Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2332
Target ID:	0
Parent PID:	584
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Size:	27641504
MD5:	5FB0A0F93382ECD19F5F499A5CAA59F0
Time:	20:13:46
Date:	22/02/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13fd60000
Modulesize:	27758592
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Spawns processes	System Summary,	Process Injection

C:\Windows\System32\rundll32.exe

rundll32 ..\idefje.ekfd,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	2324
Target ID:	3
Parent PID:	2332
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	rundll32 ..\idefje.ekfd,DllRegisterServer
Size:	45568
MD5:	DD81D91FF3B0763C392422865C9AC12E
Time:	20:13:56
Date:	22/02/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xff420000
Modulesize:	61440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected IcedID	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Document exploit detected (process start blacklist hit)	Software Vulnerabilities,	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Runs a DLL by calling functions	System Summary,	Rundll32
Spawns processes	System Summary,	Process Injection

URLs

Name

Malicious

http://oskolko.uno/

206.189.10.247

https://twitter.com/awscloud

unknown

https://a0.awsstatic.com/libra-css/images/logo

unknown

https://a0.awsstatic.com/libra/1.0.373/libra-head.js

unknown

https://amazon.com/Y

unknown

https://aws.amazon.com/terms/?nc1=f_pr

unknown

https://dc.ads.linkedin.com/collect/?pid=3038&fmt=gif

unknown

https://s0.awsstatic.com/en_US/nav/v3/panel-content/mobile/index.html

unknown

https://aws.amazon.com/cn/

unknown

http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0

unknown

http://www.diginotar.nl/cps/pkioverheid0

unknown

https://a0.awsstatic.com/libra-css/images

unknown

https://a0.awsstatic.com/target/1.0.112/aws-target-mediator.js

unknown

https://a0.awsstatic.com/psf/null

unknown

https://aws.amazon.com/ar/

unknown

https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom

unknown

https://pages.awscloud.com/zillow-case-study?hp=tile&story=zllw

unknown

https://pages.awscloud.com/communication-preferences?trk=homepage

unknown

http://ocsp.rootg2.amazontrust.com08

unknown

https://aws.amazon.com/cn/?nc1=h_ls

unknown

https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&src=default

unknown

https://aws.amazon.com/ru/

unknown

https://aws.amazon.com/tw/?nc1=h_ls

unknown

https://fls-na.amazon.com/1/action-impressions/1/OE/aws-mktg/action/awsm_:comp_DeprecatedBrowser

unknown

https://i18n-string.us-west-2.prod.pricing.aws.a2z.com

unknown

https://aws.amazon.com/ko/

unknown

https://aws.amazon.com/ru/?nc1=h_ls

unknown

https://a0.awsstatic.com/libra-css/images/site/fav/favicon.ico

unknown

https://aws.amazon.com/es/

unknown

http://crl.sca1b.amazontrust.com/sca1b.crl0

unknown

https://docs.aws.amazon.com/index.html?nc2=h_ql_doc

unknown

https://aws.amazon.com/ar/?nc1=h_ls

unknown

https://a0.awsstatic.com/libra-css/css/1.0.373/style-awsm.css

unknown

https://aws.amazon.com/th/

unknown

http://www.windows.com/pctv.

unknown

https://a0.awsstatic.com/pricing-calculator/js/1.0.2

unknown

https://aws.amazon.com/marketplace/?nc2=h_mo

unknown

http://ocsp.sca1b.amazontrust.com06

unknown

http://oskolko.uno/om/

unknown

https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_179x109.png

unknown

https://console.aws.amazon.com/support/home/?nc2=h_ql_cu

unknown

http://crl.rootca1.amazontrust.com/rootca1.crl0

unknown

https://aws.amazon.com/search/

unknown

https://console.aws.amazon.com/iam/home?nc2=h_m_sc#security_credential

unknown

https://aws.amazon.com/?nc2=h_lg

unknown

http://ocsp.rootca1.amazontrust.com0:

unknown

https://console.aws.amazon.com/support/home/?nc1=f_dr

unknown

https://aws.amazon.com/fr/

unknown

http://windowsmedia.com/redir/services.asp?WMPFriendly=true

unknown

https://console.aws.amazon.com/console/home?nc1=f_ct&src=footer-signin-mobile

unknown

https://aws.amazon.com/vi/

unknown

https://www.twitch.tv/aws

unknown

https://a0.awsstatic.com/aws-blog/1.0.34/js

unknown

https://aws.amazon.com/marketplace/?nc2=h_ql_mp

unknown

https://aws.amazon.com/search

unknown

http://crl.rootg2.amazontrust.com/rootg2.crl0

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.

unknown

https://a0.awsstatic.com/da/js/1.0.47/aws-da.js

unknown

https://aws.amazon.com/tw/

unknown

https://aws.amazon.com/tr/?nc1=h_ls

unknown

https://console.aws.amazon.com/?nc2=h_m_mc

unknown

https://aws.amazon.com/fr/?nc1=h_ls

unknown

http://o.ss2.us/0

unknown

https://aws.amazon.com/search/?searchQuery=

unknown

https://a0.awsstatic.com/libra-search/1.0.13/js

unknown

https://aws.amazon.com/privacy/?nc1=f_pr

unknown

https://a0.awsstatic.com/libra/1.0.373/libra-cardsui

unknown

https://aws.amazon.com/pt/?nc1=h_ls

unknown

https://aws.amazon.com/jp/?nc1=h_ls

unknown

http://crl.entrust.net/2048ca.crl0

unknown

https://aws.amazon.com/marketplace?aws=hp

unknown

https://aws.amazon.com/

unknown

http://www.msnbc.com/news/ticker.txt

unknown

https://a0.awsstatic.com/libra-css/images/site/touch-icon-ipad-144-smile.png

unknown

https://a0.awsstatic.com/s_code/js/3.0/awshome_s_code.js

unknown

http://ocsp.sectigo.com0

unknown

https://aws.amazon.com/podcasts/aws-podcast/

unknown

http://ocsp.entrust.net03

unknown

https://aws.amazon.com/jp/

unknown

http://crt.rootg2.amazontrust.com/rootg2.cer0=

unknown

https://aws.amazon.com/pt/

unknown

https://a0.awsstatic.com/plc/js/1.0.107/plc

unknown

https://aws.amazon.com/?nc1=h_ls

unknown

https://s0.awsstatic.com/en_US/nav/v3/panel-content/desktop/index.html

unknown

https://aws.amazon.com/es/?nc1=h_ls

unknown

http://www.icra.org/vocabulary/.

unknown

https://d1.awsstatic.com

unknown

https://aws.amazon.com/de/

unknown

http://investor.msn.com/

unknown

https://phd.aws.amazon.com/?nc2=h_m_sc

unknown

https://aws.amazon.com/id/?nc1=h_ls

unknown

https://miraclecollagen.co.za/ds/1802.Dc

unknown

https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.png

unknown

https://sectigo.com/CPS0D

unknown

http://www.%s.comPA

unknown

https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc2=h_ct&src=default

unknown

https://a0.awsstatic.com

unknown

http://ocsp.entrust.net0D

unknown

https://pages.awscloud.com/fico-case-study.html?hp=tile&story=fico

unknown

http://s.ss2.us/r.crl0

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

oskolko.uno

206.189.10.247

Details

Name:	oskolko.uno
IP:	206.189.10.247
TargetID:	3
Current Path:	C:\Windows\System32\rundll32.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
HTTP GET or POST without a user agent	Networking,
Downloads files from webservers via HTTP	Networking,	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)	Networking,	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Urls found in memory or binary data	Networking,

dr49lng3n1n2s.cloudfront.net

143.204.4.74

Details

Name:	dr49lng3n1n2s.cloudfront.net
IP:	143.204.4.74
TargetID:	3
Current Path:	C:\Windows\System32\rundll32.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking,

miraclecollagen.co.za

197.242.147.47

Details

Name:	miraclecollagen.co.za
IP:	197.242.147.47
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution
Performs DNS lookups	Networking,	Application Layer Protocol Non-Application Layer Protocol
Urls found in memory or binary data	Networking,
Uses secure TLS version for HTTPS connections	Compliance, Networking,

aws.amazon.com

unknown

IPs

Domain

Country

Active

Malicious

206.189.10.247

unknown

United States

unknown

Details

IP:	206.189.10.247
TargetID:	3
Current Path:	C:\Windows\System32\rundll32.exe
Country:	United States
Countrycode:	USA
ASN number:	14061
ASN name:	DIGITALOCEAN-ASNUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	HIPS / PFW / Operating System Protection Evasion,	Process Injection

197.242.147.47

unknown

South Africa

unknown

Details

IP:	197.242.147.47
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	South Africa
Countrycode:	ZAF
ASN number:	37611
ASN name:	AfrihostZA
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution
Uses secure TLS version for HTTPS connections	Compliance, Networking,

143.204.4.74

unknown

United States

unknown

Details

IP:	143.204.4.74
TargetID:	3
Current Path:	C:\Windows\System32\rundll32.exe
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking,

Registry

Path

Value

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

291

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

MTTT

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ReviewToken

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EF528

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

VBAFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DefaultSheetR2L

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

UseSystemSeparators

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ThousandsSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DecimalSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EF93D

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EFA94

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EFD62

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EFE2D

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} {000214E6-0000-0000-C000-000000000046} 0xFFFF

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

m(1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\system32\qagentrt.dll,-10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\fveui.dll,-843

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\fveui.dll,-844

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\wuaueng.dll,-400

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F7FE9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F81FC

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

LastPurgeTime

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EXCELFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SavedLegacySettings

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Windows\System32\rundll32.exe

Blob

C:\Windows\System32\rundll32.exe

Blob

There are 108 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

37F000

heap default

page read and write

7FEEA7C5000

unkown image

page read and write

2DA0000

unkown

page readonly

7FEEAC2F000

unkown image

page readonly

3F5000

heap default

page read and write

2B50000

heap private

page read and write

23B000

heap default

page read and write

850000

unkown

page readonly

2D20000

heap private

page read and write

7FEEA7C4000

unkown image

page readonly

120000

unkown

page readonly

130000

heap private

page read and write

1C80000

unkown

page readonly

405000

unkown

page read and write

22D000

heap default

page read and write

219C000

unkown

page read and write

7FEEA7C7000

unkown image

page execute read

446000

unkown

page read and write

326000

unkown

page read and write

1F7000

heap default

page read and write

410000

unkown

page read and write

3EB000

heap default

page read and write

230000

unkown

page readonly

560000

unkown

page readonly

2F0000

unkown

page read and write

554000

heap private

page read and write

379000

heap default

page read and write

2A10000

unkown

page read and write

28E0000

heap private

page read and write

26A9000

heap private

page read and write

283F000

unkown

page read and write

2192000

unkown

page read and write

6E0000

unkown

page readonly

11D000

unkown

page read and write

7FEEA7C6000

unkown image

page readonly

D0000

unkown

page read and write

60000

unkown

page readonly

6CF000

unkown

page read and write

550000

heap private

page read and write

34E000

heap default

page read and write

2B63000

heap private

page read and write

2240000

unkown

page readonly

2A4B000

unkown

page read and write

310000

heap default

page read and write

20000

unkown

page readonly

56E000

unkown

page read and write

1F0000

heap default

page read and write

21C5000

heap private

page read and write

21FB000

heap private

page read and write

7FEEA7C0000

unkown image

page readonly

110000

unkown

page read and write

2A79000

unkown

page read and write

E0000

unkown

page read and write

46F000

unkown

page read and write

110000

unkown

page read and write

268C000

unkown

page read and write

BDF000

unkown

page read and write

21C0000

heap private

page read and write

2A0C000

unkown

page read and write

4C0000

heap private

page read and write

7FEEA7C0000

unkown image

page readonly

236000

heap default

page read and write

36B000

heap default

page read and write

2510000

unkown

page write copy

4C4000

heap private

page read and write

1E67000

unkown

page readonly

26DF000

heap private

page read and write

317000

heap default

page read and write

110000

unkown

page read and write

100000

unkown

page readonly

3ED000

heap default

page read and write

7FEEA7C1000

unkown image

page execute read

2CAF000

unkown

page read and write

40F000

heap default

page read and write

22C000

unkown

page read and write

26A0000

heap private

page read and write

There are 66 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Domains

IPs

Registry

Memdumps