Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2556
Target ID:	2
Parent PID:	584
Name:	EQNEDT32.EXE
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Size:	543304
MD5:	A87236E214F6D42A65F5DEDAC816AEC8
Time:	20:35:06
Date:	27/01/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	581632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary,
Sigma detected: File Dropped By EQNEDT32EXE	System Summary,
Sigma detected: Executables Started in Suspicious Folder	System Summary,
Sigma detected: Execution in Non-Executable Folder	System Summary,
Sigma detected: Suspicious Program Location Process Starts	System Summary,
Office Equation Editor has been started	Exploits,
Spawns processes	System Summary,	Process Injection

C:\Users\Public\vbc.exe

'C:\Users\Public\vbc.exe'

Details

Is windows:	false
Is dropped:	true
PID:	2720
Target ID:	4
Parent PID:	2556
Name:	vbc.exe
Path:	C:\Users\Public\vbc.exe
Commandline:	'C:\Users\Public\vbc.exe'
Size:	508928
MD5:	C7B2B0FA4A71FE33536148C2584DA7DB
Time:	20:35:10
Date:	27/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xbf0000
Modulesize:	532480
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary,
Sigma detected: Scheduled temp file as task from temp location	System Summary,
Yara detected AntiVM_3	Malware Analysis System Evasion,
Drops PE files to the user root directory	Boot Survival,	Masquerading
Office equation editor drops PE file	System Summary,
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits,	Exploitation for Client Execution
Sigma detected: Executables Started in Suspicious Folder	System Summary,
Sigma detected: Execution in Non-Executable Folder	System Summary,
Sigma detected: Suspicious Program Location Process Starts	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Drops PE files	Persistence and Installation Behavior,
Drops PE files to the user directory	Persistence and Installation Behavior,	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection,	System Information Discovery
Spawns processes	System Summary,	Process Injection

C:\Windows\System32\schtasks.exe

'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XaHKwnPuj' /XML 'C:\Users\user\AppData\Local\Temp\tmp2222.tmp'

Details

Is windows:	true
Is dropped:	false
PID:	2920
Target ID:	5
Parent PID:	2720
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\System32\schtasks.exe
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XaHKwnPuj' /XML 'C:\Users\user\AppData\Local\Temp\tmp2222.tmp'
Size:	285696
MD5:	97E0EC3D6D99E8CC2B17EF2D3760E8FC
Time:	20:35:13
Date:	27/01/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xffa90000
Modulesize:	294912
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Scheduled temp file as task from temp location	System Summary,
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival,	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Spawns processes	System Summary,	Process Injection

C:\Users\Public\vbc.exe

Details

Is windows:	false
Is dropped:	true
PID:	2928
Target ID:	7
Parent PID:	2720
Name:	vbc.exe
Path:	C:\Users\Public\vbc.exe
Commandline:	C:\Users\Public\vbc.exe
Size:	508928
MD5:	C7B2B0FA4A71FE33536148C2584DA7DB
Time:	20:35:13
Date:	27/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xbf0000
Modulesize:	532480
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary,
Sigma detected: Scheduled temp file as task from temp location	System Summary,
Yara detected AntiVM_3	Malware Analysis System Evasion,
Drops PE files to the user root directory	Boot Survival,	Masquerading
Office equation editor drops PE file	System Summary,
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits,	Exploitation for Client Execution
Sigma detected: Executables Started in Suspicious Folder	System Summary,
Sigma detected: Execution in Non-Executable Folder	System Summary,
Sigma detected: Suspicious Program Location Process Starts	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Drops PE files	Persistence and Installation Behavior,
Drops PE files to the user directory	Persistence and Installation Behavior,	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection,	System Information Discovery
Spawns processes	System Summary,	Process Injection

C:\Users\Public\vbc.exe

Details

Is windows:	false
Is dropped:	true
PID:	2476
Target ID:	8
Parent PID:	2720
Name:	vbc.exe
Path:	C:\Users\Public\vbc.exe
Commandline:	C:\Users\Public\vbc.exe
Size:	508928
MD5:	C7B2B0FA4A71FE33536148C2584DA7DB
Time:	20:35:14
Date:	27/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xbf0000
Modulesize:	532480
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary,
Sigma detected: Scheduled temp file as task from temp location	System Summary,
Yara detected AntiVM_3	Malware Analysis System Evasion,
Drops PE files to the user root directory	Boot Survival,	Masquerading
Office equation editor drops PE file	System Summary,
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits,	Exploitation for Client Execution
Sigma detected: Executables Started in Suspicious Folder	System Summary,
Sigma detected: Execution in Non-Executable Folder	System Summary,
Sigma detected: Suspicious Program Location Process Starts	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Drops PE files	Persistence and Installation Behavior,
Drops PE files to the user directory	Persistence and Installation Behavior,	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection,	System Information Discovery
Spawns processes	System Summary,	Process Injection

C:\Users\Public\vbc.exe

Details

Is windows:	false
Is dropped:	true
PID:	2472
Target ID:	9
Parent PID:	2720
Name:	vbc.exe
Path:	C:\Users\Public\vbc.exe
Commandline:	C:\Users\Public\vbc.exe
Size:	508928
MD5:	C7B2B0FA4A71FE33536148C2584DA7DB
Time:	20:35:14
Date:	27/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xbf0000
Modulesize:	532480
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary,
Sigma detected: Scheduled temp file as task from temp location	System Summary,
Yara detected AntiVM_3	Malware Analysis System Evasion,
Drops PE files to the user root directory	Boot Survival,	Masquerading
Office equation editor drops PE file	System Summary,
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits,	Exploitation for Client Execution
Sigma detected: Executables Started in Suspicious Folder	System Summary,
Sigma detected: Execution in Non-Executable Folder	System Summary,
Sigma detected: Suspicious Program Location Process Starts	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Drops PE files	Persistence and Installation Behavior,
Drops PE files to the user directory	Persistence and Installation Behavior,	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection,	System Information Discovery
Spawns processes	System Summary,	Process Injection

C:\Users\Public\vbc.exe

Details

Is windows:	false
Is dropped:	true
PID:	2456
Target ID:	10
Parent PID:	2720
Name:	vbc.exe
Path:	C:\Users\Public\vbc.exe
Commandline:	C:\Users\Public\vbc.exe
Size:	508928
MD5:	C7B2B0FA4A71FE33536148C2584DA7DB
Time:	20:35:15
Date:	27/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xbf0000
Modulesize:	532480
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary,
Sigma detected: Scheduled temp file as task from temp location	System Summary,
Yara detected AntiVM_3	Malware Analysis System Evasion,
Drops PE files to the user root directory	Boot Survival,	Masquerading
Office equation editor drops PE file	System Summary,
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits,	Exploitation for Client Execution
Sigma detected: Executables Started in Suspicious Folder	System Summary,
Sigma detected: Execution in Non-Executable Folder	System Summary,
Sigma detected: Suspicious Program Location Process Starts	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Drops PE files	Persistence and Installation Behavior,
Drops PE files to the user directory	Persistence and Installation Behavior,	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection,	System Information Discovery
Spawns processes	System Summary,	Process Injection

C:\Users\Public\vbc.exe

Details

Is windows:	false
Is dropped:	true
PID:	2884
Target ID:	11
Parent PID:	2720
Name:	vbc.exe
Path:	C:\Users\Public\vbc.exe
Commandline:	C:\Users\Public\vbc.exe
Size:	508928
MD5:	C7B2B0FA4A71FE33536148C2584DA7DB
Time:	20:35:15
Date:	27/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xbf0000
Modulesize:	532480
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary,
Sigma detected: Scheduled temp file as task from temp location	System Summary,
Yara detected AntiVM_3	Malware Analysis System Evasion,
Drops PE files to the user root directory	Boot Survival,	Masquerading
Office equation editor drops PE file	System Summary,
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits,	Exploitation for Client Execution
Sigma detected: Executables Started in Suspicious Folder	System Summary,
Sigma detected: Execution in Non-Executable Folder	System Summary,
Sigma detected: Suspicious Program Location Process Starts	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Drops PE files	Persistence and Installation Behavior,
Drops PE files to the user directory	Persistence and Installation Behavior,	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection,	System Information Discovery
Spawns processes	System Summary,	Process Injection

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	1100
Target ID:	0
Parent PID:	584
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Size:	27641504
MD5:	5FB0A0F93382ECD19F5F499A5CAA59F0
Time:	20:34:46
Date:	27/01/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13fba0000
Modulesize:	27758592
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary,	Process Injection

URLs

Name

Malicious

http://www.%s.comPA

unknown

Details

Name:	http://www.%s.comPA
TargetID:	4
From Memory:	true
Current Path:	C:\Users\Public\vbc.exe
Source:	vbc.exe, 00000004.00000002.2170919142.000000001BA40000.00000002.00000001.sdmp
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking,

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
TargetID:	4
From Memory:	true
Current Path:	C:\Users\Public\vbc.exe
Source:	vbc.exe, 00000004.00000002.2170919142.000000001BA40000.00000002.00000001.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking,

http://www.day.com/dam/1.0

unknown

Details

Name:	http://www.day.com/dam/1.0
TargetID:	0
From Memory:	true
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Source:	BADF7393.emf.0.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking,

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	4
From Memory:	true
Current Path:	C:\Users\Public\vbc.exe
Source:	vbc.exe, 00000004.00000002.2169176262.0000000002371000.00000004.00000001.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking,

Domains

Name

Malicious

spicesherbs.in

162.241.148.128

Details

Name:	spicesherbs.in
IP:	162.241.148.128
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution
Performs DNS lookups	Networking,	Application Layer Protocol Non-Application Layer Protocol
Uses secure TLS version for HTTPS connections	Compliance, Networking,

IPs

Domain

Country

Active

Malicious

162.241.148.128

unknown

United States

unknown

Details

IP:	162.241.148.128
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Country:	United States
Countrycode:	USA
ASN number:	46606
ASN name:	UNIFIEDLAYER-AS-1US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution
Uses secure TLS version for HTTPS connections	Compliance, Networking,

Registry

Path

Value

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

d|6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

MTTT

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ReviewToken

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EF4CA

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

VBAFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DefaultSheetR2L

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

UseSystemSeparators

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ThousandsSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DecimalSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

7c6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F3BD8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F4EDB

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 21

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

LastPurgeTime

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EXCELFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F3BD8

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

EquationEditorFilesIntl_1033

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

SavedLegacySettings

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Blob

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Blob

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Blob

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Blob

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Blob

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Blob

There are 56 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

12381000

unkown

page read and write

23DE000

unkown

page read and write

C6E000

unkown image

page readonly

1ED000

heap default

page read and write

4E0000

unkown

page read and write

7FE8AC60000

unkown

page execute and read and write

4D9000

unkown

page read and write

C6E000

unkown image

page readonly

9F0000

unkown

page readonly

1A970000

unkown

page readonly

5A0000

unkown

page read and write

510000

unkown

page read and write

1A820000

unkown

page read and write

BF2000

unkown image

page execute read

1B710000

unkown

page read and write

3F0000

unkown

page read and write

1A840000

unkown

page read and write

230000

unkown

page readonly

1B05F000

unkown

page read and write

1237D000

unkown

page read and write

BF0000

unkown image

page readonly

1AC80000

unkown

page read and write

410000

unkown

page read and write

1B89A000

unkown

page read and write

21A000

heap default

page read and write

4CB000

unkown

page read and write

BF0000

unkown image

page readonly

4D2000

unkown

page read and write

7FE8AB50000

unkown

page read and write

1A782000

unkown

page read and write

3F0000

heap private

page read and write

50E000

unkown

page read and write

1ACF0000

unkown

page read and write

1B2A0000

heap private

page execute and read and write

4C0000

unkown

page read and write

BF0000

unkown image

page readonly

444000

heap private

page read and write

4C0000

unkown

page read and write

1A84C000

unkown

page read and write

12371000

unkown

page read and write

1A7F0000

unkown

page read and write

1A84E000

unkown

page read and write

1B180000

unkown

page read and write

1AED4000

unkown

page read and write

4C2000

unkown

page read and write

1AD20000

unkown

page read and write

BF2000

unkown image

page execute read

1A830000

unkown

page read and write

1A7E0000

unkown

page read and write

4F4000

heap private

page read and write

1AC7A000

unkown

page read and write

1B691000

unkown

page read and write

BF0000

unkown image

page readonly

5D6000

unkown

page read and write

41F000

unkown

page read and write

1AD7B000

heap private

page read and write

1B0000

heap default

page read and write

1B600000

unkown

page read and write

432000

unkown

page read and write

1B600000

unkown

page read and write

222000

heap default

page read and write

4DE000

unkown

page read and write

3E0000

unkown

page read and write

1ACC0000

unkown

page read and write

BF2000

unkown image

page execute read

1AD00000

heap private

page read and write

1AD20000

unkown

page read and write

7FE8AB43000

unkown

page read and write

4D0000

unkown

page readonly

2190000

unkown

page readonly

1B17D000

unkown

page read and write

C6E000

unkown image

page readonly

4C0000

unkown

page read and write

BF2000

unkown image

page execute read

43B000

unkown

page read and write

1B600000

unkown

page read and write

236F000

unkown

page read and write

1BA40000

unkown

page readonly

1A7AD000

unkown

page read and write

1A840000

unkown

page read and write

1B7000

heap default

page read and write

1A7AD000

unkown

page read and write

510000

unkown

page read and write

3D0000

unkown

page readonly

224000

heap default

page read and write

1AD10000

unkown

page read and write

BF0000

unkown image

page readonly

820000

unkown

page readonly

430000

unkown

page read and write

4D0000

unkown

page read and write

7FE8AC16000

unkown

page execute and read and write

430000

unkown

page read and write

4D0000

unkown

page read and write

BF2000

unkown image

page execute read

BF0000

unkown image

page readonly

1B6E0000

unkown

page read and write

9D2000

unkown

page read and write

C6E000

unkown image

page readonly

1AC70000

unkown

page read and write

1C70F000

unkown

page read and write

7FE8ACB1000

unkown

page read and write

1AEE0000

unkown

page read and write

4C0000

unkown

page read and write

4C0000

unkown

page read and write

1A850000

unkown

page read and write

C6E000

unkown image

page readonly

3A0000

unkown

page read and write

BF0000

unkown image

page readonly

4C2000

unkown

page read and write

1B6D0000

unkown

page read and write

4C0000

unkown

page read and write

1A704000

unkown

page read and write

21C000

heap default

page read and write

BF2000

unkown image

page execute read

4D0000

unkown

page read and write

1B83D000

unkown

page read and write

4D5000

unkown

page read and write

1B841000

unkown

page read and write

1AD10000

unkown

page read and write

1A778000

unkown

page read and write

7FFFFF00000

unkown

page execute and read and write

9C0000

unkown

page read and write

510000

unkown

page read and write

4D0000

unkown

page read and write

A90000

unkown

page read and write

20000

unkown

page read and write

190000

unkown

page read and write

1A781000

unkown

page read and write

1A96C000

unkown

page read and write

4C0000

unkown

page read and write

12378000

unkown

page read and write

4D0000

unkown

page read and write

1A850000

unkown

page read and write

BF0000

unkown image

page readonly

1ACB0000

unkown

page read and write

4C0000

unkown

page read and write

1A800000

unkown

page readonly

1ACD0000

unkown

page read and write

C6E000

unkown image

page readonly

165000

unkown

page read and write

1A7B0000

unkown

page read and write

4C0000

unkown

page read and write

3C0000

unkown

page read and write

9D0000

unkown

page readonly

1AC90000

unkown

page read and write

C6E000

unkown image

page readonly

1AD45000

heap private

page read and write

4C2000

unkown

page read and write

BF2000

unkown image

page execute read

4D5000

unkown

page read and write

1AEF0000

unkown

page read and write

520000

heap private

page execute and read and write

9E0000

unkown

page read and write

7FE8ABE0000

unkown

page read and write

1B320000

unkown

page readonly

1AC50000

unkown

page read and write

271C000

unkown

page read and write

400000

unkown

page read and write

1B6B0000

unkown

page read and write

1ACF0000

unkown

page read and write

4D0000

unkown

page read and write

500000

unkown

page read and write

7FE8AC50000

unkown

page read and write

1AED1000

unkown

page read and write

7FE8AC59000

unkown

page read and write

1A850000

unkown

page read and write

7FE8ABF0000

unkown

page execute and read and write

4E0000

unkown

page read and write

4E5000

unkown

page read and write

4C0000

unkown

page read and write

BF0000

unkown image

page readonly

500000

unkown

page read and write

1C33F000

unkown

page read and write

4C0000

unkown

page read and write

4C0000

unkown

page read and write

6A0000

unkown

page readonly

1A860000

unkown

page read and write

4C0000

unkown

page read and write

500000

unkown

page read and write

4E0000

unkown

page read and write

1B6C0000

unkown

page read and write

1ACEC000

unkown

page read and write

1B700000

unkown

page read and write

9C0000

unkown

page read and write

BF0000

unkown image

page readonly

1A840000

unkown

page read and write

4E7000

unkown

page read and write

4D0000

unkown

page read and write

4CB000

unkown

page read and write

BF2000

unkown image

page execute read

4E0000

unkown

page read and write

BF0000

unkown image

page readonly

BF0000

unkown image

page readonly

4E0000

unkown

page read and write

1A74E000

unkown

page read and write

7FE8AB34000

unkown

page read and write

4F0000

heap private

page read and write

BF0000

unkown image

page readonly

3D0000

unkown

page read and write

1AC40000

unkown

page readonly

BF0000

unkown image

page readonly

7FE8AB4D000

unkown

page execute and read and write

4C0000

unkown

page read and write

1ACD0000

unkown

page read and write

450000

unkown

page readonly

BF0000

unkown image

page readonly

1C53F000

unkown

page read and write

1BF5F000

unkown

page read and write

1B840000

unkown

page read and write

BF0000

unkown image

page readonly

1AF00000

unkown

page read and write

BF2000

unkown image

page execute read

1AD30000

unkown

page read and write

4C7000

unkown

page read and write

BF2000

unkown image

page execute read

1A79E000

unkown

page read and write

2A0000

unkown

page read and write

4C0000

unkown

page read and write

1ACC0000

unkown

page read and write

4C2000

unkown

page read and write

BF2000

unkown image

page execute read

7FE8ABEC000

unkown

page execute and read and write

1AC61000

unkown

page read and write

1B6A0000

unkown

page read and write

1B627000

unkown

page read and write

1AEC0000

unkown

page read and write

1ACE0000

unkown

page read and write

C6E000

unkown image

page readonly

1B6F0000

unkown

page read and write

2D6000

unkown

page read and write

9F0000

unkown

page read and write

4D6000

unkown

page read and write

C6E000

unkown image

page readonly

1ACA0000

unkown

page read and write

9E0000

unkown

page read and write

1AD04000

heap private

page read and write

B90000

unkown

page read and write

4C0000

unkown

page read and write

1AD40000

heap private

page read and write

9E0000

unkown

page read and write

437000

unkown

page read and write

4CE000

unkown

page read and write

1ADF6000

unkown

page read and write

B00000

unkown

page read and write

4C0000

unkown

page read and write

4D0000

unkown

page read and write

1AC40000

unkown

page read and write

4C0000

unkown

page read and write

3C2000

unkown

page read and write

1A800000

unkown

page read and write

BF2000

unkown image

page execute read

430000

unkown

page read and write

C6E000

unkown image

page readonly

1ACB0000

unkown

page read and write

430000

unkown

page read and write

500000

unkown

page read and write

3E0000

unkown

page read and write

9CB000

unkown

page read and write

C6E000

unkown image

page readonly

1AEE0000

unkown

page read and write

1A860000

unkown

page read and write

4D0000

unkown

page read and write

1AF30000

unkown

page read and write

420000

unkown

page read and write

1ACE0000

unkown

page read and write

7FE8AB3D000

unkown

page execute and read and write

2371000

unkown

page read and write

7FE8AB40000

unkown

page read and write

1B600000

unkown

page read and write

4D0000

unkown

page read and write

1ADC0000

unkown

page read and write

41A000

unkown

page read and write

4E0000

unkown

page read and write

1AEC0000

unkown

page read and write

BF0000

unkown image

page readonly

9D0000

unkown

page read and write

4D0000

unkown

page read and write

1A79E000

unkown

page read and write

4EE000

unkown

page read and write

4D0000

unkown

page read and write

504000

unkown

page read and write

7FE8ACA0000

unkown

page read and write

B10000

heap private

page read and write

C6E000

unkown image

page readonly

4C0000

unkown

page read and write

BF0000

unkown image

page readonly

7FE8ABE6000

unkown

page read and write

1A760000

unkown

page read and write

1C70E000

unkown

page read and write | page guard

1C12F000

unkown

page read and write

440000

heap private

page read and write

7FE8AB8C000

unkown

page execute and read and write

B00000

unkown

page readonly

A00000

unkown

page read and write

7FE8AB5D000

unkown

page execute and read and write

1A810000

unkown

page read and write

A10000

heap private

page execute and read and write

There are 287 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Domains

IPs

Registry

Memdumps