Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	1464
Target ID:	0
Parent PID:	584
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Size:	27641504
MD5:	5FB0A0F93382ECD19F5F499A5CAA59F0
Time:	04:09:38
Date:	27/01/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f0b0000
Modulesize:	27758592
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Spawns processes	System Summary,	Process Injection

C:\Windows\System32\rundll32.exe

'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	2480
Target ID:	2
Parent PID:	1464
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer
Size:	45568
MD5:	DD81D91FF3B0763C392422865C9AC12E
Time:	04:09:44
Date:	27/01/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xff1c0000
Modulesize:	61440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities,	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Runs a DLL by calling functions	System Summary,	Rundll32
Spawns processes	System Summary,	Process Injection

C:\Windows\SysWOW64\rundll32.exe

'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	2484
Target ID:	3
Parent PID:	2480
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer
Size:	44544
MD5:	51138BEEA3E2C21EC44D0932C71762A8
Time:	04:09:44
Date:	27/01/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xb20000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities,	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Runs a DLL by calling functions	System Summary,	Rundll32
Spawns processes	System Summary,	Process Injection

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

Details

Is windows:	true
Is dropped:	false
PID:	2692
Target ID:	4
Parent PID:	2484
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\msiexec.exe
Commandline:	msiexec.exe
Size:	73216
MD5:	4315D6ECAE85024A0567DF2CB253B7B0
Time:	04:10:11
Date:	27/01/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x520000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Spawns processes	System Summary,	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary,

URLs

Name

Malicious

https://rnollg.com/kev/scfrd.dll

unknown

http://wmwifbajxxbcxmucxmlc.com/files/april24.dll)

unknown

http://www.windows.com/pctv.

unknown

http://investor.msn.com

unknown

http://www.msnbc.com/news/ticker.txt

unknown

https://govemedico.tk/t

unknown

http://crl.entrust.net/server1.crl0

unknown

http://crl3.digicert

unknown

http://ocsp.entrust.net03

unknown

https://homesoapmolds.com/post.phpx

unknown

http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0

unknown

https://gadgetswolf.com/

unknown

http://www.diginotar.nl/cps/pkioverheid0

unknown

https://gadgetswolf.com/post.php

unknown

https://govemedico.tk/

unknown

https://homesoapmolds.com/post.php

unknown

http://windowsmedia.com/redir/services.asp?WMPFriendly=true

unknown

http://www.hotmail.com/oe

unknown

https://gadgetswolf.com/post.phpF/

unknown

http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check

unknown

http://crl.pkioverheid.nl/DomOvLatestCRL.crl0

unknown

http://www.icra.org/vocabulary/.

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.

unknown

http://investor.msn.com/

unknown

http://www.%s.comPA

unknown

http://wmwifbajxxbcxmucxmlc.com/files/april24.dll~

unknown

http://ocsp.entrust.net0D

unknown

https://rnollg.com/kev/scfrd.dll$8

unknown

https://secure.comodo.com/CPS0

unknown

https://homesoapmolds.com/

unknown

http://crl.entrust.net/2048ca.crl0

unknown

Https://homesoapmolds.com/post.php

unknown

https://govemedico.tk/post.php

unknown

There are 23 hidden URLs, click here to show them.

Domains

Name

Malicious

homesoapmolds.com

172.67.198.109

Details

Name:	homesoapmolds.com
IP:	172.67.198.109
TargetID:	4
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking,
Uses secure TLS version for HTTPS connections	Compliance, Networking,

rnollg.com

172.67.150.228

Details

Name:	rnollg.com
IP:	172.67.150.228
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution
Performs DNS lookups	Networking,	Application Layer Protocol Non-Application Layer Protocol
Urls found in memory or binary data	Networking,
Uses secure TLS version for HTTPS connections	Compliance, Networking,

gadgetswolf.com

172.67.200.147

Details

Name:	gadgetswolf.com
IP:	172.67.200.147
TargetID:	4
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking,
Uses secure TLS version for HTTPS connections	Compliance, Networking,

govemedico.tk

172.67.158.184

Details

Name:	govemedico.tk
IP:	172.67.158.184
TargetID:	4
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking,
Uses secure TLS version for HTTPS connections	Compliance, Networking,

IPs

Domain

Country

Active

Malicious

172.67.158.184

unknown

United States

unknown

Details

IP:	172.67.158.184
TargetID:	4
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking,

172.67.150.228

unknown

United States

unknown

Details

IP:	172.67.150.228
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution
Uses secure TLS version for HTTPS connections	Compliance, Networking,

172.67.200.147

unknown

United States

unknown

Details

IP:	172.67.200.147
TargetID:	4
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking,

172.67.198.109

unknown

United States

unknown

Details

IP:	172.67.198.109
TargetID:	4
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking,

Registry

Path

Value

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

9z6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

MTTT

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ReviewToken

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ED604

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

VBAFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DefaultSheetR2L

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

UseSystemSeparators

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ThousandsSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DecimalSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EDCF7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EE08F

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EE12B

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} {000214E6-0000-0000-C000-000000000046} 0xFFFF

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

7i6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\system32\qagentrt.dll,-10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\fveui.dll,-843

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\fveui.dll,-844

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\wuaueng.dll,-400

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F2B35

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F2B83

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 21

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

LastPurgeTime

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EXCELFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SavedLegacySettings

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F2B35

C:\Windows\SysWOW64\msiexec.exe

ilyo

C:\Windows\SysWOW64\msiexec.exe

obizypb

C:\Windows\SysWOW64\msiexec.exe

obizypb

C:\Windows\SysWOW64\msiexec.exe

obizypb

C:\Windows\SysWOW64\msiexec.exe

SavedLegacySettings

There are 112 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

25C000

unkown

page read and write

350000

unkown

page read and write

1A0000

unkown

page read and write

6D4000

heap default

page read and write

414000

heap private

page read and write

360000

unkown

page readonly

350000

unkown

page read and write

2A61000

unkown

page read and write

A64000

unkown image

page read and write

930000

unkown

page readonly

970000

unkown image

page readonly

22C0000

unkown

page read and write

59E000

unkown

page read and write

190000

unkown

page write copy

60000

unkown

page read and write

2BFD000

unkown

page read and write

2460000

heap private

page read and write

770000

heap default

page read and write

500000

unkown

page readonly

20000

unkown

page readonly

708000

heap default

page read and write

6DB000

heap default

page read and write

90000

unkown

page readonly

20B000

unkown

page read and write

A54000

unkown image

page read and write

7EFDF000

unkown

page read and write

2980000

unkown

page readonly

2117000

unkown

page readonly

43F000

unkown

page read and write

6EA000

heap default

page read and write

686000

heap private

page read and write

3050000

heap private

page read and write

70000

unkown

page read and write

1ED0000

unkown

page readonly

2E0000

heap private

page read and write

33E000

unkown

page read and write

1B40000

unkown

page readonly

2B0E000

unkown

page read and write

2B8E000

unkown

page read and write

690000

heap default

page read and write

680000

unkown

page readonly

480000

heap default

page read and write

A4F000

unkown image

page read and write

2F6000

unkown

page read and write

697000

heap default

page read and write

238D000

unkown

page read and write

6EF000

heap default

page read and write

AD0000

unkown

page readonly

5A0000

unkown

page readonly

A66000

unkown image

page readonly

2D2C000

unkown

page read and write

150000

heap default

page read and write

D0000

unkown

page read and write

11C000

unkown

page read and write

5F0000

heap private

page read and write

960000

heap private

page read and write

970000

unkown image

page readonly

23A1000

unkown

page read and write

380000

heap default

page read and write

20000

heap private

page read and write

420000

unkown

page readonly

285E000

unkown

page read and write

130000

unkown

page readonly

18E000

heap default

page read and write

157000

heap default

page read and write

27EA000

unkown

page read and write

A50000

unkown image

page execute and read and write

7B0000

unkown

page readonly

713000

heap default

page read and write

6CD000

heap default

page read and write

971000

unkown image

page execute read

250000

heap private

page read and write

140000

unkown

page execute and read and write

90000

unkown

page readonly

1F30000

unkown

page readonly

290000

heap private

page read and write

6B4000

heap default

page read and write

2040000

heap private

page read and write

2EC0000

unkown

page read and write

120000

unkown

page readonly

1B0000

heap private

page read and write

2880000

heap private

page read and write

23FE000

unkown

page read and write

2D30000

unkown

page read and write

2ED000

stack

page read and write

717000

heap default

page read and write

2469000

heap private

page read and write

380000

heap private

page read and write

2980000

unkown

page read and write

970000

unkown image

page readonly

992000

unkown image

page read and write

2C5E000

unkown

page read and write

2C0000

unkown

page read and write

2487000

heap private

page read and write

1D27000

unkown

page readonly

100000

unkown

page read and write

400000

unkown

page read and write

24F000

unkown

page read and write

7EFDF000

unkown

page read and write

294000

heap private

page read and write

995000

unkown image

page readonly

150000

unkown

page execute and read and write

680000

heap private

page read and write

6B7000

heap default

page read and write

772000

unkown

page read and write

732000

heap default

page read and write

120000

unkown

page readonly

2EB0000

heap private

page read and write

71B000

heap default

page read and write

A40000

unkown image

page readonly

24A0000

unkown

page readonly

90000

unkown

page execute and read and write

410000

heap private

page read and write

41D000

unkown

page read and write

2F0000

unkown

page execute and read and write

970000

unkown image

page readonly

996000

unkown image

page execute read

230E000

unkown

page read and write

2460000

heap private

page read and write

234E000

unkown

page read and write

42F000

unkown

page read and write

990000

unkown image

page readonly

2B2000

heap private

page read and write

444000

unkown

page read and write

6C7000

heap default

page read and write

250000

unkown

page readonly

340000

unkown

page readonly

20000

unkown

page readonly

76F000

unkown

page read and write

410000

heap private

page read and write

970000

unkown image

page readonly

6B0000

heap default

page read and write

13C000

unkown

page read and write

There are 123 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Domains

IPs

Registry

Memdumps