Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2260
Target ID:	0
Parent PID:	584
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Size:	27641504
MD5:	5FB0A0F93382ECD19F5F499A5CAA59F0
Time:	21:31:40
Date:	26/01/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13fbe0000
Modulesize:	27758592
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Spawns processes	System Summary,	Process Injection

C:\Windows\System32\rundll32.exe

'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	2464
Target ID:	3
Parent PID:	2260
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer
Size:	45568
MD5:	DD81D91FF3B0763C392422865C9AC12E
Time:	21:31:46
Date:	26/01/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xff4d0000
Modulesize:	61440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities,	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Runs a DLL by calling functions	System Summary,	Rundll32
Spawns processes	System Summary,	Process Injection

C:\Windows\SysWOW64\rundll32.exe

'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	2364
Target ID:	4
Parent PID:	2464
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer
Size:	44544
MD5:	51138BEEA3E2C21EC44D0932C71762A8
Time:	21:31:46
Date:	26/01/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x390000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities,	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Runs a DLL by calling functions	System Summary,	Rundll32
Spawns processes	System Summary,	Process Injection

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

Details

Is windows:	true
Is dropped:	false
PID:	2416
Target ID:	5
Parent PID:	2364
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\msiexec.exe
Commandline:	msiexec.exe
Size:	73216
MD5:	4315D6ECAE85024A0567DF2CB253B7B0
Time:	21:32:14
Date:	26/01/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x510000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Spawns processes	System Summary,	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary,

URLs

Name

Malicious

https://rnollg.com/kev/scfrd.dll

unknown

http://wmwifbajxxbcxmucxmlc.com/files/april24.dll)

unknown

http://www.windows.com/pctv.

unknown

http://investor.msn.com

unknown

http://www.msnbc.com/news/ticker.txt

unknown

http://crl.entrust.net/server1.crl0

unknown

https://govemedico.tk/7

unknown

http://crl3.digicert

unknown

http://ocsp.entrust.net03

unknown

https://homesoapmolds.com/post.phpr

unknown

http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0

unknown

https://gadgetswolf.com/

unknown

http://www.diginotar.nl/cps/pkioverheid0

unknown

https://gadgetswolf.com/post.php

unknown

http://crt.comod

unknown

https://govemedico.tk/

unknown

https://homesoapmolds.com/post.php

unknown

http://windowsmedia.com/redir/services.asp?WMPFriendly=true

unknown

http://www.hotmail.com/oe

unknown

http://crl3.digicertP

unknown

http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check

unknown

http://crl.pkioverheid.nl/DomOvLatestCRL.crl0

unknown

http://www.icra.org/vocabulary/.

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.

unknown

http://investor.msn.com/

unknown

http://www.%s.comPA

unknown

https://gadgetswolf.com/post.phpi

unknown

http://wmwifbajxxbcxmucxmlc.com/files/april24.dll~

unknown

http://ocsp.entrust.net0D

unknown

https://rnollg.com/kev/scfrd.dll$8

unknown

https://secure.comodo.com/CPS0

unknown

https://homesoapmolds.com/

unknown

http://crl.entrust.net/2048ca.crl0

unknown

https://gadgetswolf.com/post.php_

unknown

https://govemedico.tk/post.php

unknown

There are 25 hidden URLs, click here to show them.

Domains

Name

Malicious

homesoapmolds.com

104.21.60.169

Details

Name:	homesoapmolds.com
IP:	104.21.60.169
TargetID:	5
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking,
Uses secure TLS version for HTTPS connections	Compliance, Networking,

rnollg.com

172.67.150.228

Details

Name:	rnollg.com
IP:	172.67.150.228
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution
Performs DNS lookups	Networking,	Application Layer Protocol Non-Application Layer Protocol
Urls found in memory or binary data	Networking,
Uses secure TLS version for HTTPS connections	Compliance, Networking,

gadgetswolf.com

172.67.200.147

Details

Name:	gadgetswolf.com
IP:	172.67.200.147
TargetID:	5
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking,
Uses secure TLS version for HTTPS connections	Compliance, Networking,

govemedico.tk

104.21.73.69

Details

Name:	govemedico.tk
IP:	104.21.73.69
TargetID:	5
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking,
Uses secure TLS version for HTTPS connections	Compliance, Networking,

IPs

Domain

Country

Active

Malicious

172.67.150.228

unknown

United States

unknown

Details

IP:	172.67.150.228
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution
Uses secure TLS version for HTTPS connections	Compliance, Networking,

104.21.60.169

unknown

United States

unknown

Details

IP:	104.21.60.169
TargetID:	5
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking,

172.67.200.147

unknown

United States

unknown

Details

IP:	172.67.200.147
TargetID:	5
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking,

104.21.73.69

unknown

United States

unknown

Details

IP:	104.21.73.69
TargetID:	5
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking,

Registry

Path

Value

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

/!7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

MTTT

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ReviewToken

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EDC0D

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

VBAFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DefaultSheetR2L

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

UseSystemSeparators

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ThousandsSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DecimalSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EE36C

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EE734

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EE7D0

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} {000214E6-0000-0000-C000-000000000046} 0xFFFF

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

<07

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\system32\qagentrt.dll,-10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\fveui.dll,-843

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\fveui.dll,-844

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\wuaueng.dll,-400

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F32F2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F3350

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 21

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

LastPurgeTime

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EXCELFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SavedLegacySettings

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F32F2

C:\Windows\SysWOW64\msiexec.exe

ilyo

C:\Windows\SysWOW64\msiexec.exe

ywizacy

C:\Windows\SysWOW64\msiexec.exe

ywizacy

C:\Windows\SysWOW64\msiexec.exe

ywizacy

C:\Windows\SysWOW64\msiexec.exe

SavedLegacySettings

There are 112 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

4CB000

heap default

page read and write

F0000

unkown

page read and write

2D4000

heap default

page read and write

2B0000

heap default

page read and write

700000

unkown

page readonly

6B0000

unkown

page readonly

27FE000

unkown

page read and write

30C000

heap default

page read and write

1B70000

unkown

page readonly

28C000

unkown

page read and write

180000

unkown

page execute and read and write

1D10000

heap private

page read and write

324000

heap default

page read and write

2B7000

heap default

page read and write

1D57000

unkown

page readonly

487000

heap default

page read and write

350000

heap default

page read and write

850000

unkown

page readonly

45B000

unkown

page read and write

2B0000

unkown

page execute and read and write

2137000

unkown

page readonly

3AA000

unkown

page read and write

470000

heap private

page read and write

2F60000

unkown

page read and write

23C0000

heap private

page read and write

460000

unkown

page read and write

8C000

unkown

page read and write

240F000

unkown image

page read and write

E0000

heap private

page read and write

90000

unkown

page execute and read and write

2D0C000

unkown

page read and write

2A0000

unkown

page readonly

23C9000

heap private

page read and write

1F50000

unkown

page readonly

120000

unkown

page read and write

350000

heap default

page read and write

7EFDF000

unkown

page read and write

2426000

unkown image

page readonly

308000

heap default

page read and write

284E000

unkown

page read and write

2EA000

heap default

page read and write

2424000

unkown image

page read and write

1D64000

unkown

page read and write

140000

unkown

page read and write

2330000

unkown image

page readonly

460000

unkown

page read and write

190000

unkown

page execute and read and write

1ECE000

unkown

page read and write

7EFDF000

unkown

page read and write

3130000

heap private

page read and write

530000

unkown

page readonly

480000

unkown

page readonly

3B0000

unkown

page readonly

126000

unkown

page read and write

160000

unkown

page readonly

312000

heap default

page read and write

2B61000

unkown

page read and write

2900000

heap private

page read and write

D0000

unkown

page read and write

580000

unkown

page readonly

18B000

unkown

page read and write

2F50000

heap private

page read and write

1F10000

unkown

page readonly

29CE000

unkown

page read and write

506000

heap private

page read and write

2330000

unkown image

page readonly

5D0000

unkown

page readonly

36E000

heap default

page read and write

2B1E000

unkown

page read and write

2350000

unkown image

page readonly

20000

unkown

page readonly

23E7000

heap private

page read and write

2A80000

unkown

page read and write

60000

unkown

page readonly

170000

unkown

page readonly

4A4000

heap default

page read and write

2352000

unkown image

page read and write

24B0000

heap private

page read and write

20000

unkown

page readonly

B40000

heap private

page read and write

2356000

unkown image

page execute read

480000

heap default

page read and write

1ED4000

heap private

page read and write

D0000

unkown

page readonly

1D4F000

unkown

page read and write

2630000

heap private

page read and write

1D20000

unkown

page read and write

1FB0000

heap private

page read and write

2330000

unkown image

page readonly

39B000

unkown

page read and write

950000

heap private

page read and write

A80000

heap private

page read and write

38E000

heap default

page read and write

2355000

unkown image

page readonly

357000

heap default

page read and write

2330000

unkown image

page readonly

23AE000

unkown

page read and write

11C000

unkown

page read and write

490000

heap private

page read and write

1E0000

heap default

page read and write

1D3D000

unkown

page read and write

290000

unkown

page readonly

500000

heap private

page read and write

2410000

unkown image

page execute and read and write

1ED0000

heap private

page read and write

2331000

unkown image

page execute read

1E8D000

unkown

page read and write

2B70000

heap private

page read and write

4B7000

heap default

page read and write

4BD000

heap default

page read and write

1D5F000

unkown

page read and write

1EF2000

heap private

page read and write

368000

heap default

page read and write

2C5E000

unkown

page read and write

2414000

unkown image

page read and write

D0000

unkown

page write copy

234F000

unkown

page read and write

1B0000

heap default

page read and write

2400000

unkown

page readonly

1F0000

unkown

page read and write

2330000

unkown image

page readonly

29D0000

unkown

page readonly

2400000

unkown image

page readonly

4DD000

unkown

page read and write

20000

unkown

page readonly

2AD000

stack

page read and write

2A71000

unkown

page read and write

2EF000

heap default

page read and write

36E000

unkown

page read and write

E4000

heap private

page read and write

39B000

heap default

page read and write

319000

heap default

page read and write

450000

unkown

page readonly

2990000

unkown

page read and write

There are 124 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Domains

IPs

Registry

Memdumps