Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	1252
Target ID:	0
Parent PID:	584
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Size:	27641504
MD5:	5FB0A0F93382ECD19F5F499A5CAA59F0
Time:	21:24:39
Date:	26/01/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f0e0000
Modulesize:	27758592
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Spawns processes	System Summary,	Process Injection

C:\Windows\System32\rundll32.exe

'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	2392
Target ID:	3
Parent PID:	1252
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer
Size:	45568
MD5:	DD81D91FF3B0763C392422865C9AC12E
Time:	21:24:44
Date:	26/01/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xff2b0000
Modulesize:	61440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities,	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Runs a DLL by calling functions	System Summary,	Rundll32
Spawns processes	System Summary,	Process Injection

C:\Windows\SysWOW64\rundll32.exe

'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	2332
Target ID:	4
Parent PID:	2392
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer
Size:	44544
MD5:	51138BEEA3E2C21EC44D0932C71762A8
Time:	21:24:44
Date:	26/01/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xd10000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities,	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Runs a DLL by calling functions	System Summary,	Rundll32
Spawns processes	System Summary,	Process Injection

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

Details

Is windows:	true
Is dropped:	false
PID:	1616
Target ID:	5
Parent PID:	2332
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\msiexec.exe
Commandline:	msiexec.exe
Size:	73216
MD5:	4315D6ECAE85024A0567DF2CB253B7B0
Time:	21:25:12
Date:	26/01/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x4e0000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Spawns processes	System Summary,	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary,

URLs

Name

Malicious

https://rnollg.com/kev/scfrd.dll

unknown

http://wmwifbajxxbcxmucxmlc.com/files/april24.dll)

unknown

http://www.windows.com/pctv.

unknown

http://investor.msn.com

unknown

http://www.msnbc.com/news/ticker.txt

unknown

http://crl.entrust.net/server1.crl0

unknown

http://crl3.digicert

unknown

http://ocsp.entrust.net03

unknown

http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0

unknown

http://www.diginotar.nl/cps/pkioverheid0

unknown

https://homesoapmolds.com/post.phpv

unknown

https://gadgetswolf.com/post.php

unknown

https://govemedico.tk/

unknown

https://homesoapmolds.com/post.php

unknown

http://windowsmedia.com/redir/services.asp?WMPFriendly=true

unknown

http://www.hotmail.com/oe

unknown

http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check

unknown

https://gadgetswolf.com/post.phpx

unknown

http://crl.pkioverheid.nl/DomOvLatestCRL.crl0

unknown

http://www.icra.org/vocabulary/.

unknown

https://gadgetswolf.com/A

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.

unknown

https://gadgetswolf.com/post.phpr

unknown

https://gadgetswolf.com/y

unknown

https://homesoapmolds.com/=

unknown

http://investor.msn.com/

unknown

https://govemedico.tk/O

unknown

http://www.%s.comPA

unknown

http://wmwifbajxxbcxmucxmlc.com/files/april24.dll~

unknown

http://ocsp.entrust.net0D

unknown

https://rnollg.com/kev/scfrd.dll$8

unknown

https://secure.comodo.com/CPS0

unknown

https://homesoapmolds.com/

unknown

http://crl.entrust.net/2048ca.crl0

unknown

https://govemedico.tk/post.php

unknown

Https://homesoapmolds.com/post.phpZ

unknown

There are 26 hidden URLs, click here to show them.

Domains

Name

Malicious

homesoapmolds.com

172.67.198.109

Details

Name:	homesoapmolds.com
IP:	172.67.198.109
TargetID:	5
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking,
Uses secure TLS version for HTTPS connections	Compliance, Networking,

rnollg.com

172.67.150.228

Details

Name:	rnollg.com
IP:	172.67.150.228
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution
Performs DNS lookups	Networking,	Application Layer Protocol Non-Application Layer Protocol
Urls found in memory or binary data	Networking,
Uses secure TLS version for HTTPS connections	Compliance, Networking,

gadgetswolf.com

104.21.44.135

Details

Name:	gadgetswolf.com
IP:	104.21.44.135
TargetID:	5
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking,
Uses secure TLS version for HTTPS connections	Compliance, Networking,

govemedico.tk

172.67.158.184

Details

Name:	govemedico.tk
IP:	172.67.158.184
TargetID:	5
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking,
Uses secure TLS version for HTTPS connections	Compliance, Networking,

IPs

Domain

Country

Active

Malicious

172.67.158.184

unknown

United States

unknown

Details

IP:	172.67.158.184
TargetID:	5
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking,

172.67.150.228

unknown

United States

unknown

Details

IP:	172.67.150.228
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution
Uses secure TLS version for HTTPS connections	Compliance, Networking,

104.21.44.135

unknown

United States

unknown

Details

IP:	104.21.44.135
TargetID:	5
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking,

172.67.198.109

unknown

United States

unknown

Details

IP:	172.67.198.109
TargetID:	5
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking,

Registry

Path

Value

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

k(3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

MTTT

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ReviewToken

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ED7AA

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

VBAFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DefaultSheetR2L

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

UseSystemSeparators

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ThousandsSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DecimalSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EDE3E

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EE15A

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EE1F6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} {000214E6-0000-0000-C000-000000000046} 0xFFFF

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

r63

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\system32\qagentrt.dll,-10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\fveui.dll,-843

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\fveui.dll,-844

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\wuaueng.dll,-400

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F2F3B

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F2F89

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 21

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

LastPurgeTime

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EXCELFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SavedLegacySettings

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F2F3B

C:\Windows\SysWOW64\msiexec.exe

ilyo

C:\Windows\SysWOW64\msiexec.exe

ewuwkope

C:\Windows\SysWOW64\msiexec.exe

ewuwkope

C:\Windows\SysWOW64\msiexec.exe

ewuwkope

C:\Windows\SysWOW64\msiexec.exe

SavedLegacySettings

There are 112 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

1EBF000

unkown

page read and write

20000

unkown

page readonly

1E9D000

unkown

page read and write

3E4000

heap default

page read and write

2490000

heap private

page read and write

A20000

heap private

page read and write

376000

heap private

page read and write

2120000

unkown

page readonly

2990000

unkown

page read and write

468000

heap default

page read and write

874000

heap private

page read and write

248E000

unkown

page read and write

24D0000

unkown

page readonly

1E0000

unkown

page execute and read and write

370000

heap private

page read and write

180000

heap default

page read and write

4C0000

unkown

page read and write

2B6E000

unkown

page read and write

4BF000

heap default

page read and write

2307000

unkown

page readonly

3030000

heap private

page read and write

20000

heap private

page read and write

45D000

heap default

page read and write

1F90000

unkown

page readonly

150000

unkown

page readonly

866000

unkown image

page execute read

1D0000

unkown

page execute and read and write

2DAC000

unkown

page read and write

1BC000

unkown

page read and write

3FF000

heap default

page read and write

2A71000

unkown

page read and write

24000

heap private

page read and write

3C7000

heap default

page read and write

BC000

unkown

page read and write

280000

unkown

page read and write

3C0000

heap default

page read and write

7EFDF000

unkown

page read and write

290000

heap private

page read and write

1BC000

unkown

page read and write

41D000

heap default

page read and write

870000

heap private

page read and write

90000

unkown

page execute and read and write

924000

unkown image

page read and write

840000

unkown image

page readonly

1C0000

unkown

page execute and read and write

841000

unkown image

page execute read

A3E000

unkown

page read and write

46B000

heap default

page read and write

840000

unkown image

page readonly

160000

unkown

page read and write

2AD0000

heap private

page read and write

910000

unkown image

page readonly

500000

unkown

page readonly

2CDE000

unkown

page read and write

2820000

unkown

page read and write

680000

unkown

page readonly

187000

heap default

page read and write

23EF000

unkown

page read and write

990000

heap private

page read and write

20000

unkown

page readonly

2B0000

heap default

page read and write

E0000

unkown

page readonly

4C0000

unkown

page read and write

170000

unkown

page readonly

2950000

heap private

page read and write

160000

unkown

page readonly

120000

unkown

page read and write

1E80000

unkown

page read and write

2499000

heap private

page read and write

418000

heap default

page read and write

1C0000

unkown

page readonly

444000

heap default

page read and write

45D000

heap default

page read and write

7EFDF000

unkown

page read and write

D0000

unkown

page write copy

47D000

unkown

page read and write

1C87000

unkown

page readonly

865000

unkown image

page readonly

294E000

unkown

page read and write

26E000

unkown

page read and write

29FA000

unkown

page read and write

DD000

stack

page read and write

85E000

unkown

page read and write

840000

unkown image

page readonly

24B7000

heap private

page read and write

936000

unkown image

page readonly

170000

unkown

page read and write

380000

unkown

page readonly

1BE000

heap default

page read and write

862000

unkown image

page read and write

47D000

heap default

page read and write

840000

unkown image

page readonly

2901000

unkown

page read and write

4D0000

unkown

page readonly

2BA0000

heap private

page read and write

934000

unkown image

page read and write

2080000

heap private

page read and write

91F000

unkown image

page read and write

170000

heap private

page read and write

2B6000

unkown

page read and write

840000

unkown image

page readonly

1F80000

unkown

page readonly

2D4D000

unkown

page read and write

360000

unkown

page readonly

A80000

unkown

page readonly

A30000

heap private

page read and write

90000

unkown

page read and write

1AA0000

unkown

page readonly

4BD000

unkown

page read and write

427000

heap default

page read and write

11B000

unkown

page read and write

C00000

heap private

page read and write

500000

unkown

page readonly

457000

heap default

page read and write

90E000

unkown

page read and write

860000

unkown image

page readonly

A70000

heap private

page read and write

BB0000

heap private

page read and write

2820000

unkown

page readonly

9EE000

unkown

page read and write

420000

heap default

page read and write

E0000

unkown

page readonly

3FA000

heap default

page read and write

520000

unkown

page readonly

1EC4000

unkown

page read and write

3040000

unkown

page read and write

47D000

unkown

page read and write

892000

heap private

page read and write

280000

heap default

page read and write

4BA000

unkown

page read and write

1EAF000

unkown

page read and write

6A0000

unkown

page readonly

420000

heap default

page read and write

2A7D000

unkown

page read and write

920000

unkown image

page execute and read and write

There are 125 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Domains

IPs

Registry

Memdumps