Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2032
Target ID:	0
Parent PID:	584
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Size:	27641504
MD5:	5FB0A0F93382ECD19F5F499A5CAA59F0
Time:	03:19:33
Date:	20/02/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f2d0000
Modulesize:	27758592
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Allocates a big amount of memory (probably used for heap spraying)	Software Vulnerabilities,	Extra Window Memory Injection
Spawns processes	System Summary,	Process Injection

C:\Windows\System32\rundll32.exe

rundll32 ..\BASE.BABAA,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	2344
Target ID:	3
Parent PID:	2032
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	rundll32 ..\BASE.BABAA,DllRegisterServer
Size:	45568
MD5:	DD81D91FF3B0763C392422865C9AC12E
Time:	03:19:38
Date:	20/02/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xffba0000
Modulesize:	61440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected Trickbot	Stealing of Sensitive Information, Remote Access Functionality
Document exploit detected (process start blacklist hit)	Software Vulnerabilities,	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Runs a DLL by calling functions	System Summary,	Rundll32
Spawns processes	System Summary,	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary,

C:\Windows\SysWOW64\rundll32.exe

rundll32 ..\BASE.BABAA,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	2296
Target ID:	4
Parent PID:	2344
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	rundll32 ..\BASE.BABAA,DllRegisterServer
Size:	44544
MD5:	51138BEEA3E2C21EC44D0932C71762A8
Time:	03:19:38
Date:	20/02/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x980000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Trickbot	Stealing of Sensitive Information, Remote Access Functionality
Document exploit detected (process start blacklist hit)	Software Vulnerabilities,	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Runs a DLL by calling functions	System Summary,	Rundll32
Spawns processes	System Summary,	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary,

C:\Windows\System32\wermgr.exe

C:\Windows\system32\wermgr.exe

Details

Is windows:	true
Is dropped:	false
PID:	2424
Target ID:	5
Parent PID:	2296
Name:	wermgr.exe
Path:	C:\Windows\System32\wermgr.exe
Commandline:	C:\Windows\system32\wermgr.exe
Size:	50688
MD5:	41DF7355A5A907E2C1D7804EC028965D
Time:	03:19:40
Date:	20/02/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xffcb0000
Modulesize:	69632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Spawns processes	System Summary,	Process Injection

C:\Windows\System32\wermgr.exe

C:\Windows\system32\wermgr.exe

Details

Is windows:	true
Is dropped:	false
PID:	2352
Target ID:	6
Parent PID:	2296
Name:	wermgr.exe
Path:	C:\Windows\System32\wermgr.exe
Commandline:	C:\Windows\system32\wermgr.exe
Size:	50688
MD5:	41DF7355A5A907E2C1D7804EC028965D
Time:	03:19:40
Date:	20/02/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xffcb0000
Modulesize:	69632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Spawns processes	System Summary,	Process Injection

URLs

Name

Malicious

http://www.chipmania.it/mails/open.php

185.81.0.78

http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check

unknown

http://www.windows.com/pctv.

unknown

http://investor.msn.com

unknown

http://www.msnbc.com/news/ticker.txt

unknown

http://crl.pkioverheid.nl/DomOvLatestCRL.crl0

unknown

http://www.icra.org/vocabulary/.

unknown

https://194.5.249.156/rob60/651689_W617601.4E09BB1E4C0BB7F7B798E195EF9953B3/5/file/

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.

unknown

http://crl.entrust.net/server1.crl0

unknown

https://45.155.173.242/rob60/651689_W617601.4E09BB1E4C0BB7F7B798E195EF9953B3/5/file/

unknown

http://ocsp.entrust.net03

unknown

http://investor.msn.com/

unknown

https://142.202.191.164/rob60/651689_W617601.4E09BB1E4C0BB7F7B798E195EF9953B3/5/file/

unknown

http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0

unknown

http://www.%s.comPA

unknown

http://www.diginotar.nl/cps/pkioverheid0

unknown

http://windowsmedia.com/redir/services.asp?WMPFriendly=true

unknown

http://www.hotmail.com/oe

unknown

http://ocsp.entrust.net0D

unknown

https://secure.comodo.com/CPS0

unknown

http://servername/isapibackend.dll

unknown

http://crl.entrust.net/2048ca.crl0

unknown

https://200.52.147.93/rob60/651689_W617601.4E09BB1E4C0BB7F7B798E195EF9953B3/5/file/

unknown

There are 14 hidden URLs, click here to show them.

Domains

Name

Malicious

ident.me

176.58.123.25

chipmania.it

185.81.0.78

Details

Name:	chipmania.it
IP:	185.81.0.78
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking,	Application Layer Protocol
Downloads files from webservers via HTTP	Networking,	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking,	Application Layer Protocol Non-Application Layer Protocol

www.chipmania.it

unknown

Details

Name:	www.chipmania.it
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities,	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking,	Application Layer Protocol
Downloads files from webservers via HTTP	Networking,	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking,	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Active

Malicious

142.202.191.164

unknown

Reserved

unknown

Details

IP:	142.202.191.164
TargetID:	6
Current Path:	C:\Windows\System32\wermgr.exe
Country:	Reserved
Countrycode:	ZZZ
ASN number:	398019
ASN name:	DYNUUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking,
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking,
Connects to IPs without corresponding DNS lookups	Networking,
Urls found in memory or binary data	Networking,

45.155.173.242

unknown

Germany

unknown

Details

IP:	45.155.173.242
TargetID:	6
Current Path:	C:\Windows\System32\wermgr.exe
Country:	Germany
Countrycode:	DEU
ASN number:	30823
ASN name:	COMBAHTONcombahtonGmbHDE
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking,
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking,
Connects to IPs without corresponding DNS lookups	Networking,
Urls found in memory or binary data	Networking,

200.52.147.93

unknown

Honduras

unknown

Details

IP:	200.52.147.93
TargetID:	6
Current Path:	C:\Windows\System32\wermgr.exe
Country:	Honduras
Countrycode:	HND
ASN number:	27932
ASN name:	RedesyTelecomunicacionesHN
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking,
Connects to IPs without corresponding DNS lookups	Networking,
Urls found in memory or binary data	Networking,

94.140.114.136

unknown

Latvia

unknown

Details

IP:	94.140.114.136
TargetID:	6
Current Path:	C:\Windows\System32\wermgr.exe
Country:	Latvia
Countrycode:	LVA
ASN number:	43513
ASN name:	NANO-ASLV
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking,
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities,	Exploitation for Client Execution
Connects to IPs without corresponding DNS lookups	Networking,

185.81.0.78

unknown

Italy

unknown

Details

IP:	185.81.0.78
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	Italy
Countrycode:	ITA
ASN number:	52030
ASN name:	SERVERPLAN-ASIT
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution

194.5.249.156

unknown

Romania

unknown

Details

IP:	194.5.249.156
TargetID:	6
Current Path:	C:\Windows\System32\wermgr.exe
Country:	Romania
Countrycode:	ROU
ASN number:	64398
ASN name:	NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking,
Urls found in memory or binary data	Networking,

Registry

Path

Value

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ll2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

MTTT

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ReviewToken

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EBEAD

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

VBAFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DefaultSheetR2L

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

UseSystemSeparators

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ThousandsSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DecimalSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EC284

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EC40A

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EC716

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EC793

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} {000214E6-0000-0000-C000-000000000046} 0xFFFF

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ix2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F3D9D

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F41D1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

LastPurgeTime

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EXCELFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SavedLegacySettings

C:\Windows\System32\wermgr.exe

@%SystemRoot%\system32\qagentrt.dll,-10

C:\Windows\System32\wermgr.exe

@%SystemRoot%\System32\fveui.dll,-843

C:\Windows\System32\wermgr.exe

@%SystemRoot%\System32\fveui.dll,-844

C:\Windows\System32\wermgr.exe

@%SystemRoot%\System32\wuaueng.dll,-400

C:\Windows\System32\wermgr.exe

Blob

C:\Windows\System32\wermgr.exe

Blob

C:\Windows\System32\wermgr.exe

Blob

C:\Windows\System32\wermgr.exe

Blob

C:\Windows\System32\wermgr.exe

Blob

C:\Windows\System32\wermgr.exe

Blob

There are 105 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

684000

unkown

page read and write

684000

unkown

page read and write

650000

heap default

page read and write

8C8000

unkown

page read and write

290000

unkown

page execute and read and write

880000

unkown

page read and write

32D41000

heap private

page read and write

180000

unkown

page readonly

341D0000

unkown

page readonly

66C000

unkown

page read and write

31A000

heap default

page read and write

3A3000

unkown

page read and write

1C0000

unkown

page read and write

33F72000

unkown

page read and write

E0000

unkown

page read and write

690000

unkown

page read and write

330000

heap private

page read and write

33F4E000

unkown

page read and write

384000

heap default

page read and write

17C000

unkown

page read and write

33F4E000

unkown

page read and write

328000

heap default

page read and write

2290000

heap private

page read and write

690000

unkown

page read and write

33F62000

unkown

page read and write

33540000

heap private

page read and write

5F0000

heap default

page read and write

5A0000

unkown

page execute and read and write

33F0F000

unkown

page read and write

38B000

heap default

page read and write

2294000

heap private

page read and write

32E7C000

heap private

page read and write

238C000

unkown

page read and write

D0000

unkown

page readonly

33F4D000

unkown

page read and write

6E899000

unkown image

page readonly

33EF1000

unkown

page read and write

62D000

heap default

page read and write

344D1000

unkown

page read and write

10001000

unkown

page execute and read and write

67A000

unkown

page read and write

340B0000

heap private

page read and write

2470000

heap private

page read and write

651000

unkown

page read and write

B2000

stack

page read and write

1F77000

unkown

page readonly

6E8D4000

unkown image

page readonly

6E470000

unkown image

page readonly

614000

heap default

page read and write

CB000

unkown

page read and write

627000

heap default

page read and write

34513000

unkown

page read and write

2180000

heap private

page read and write

2D0000

heap private

page read and write

590000

unkown

page readonly

336AF000

unkown

page read and write

1D97000

unkown

page readonly

2B0000

heap default

page read and write

316000

unkown

page read and write

33F4E000

unkown

page read and write

1D90000

unkown

page readonly

33F54000

unkown

page read and write

630000

unkown

page readonly

38D000

heap default

page read and write

2EE000

heap default

page read and write

33F29000

unkown

page read and write

333B0000

heap private

page read and write

6B1000

unkown

page read and write

2B7000

heap default

page read and write

33490000

heap private

page read and write

651000

unkown

page read and write

22D0000

heap private

page read and write

D0000

unkown

page read and write

32A000

unkown

page read and write

33F49000

unkown

page read and write

7D0000

unkown

page readonly

33F4C000

unkown

page read and write

382000

heap default

page read and write

310000

heap default

page read and write

1B0000

unkown

page readonly

33F26000

unkown

page read and write

6E471000

unkown image

page execute read

33EF0000

unkown

page read and write

484000

heap private

page read and write

1E8F000

unkown

page read and write

67A000

unkown

page read and write

E0000

unkown

page execute and read and write

690000

unkown

page read and write

190000

unkown

page execute and read and write

690000

unkown

page read and write

7EFDF000

unkown

page read and write

1BB0000

unkown

page readonly

390000

heap default

page read and write

333B5000

heap private

page read and write

33F98000

unkown

page read and write

1E0000

heap default

page read and write

33F65000

unkown

page read and write

4B0000

unkown

page readonly

410000

unkown

page readonly

32B43000

heap private

page read and write

340000

unkown

page execute and read and write

480000

heap private

page read and write

344D0000

unkown

page read and write

1B0000

unkown

page readonly

22B2000

heap private

page read and write

160000

unkown

page readonly

651000

unkown

page read and write

6B0000

unkown

page read and write

5F7000

heap default

page read and write

21E000

heap default

page read and write

20000

unkown

page readonly

651000

unkown

page read and write

1D0000

unkown

page read and write

344F5000

unkown

page read and write

6B2000

unkown

page read and write

33F62000

unkown

page read and write

110000

unkown

page readonly

33F49000

unkown

page read and write

60000

unkown

page readonly

1E7000

heap default

page read and write

33F4E000

unkown

page read and write

274000

heap private

page read and write

3B0000

unkown

page read and write

33CF7000

unkown

page readonly

2150000

heap private

page read and write

203D000

unkown

page read and write

333EB000

heap private

page read and write

6E8BC000

unkown image

page readonly

344F5000

unkown

page read and write

33F26000

unkown

page read and write

33F4E000

unkown

page read and write

610000

unkown

page readonly

1D0000

unkown

page read and write

6E8BA000

unkown image

page read and write

32E41000

heap private

page read and write

32E90000

unkown

page readonly

33270000

unkown

page readonly

20000

unkown

page read and write

140000

unkown

page read and write

490000

unkown

page readonly

344D1000

unkown

page read and write

2E0000

unkown

page execute and read and write

3E6000

unkown

page read and write

31C000

unkown

page read and write

3326C000

unkown

page read and write

270000

heap private

page read and write

1EE0000

heap private

page read and write

33720000

unkown

page readonly

39F000

heap default

page read and write

334A3000

heap private

page read and write

6E470000

unkown image

page readonly

6B2000

unkown

page read and write

2E0000

unkown

page read and write

20000

unkown

page readonly

33F4E000

unkown

page read and write

32E40000

heap private

page read and write

1AB000

unkown

page read and write

3406F000

unkown

page read and write

2256000

stack

page read and write

2040000

unkown

page write copy

1C50000

heap private

page read and write

65E000

unkown

page read and write

32E46000

heap private

page read and write

651000

unkown

page read and write

33B10000

unkown

page readonly

33F4E000

unkown

page read and write

1DBF000

unkown

page read and write

There are 157 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Domains

IPs

Registry

Memdumps