

880000

unkown

page read and write

440000

unkown

page read and write

124000

unkown

page read and write

610000

unkown

page readonly

3887000

unkown

page read and write

50ED000

unkown

page read and write

880000

unkown

page read and write

9A0000

unkown

page read and write

340000

unkown

page read and write

580000

unkown

page read and write

58D0000

heap private

page read and write

340000

unkown

page read and write

456E000

unkown

page read and write

9A0000

unkown

page read and write

663E000

unkown

page read and write

3874000

unkown

page read and write

340000

unkown

page read and write

9A1000

unkown

page read and write

880000

unkown

page read and write

5169000

unkown

page read and write

580000

unkown

page read and write

3884000

unkown

page read and write

9C0000

unkown

page read and write

1020000

heap private

page read and write

29B000

unkown

page execute and read and write

4592000

heap private

page read and write

2F0000

heap private

page execute and read and write

6F0000

unkown

page read and write

387F000

unkown

page read and write

345000

unkown

page read and write

9C0000

unkown

page read and write

767000

heap default

page read and write

210000

unkown

page read and write

3885000

unkown

page read and write

360000

heap private

page execute and read and write

3876000

unkown

page read and write

9A0000

unkown

page read and write

4B0F000

unkown

page read and write

880000

unkown

page read and write

9D0000

heap private

page read and write

C0000

unkown

page readonly

754000

unkown

page read and write

9A0000

unkown

page read and write

890000

unkown

page read and write

580000

unkown

page read and write

440000

unkown

page read and write

6A53000

unkown

page read and write

186000

unkown

page execute and read and write

6A76000

unkown

page read and write

3872000

unkown

page read and write

3878000

unkown

page read and write

6F0000

unkown

page read and write

580000

unkown

page read and write

345000

unkown

page read and write

4575000

heap private

page read and write

585000

unkown

page read and write

1D0000

unkown

page execute and read and write

52F0000

unkown

page write copy

340000

unkown

page read and write

890000

unkown

page read and write

340000

unkown

page read and write

599F000

stack

page read and write

D5E000

unkown

page read and write | page guard

700000

heap private

page read and write

890000

unkown

page read and write

450000

unkown

page read and write

890000

unkown

page read and write

2D0000

unkown

page execute and read and write

7F2000

heap default

page read and write

9B0000

unkown

page read and write

440000

unkown

page read and write

388C000

unkown

page read and write

390000

unkown

page read and write

E40000

heap private

page read and write

740000

unkown

page execute and read and write

514E000

unkown

page read and write

6F0000

unkown

page read and write

387A000

unkown

page read and write

2650000

unkown

page read and write

387B000

unkown

page read and write

345000

unkown

page read and write

46CE000

unkown

page read and write

580000

unkown

page read and write

50D0000

unkown

page read and write

4570000

heap private

page read and write

585000

unkown

page read and write

340000

unkown

page read and write

890000

unkown

page read and write

D30000

unkown

page read and write

345000

unkown

page read and write

340000

unkown

page read and write

890000

unkown

page read and write

340000

unkown

page read and write

3885000

unkown

page read and write

B20000

heap private

page read and write

340000

unkown

page read and write

3D0000

unkown

page readonly

580000

unkown

page read and write

3875000

unkown

page read and write

3511000

unkown

page read and write

890000

unkown

page execute and read and write

1100000

unkown image

page readonly

FE0000

heap private

page execute and read and write

4E2E000

unkown

page read and write

560000

unkown

page readonly

585000

unkown

page read and write

890000

unkown

page read and write

387E000

unkown

page read and write

51D0000

unkown

page read and write

388E000

unkown

page read and write

6F0000

unkown

page read and write

9D7000

heap private

page read and write

340000

unkown

page read and write

12D000

unkown

page execute and read and write

3B0000

unkown

page readonly

740000

unkown

page read and write

880000

unkown

page read and write

3873000

unkown

page read and write

9C0000

unkown

page read and write

52CE000

unkown

page read and write

880000

unkown

page read and write

495C000

unkown

page read and write

340000

unkown

page read and write

3872000

unkown

page read and write

340000

unkown

page read and write

340000

unkown

page read and write

2E0000

unkown

page read and write

3892000

unkown

page read and write

345000

unkown

page read and write

340000

unkown

page read and write

345000

unkown

page read and write

6A6A000

unkown

page read and write

6AA2000

unkown

page read and write

340000

unkown

page read and write

6D50000

unkown

page read and write

720000

unkown

page read and write

570000

unkown

page read and write

345000

unkown

page read and write

A30000

unkown

page readonly

880000

unkown

page read and write

7EFDF000

unkown

page read and write

20000

unkown

page read and write

885000

unkown

page read and write

387A000

unkown

page read and write

C4E000

unkown

page read and write

450000

unkown

page read and write

580000

unkown

page read and write

4AB0000

unkown

page readonly

340000

unkown

page execute and read and write

340000

unkown

page read and write

767000

heap default

page read and write

6F0000

unkown

page read and write

340000

unkown

page read and write

388A000

unkown

page read and write

880000

unkown

page read and write

99E000

unkown

page read and write | page guard

880000

unkown

page read and write

180000

unkown

page read and write

585000

unkown

page read and write

885000

unkown

page read and write

3877000

unkown

page read and write

9A1000

unkown

page read and write

389A000

unkown

page read and write

6A9A000

unkown

page read and write

345000

unkown

page read and write

893000

unkown

page read and write

3878000

unkown

page read and write

340000

unkown

page read and write

4E90000

unkown

page read and write

345000

unkown

page read and write

7A0000

heap default

page read and write

580000

unkown

page read and write

DCE000

unkown

page read and write

440000

unkown

page read and write

4AAF000

stack

page read and write

387A000

unkown

page read and write

7370000

unkown

page read and write

340000

unkown

page read and write

730000

heap private

page read and write

3896000

unkown

page read and write

B42000

heap private

page read and write

450000

unkown

page read and write

B10000

unkown

page read and write

519D000

unkown

page read and write

3877000

unkown

page read and write

890000

unkown

page read and write

886000

unkown

page read and write

B80000

unkown

page read and write

34B000

unkown

page read and write

3884000

unkown

page read and write

784000

heap default

page read and write

1100000

unkown image

page readonly

267A000

unkown

page read and write

4E50000

heap private

page execute and read and write

9B0000

unkown

page read and write

585000

unkown

page read and write

6F0000

unkown

page readonly

2658000

unkown

page read and write

6D4F000

unkown

page read and write

3899000

unkown

page read and write

720000

unkown

page read and write

890000

unkown

page read and write

6A21000

unkown

page read and write

345000

unkown

page read and write

3898000

unkown

page read and write

D90000

unkown

page read and write

59DD000

unkown

page read and write

3889000

unkown

page read and write

9E0000

unkown

page readonly

6F0000

unkown

page read and write

64A0000

heap private

page read and write

5167000

unkown

page read and write

1EE000

unkown

page read and write

1030000

unkown image

page readonly

580000

unkown

page read and write

345000

unkown

page read and write

689F000

unkown

page read and write

6A6A000

unkown

page read and write

890000

unkown

page read and write

387C000

unkown

page read and write

387E000

unkown

page read and write

580000

unkown

page read and write

514E000

unkown

page read and write

C0C000

unkown

page read and write

B60000

unkown

page readonly

345000

unkown

page read and write

D5F000

unkown

page read and write

1032000

unkown image

page execute read

582E000

unkown

page read and write

350000

unkown

page read and write

1030000

unkown image

page readonly

747C000

unkown

page read and write

589E000

unkown

page read and write

3875000

unkown

page read and write

345000

unkown

page read and write

580000

unkown

page read and write

D40000

unkown

page read and write

882000

unkown

page read and write

9C5000

unkown

page read and write

580000

unkown

page read and write

564F000

unkown

page read and write

340000

unkown

page read and write

340000

unkown

page read and write

890000

unkown

page read and write

580000

unkown

page read and write

89B000

unkown

page read and write

1030000

unkown image

page readonly

340000

unkown

page read and write

740000

unkown

page readonly

580000

unkown

page read and write

54B0000

heap private

page read and write

F0000

unkown

page read and write

580000

unkown

page read and write

585000

unkown

page read and write

18A000

unkown

page execute and read and write

AA000

unkown

page read and write

880000

unkown

page read and write

51EF000

unkown

page read and write

7AD000

heap default

page read and write

1030000

unkown image

page readonly

182000

unkown

page read and write

538E000

unkown

page read and write

5152000

unkown

page read and write

580000

unkown

page execute and read and write

387B000

unkown

page read and write

784000

heap default

page read and write

99F000

unkown

page read and write

D60000

unkown

page read and write

890000

unkown

page read and write

5A8D000

unkown

page read and write

4FA0000

unkown

page read and write

B70000

unkown

page read and write

580000

unkown

page read and write

340000

unkown

page read and write

860000

unkown

page read and write

3887000

unkown

page read and write

580000

unkown

page read and write

1030000

unkown image

page readonly

2C0000

unkown

page read and write

400000

unkown

page execute and read and write

4B10000

unkown

page readonly

3876000

unkown

page read and write

47E000

unkown

page read and write

740000

unkown

page read and write

387E000

unkown

page read and write

890000

unkown

page read and write

3891000

unkown

page read and write

4D90000

unkown

page read and write

3870000

unkown

page read and write

D70000

unkown

page read and write

FE0000

heap private

page read and write

81D000

heap default

page read and write

9C0000

unkown

page read and write

3874000

unkown

page read and write

860000

unkown

page read and write

580000

unkown

page read and write

3A8000

unkown

page read and write

580000

unkown

page read and write

345000

unkown

page read and write

46D0000

unkown

page readonly

210000

unkown

page read and write

582000

unkown

page read and write

9B0000

unkown

page read and write

55C000

unkown

page read and write

57AD000

unkown

page read and write

3871000

unkown

page read and write

D20000

unkown

page read and write

580000

unkown

page read and write

580000

unkown

page read and write

9A0000

unkown

page read and write

3873000

unkown

page read and write

7C4000

heap default

page read and write

585000

unkown

page read and write

7AA000

heap default

page read and write

F4D000

stack

page read and write

D00000

unkown

page read and write

348000

unkown

page read and write

340000

unkown

page read and write

580000

unkown

page read and write

9A0000

unkown

page read and write

704000

heap private

page read and write

D00000

unkown

page read and write

3881000

unkown

page read and write

580000

unkown

page read and write

5183000

unkown

page read and write

38D000

unkown

page read and write

3880000

unkown

page read and write

440000

unkown

page read and write

D4E000

unkown

page read and write

3884000

unkown

page read and write

614E000

unkown

page read and write

388A000

unkown

page read and write

150000

unkown

page read and write

B90000

heap private

page read and write

340000

unkown

page read and write

880000

unkown

page read and write

340000

unkown

page read and write

345000

unkown

page read and write

740000

unkown

page read and write

3886000

unkown

page read and write

5183000

unkown

page read and write

5BD0000

unkown

page readonly

16D000

unkown

page execute and read and write

1110000

unkown

page readonly

722000

heap private

page read and write

4E91000

unkown

page read and write

580000

unkown

page read and write

890000

unkown

page read and write

345000

unkown

page read and write

6F0000

unkown

page read and write

2607000

unkown

page read and write

There are 574 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Domains

IPs

Registry

Memdumps