Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2240
Target ID:	0
Parent PID:	584
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Size:	27641504
MD5:	5FB0A0F93382ECD19F5F499A5CAA59F0
Time:	21:34:38
Date:	26/01/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13fb80000
Modulesize:	27758592
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Spawns processes	System Summary,	Process Injection

C:\Windows\System32\rundll32.exe

'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	2312
Target ID:	3
Parent PID:	2240
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer
Size:	45568
MD5:	DD81D91FF3B0763C392422865C9AC12E
Time:	21:34:43
Date:	26/01/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xffc80000
Modulesize:	61440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities,	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Runs a DLL by calling functions	System Summary,	Rundll32
Spawns processes	System Summary,	Process Injection

C:\Windows\SysWOW64\rundll32.exe

'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	2408
Target ID:	4
Parent PID:	2312
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer
Size:	44544
MD5:	51138BEEA3E2C21EC44D0932C71762A8
Time:	21:34:44
Date:	26/01/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x6a0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities,	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Runs a DLL by calling functions	System Summary,	Rundll32
Spawns processes	System Summary,	Process Injection

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

Details

Is windows:	true
Is dropped:	false
PID:	2848
Target ID:	5
Parent PID:	2408
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\msiexec.exe
Commandline:	msiexec.exe
Size:	73216
MD5:	4315D6ECAE85024A0567DF2CB253B7B0
Time:	21:35:12
Date:	26/01/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x2a0000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Spawns processes	System Summary,	Process Injection

URLs

Name

Malicious

https://rnollg.com/kev/scfrd.dll

unknown

http://wmwifbajxxbcxmucxmlc.com/files/april24.dll)

unknown

http://www.windows.com/pctv.

unknown

http://investor.msn.com

unknown

http://www.msnbc.com/news/ticker.txt

unknown

http://crl.entrust.net/server1.crl0

unknown

http://ocsp.entrust.net03

unknown

https://gadgetswolf.com/post.phpMb

unknown

http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0

unknown

https://gadgetswolf.com/

unknown

http://www.diginotar.nl/cps/pkioverheid0

unknown

http://windowsmedia.com/redir/services.asp?WMPFriendly=true

unknown

http://www.hotmail.com/oe

unknown

https://gadgetswolf.com/f

unknown

http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check

unknown

http://crl.pkioverheid.nl/DomOvLatestCRL.crl0

unknown

http://www.icra.org/vocabulary/.

unknown

https://gadgetswolf.com/post.phpab

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.

unknown

http://investor.msn.com/

unknown

http://www.%s.comPA

unknown

http://wmwifbajxxbcxmucxmlc.com/files/april24.dll~

unknown

http://ocsp.entrust.net0D

unknown

https://rnollg.com/kev/scfrd.dll$8

unknown

https://secure.comodo.com/CPS0

unknown

https://homesoapmolds.com/

unknown

http://crl.entrust.net/2048ca.crl0

unknown

https://govemedico.tk/post.php

unknown

There are 18 hidden URLs, click here to show them.

Domains

Name

Malicious

homesoapmolds.com

104.21.60.169

Details

Name:	homesoapmolds.com
IP:	104.21.60.169
TargetID:	5
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking,
Uses secure TLS version for HTTPS connections	Compliance, Networking,

rnollg.com

172.67.150.228

Details

Name:	rnollg.com
IP:	172.67.150.228
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution
Performs DNS lookups	Networking,	Application Layer Protocol Non-Application Layer Protocol
Urls found in memory or binary data	Networking,
Uses secure TLS version for HTTPS connections	Compliance, Networking,

gadgetswolf.com

172.67.200.147

Details

Name:	gadgetswolf.com
IP:	172.67.200.147
TargetID:	5
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking,
Uses secure TLS version for HTTPS connections	Compliance, Networking,

govemedico.tk

104.21.73.69

Details

Name:	govemedico.tk
IP:	104.21.73.69
TargetID:	5
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking,
Uses secure TLS version for HTTPS connections	Compliance, Networking,

IPs

Domain

Country

Active

Malicious

172.67.150.228

unknown

United States

unknown

Details

IP:	172.67.150.228
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution
Uses secure TLS version for HTTPS connections	Compliance, Networking,

104.21.60.169

unknown

United States

unknown

Details

IP:	104.21.60.169
TargetID:	5
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking,

172.67.200.147

unknown

United States

unknown

Details

IP:	172.67.200.147
TargetID:	5
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking,

104.21.73.69

unknown

United States

unknown

Details

IP:	104.21.73.69
TargetID:	5
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking,

Registry

Path

Value

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

qy6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

MTTT

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ReviewToken

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ED45F

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

VBAFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DefaultSheetR2L

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

UseSystemSeparators

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ThousandsSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DecimalSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EDB52

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EDEBB

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EDF67

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} {000214E6-0000-0000-C000-000000000046} 0xFFFF

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

c'7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\system32\qagentrt.dll,-10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\fveui.dll,-843

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\fveui.dll,-844

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\wuaueng.dll,-400

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F28C5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F2942

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 21

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

LastPurgeTime

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EXCELFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SavedLegacySettings

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F28C5

C:\Windows\SysWOW64\msiexec.exe

ilyo

C:\Windows\SysWOW64\msiexec.exe

azimboqy

C:\Windows\SysWOW64\msiexec.exe

azimboqy

C:\Windows\SysWOW64\msiexec.exe

azimboqy

C:\Windows\SysWOW64\msiexec.exe

SavedLegacySettings

There are 112 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

360000

unkown image

page readonly

2D0000

unkown

page readonly

580000

unkown

page execute and read and write

210000

heap private

page read and write

1F07000

heap private

page read and write

D0000

unkown

page execute and read and write

420000

heap default

page read and write

17D000

stack

page read and write

53D000

unkown

page read and write

1DD0000

unkown

page readonly

290000

unkown

page readonly

4B7000

heap default

page read and write

366000

unkown image

page execute read

4F0000

heap default

page read and write

180000

unkown

page read and write

1D37000

unkown

page readonly

4A4000

heap default

page read and write

520000

unkown

page read and write

341000

unkown image

page execute read

6B0000

unkown

page readonly

830000

unkown

page readonly

487000

heap default

page read and write

1E8E000

unkown

page read and write

2C0000

heap default

page read and write

2E0000

heap default

page read and write

240000

heap private

page read and write

190000

unkown

page read and write

20000

unkown

page readonly

1A6000

unkown

page read and write

1DB000

unkown

page read and write

200000

heap private

page read and write

4EC000

unkown

page read and write

670000

heap private

page read and write

686000

heap private

page read and write

478000

heap default

page read and write

2E7000

heap default

page read and write

2450000

unkown

page readonly

5B4000

heap private

page read and write

45A000

heap default

page read and write

7EFDF000

unkown

page read and write

2C0000

unkown

page read and write

427000

heap default

page read and write

4C2000

heap default

page read and write

2BCD000

unkown

page read and write

CB000

unkown

page read and write

A30000

unkown

page readonly

560000

unkown

page readonly

2A10000

unkown

page read and write

4F0000

unkown

page read and write

2020000

heap private

page read and write

2060000

unkown

page readonly

5B0000

heap private

page read and write

2024000

heap private

page read and write

D0000

unkown

page readonly

60000

unkown

page read and write

2890000

unkown

page readonly

340000

unkown image

page readonly

4CB000

heap default

page read and write

170000

unkown

page read and write

2C4D000

unkown

page read and write

3E0000

unkown

page readonly

25F000

unkown

page read and write

410000

unkown image

page readonly

41F000

unkown image

page read and write

436000

unkown image

page readonly

2AEF000

unkown

page read and write

2A5E000

unkown

page read and write

A20000

heap private

page read and write

CC000

unkown

page read and write

280000

unkown

page readonly

20000

unkown

page readonly

340000

unkown image

page readonly

3160000

unkown

page read and write

1D0000

unkown

page execute and read and write

2AF1000

unkown

page read and write

434000

unkown image

page read and write

2D20000

heap private

page read and write

29BE000

unkown

page read and write

7EFDF000

unkown

page read and write

1F6E000

unkown

page read and write

201A000

unkown

page read and write

9E0000

heap private

page read and write

365000

unkown image

page readonly

330000

heap default

page read and write

65E000

unkown

page read and write

180000

unkown

page write copy

3060000

heap private

page read and write

480000

heap default

page read and write

2C0000

unkown

page read and write

3120000

heap private

page read and write

444000

heap default

page read and write

424000

unkown image

page read and write

2A0000

heap private

page read and write

4BD000

heap default

page read and write

690000

unkown

page readonly

810000

unkown

page readonly

1F40000

heap private

page read and write

1A0000

unkown

page readonly

1C0000

unkown

page execute and read and write

1FB7000

unkown

page readonly

1B50000

unkown

page readonly

279E000

unkown

page read and write

564000

unkown

page read and write

110000

unkown

page readonly

70000

unkown

page read and write

680000

heap private

page read and write

3FE000

unkown

page read and write

31E000

heap default

page read and write

48D000

heap default

page read and write

20000

unkown

page readonly

420000

unkown image

page execute and read and write

FC000

unkown

page read and write

45F000

heap default

page read and write

4F0000

unkown

page read and write

1B0000

unkown

page readonly

2A0F000

unkown

page read and write

54F000

unkown

page read and write

4E5000

heap default

page read and write

340000

unkown image

page readonly

362000

unkown image

page read and write

2890000

unkown

page read and write

100000

unkown

page readonly

1EE9000

heap private

page read and write

2042000

heap private

page read and write

340000

unkown image

page readonly

340000

unkown image

page readonly

2B6E000

unkown

page read and write

1EE0000

heap private

page read and write

2971000

unkown

page read and write

55F000

unkown

page read and write

2F0000

heap private

page read and write

22F0000

heap private

page read and write

There are 122 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Domains

IPs

Registry

Memdumps