Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2320
Target ID:	0
Parent PID:	584
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Size:	27641504
MD5:	5FB0A0F93382ECD19F5F499A5CAA59F0
Time:	22:50:35
Date:	22/02/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13ff80000
Modulesize:	27758592
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Spawns processes	System Summary,	Process Injection

C:\Windows\System32\rundll32.exe

rundll32 ..\JDFR.hdfgr,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	2704
Target ID:	4
Parent PID:	2320
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	rundll32 ..\JDFR.hdfgr,DllRegisterServer
Size:	45568
MD5:	DD81D91FF3B0763C392422865C9AC12E
Time:	22:51:04
Date:	22/02/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xff820000
Modulesize:	61440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities,	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Runs a DLL by calling functions	System Summary,	Rundll32
Spawns processes	System Summary,	Process Injection

C:\Windows\System32\rundll32.exe

rundll32 ..\JDFR.hdfgr1,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	960
Target ID:	5
Parent PID:	2320
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	rundll32 ..\JDFR.hdfgr1,DllRegisterServer
Size:	45568
MD5:	DD81D91FF3B0763C392422865C9AC12E
Time:	22:51:04
Date:	22/02/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xff820000
Modulesize:	61440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities,	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Runs a DLL by calling functions	System Summary,	Rundll32
Spawns processes	System Summary,	Process Injection

C:\Windows\System32\rundll32.exe

rundll32 ..\JDFR.hdfgr2,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	2472
Target ID:	6
Parent PID:	2320
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	rundll32 ..\JDFR.hdfgr2,DllRegisterServer
Size:	45568
MD5:	DD81D91FF3B0763C392422865C9AC12E
Time:	22:51:05
Date:	22/02/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xff820000
Modulesize:	61440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities,	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Runs a DLL by calling functions	System Summary,	Rundll32
Spawns processes	System Summary,	Process Injection

C:\Windows\System32\rundll32.exe

rundll32 ..\JDFR.hdfgr3,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	2296
Target ID:	7
Parent PID:	2320
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	rundll32 ..\JDFR.hdfgr3,DllRegisterServer
Size:	45568
MD5:	DD81D91FF3B0763C392422865C9AC12E
Time:	22:51:05
Date:	22/02/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xff820000
Modulesize:	61440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities,	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Runs a DLL by calling functions	System Summary,	Rundll32
Spawns processes	System Summary,	Process Injection

C:\Windows\System32\rundll32.exe

rundll32 ..\JDFR.hdfgr4,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	2444
Target ID:	8
Parent PID:	2320
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	rundll32 ..\JDFR.hdfgr4,DllRegisterServer
Size:	45568
MD5:	DD81D91FF3B0763C392422865C9AC12E
Time:	22:51:05
Date:	22/02/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xff820000
Modulesize:	61440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities,	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary,
Runs a DLL by calling functions	System Summary,	Rundll32
Spawns processes	System Summary,	Process Injection

URLs

Name

Malicious

http://chandni.pk/cgi-sys/suspendedpage.cgi

192.185.16.95

http://batikentklinik.com/qtuofsxtov/44249951829861100000.dat

2.59.117.215

http://7ruzezendegi.com/samsgtlfwzt/44249951829861100000.dat

185.159.153.72

http://7ruzezendegi.com/cgi-sys/suspendedpage.cgi

185.159.153.72

http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check

unknown

http://www.windows.com/pctv.

unknown

http://investor.msn.com

unknown

http://www.msnbc.com/news/ticker.txt

unknown

http://www.icra.org/vocabulary/.

unknown

http://investor.msn.com/

unknown

http://chandni.pk/ictrljsfuh/44249951829861100000.dat

192.185.16.95

http://dindorf.com.ar/ntpnttfypqs/44249951829861100000.dat

181.88.192.136

http://windowsmedia.com/redir/services.asp?WMPFriendly=true

unknown

http://www.hotmail.com/oe

unknown

There are 4 hidden URLs, click here to show them.

Domains

Name

Malicious

dindorf.com.ar

181.88.192.136

Details

Name:	dindorf.com.ar
IP:	181.88.192.136
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking,	Application Layer Protocol
Downloads files from webservers via HTTP	Networking,	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking,	Application Layer Protocol Non-Application Layer Protocol

batikentklinik.com

2.59.117.215

Details

Name:	batikentklinik.com
IP:	2.59.117.215
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking,	Application Layer Protocol
Downloads files from webservers via HTTP	Networking,	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)	Networking,	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

chandni.pk

192.185.16.95

Details

Name:	chandni.pk
IP:	192.185.16.95
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking,	Application Layer Protocol
Downloads files from webservers via HTTP	Networking,	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

miaovideo.com

112.125.131.128

7ruzezendegi.com

185.159.153.72

Details

Name:	7ruzezendegi.com
IP:	185.159.153.72
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking,	Application Layer Protocol
Downloads files from webservers via HTTP	Networking,	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

IPs

Domain

Country

Active

Malicious

185.159.153.72

unknown

Iran (ISLAMIC Republic Of)

unknown

Details

IP:	185.159.153.72
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	Iran (ISLAMIC Republic Of)
Countrycode:	IRN
ASN number:	201999
ASN name:	SERVERPARSIR
Private:	false

181.88.192.136

unknown

Argentina

unknown

Details

IP:	181.88.192.136
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	Argentina
Countrycode:	ARG
ASN number:	7303
ASN name:	TelecomArgentinaSAAR
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution

112.125.131.128

unknown

China

unknown

Details

IP:	112.125.131.128
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	China
Countrycode:	CHN
ASN number:	37963
ASN name:	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd
Private:	false

2.59.117.215

unknown

Turkey

unknown

Details

IP:	2.59.117.215
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	Turkey
Countrycode:	TUR
ASN number:	42926
ASN name:	RADORETR
Private:	false

192.185.16.95

unknown

United States

unknown

Details

IP:	192.185.16.95
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	United States
Countrycode:	USA
ASN number:	46606
ASN name:	UNIFIEDLAYER-AS-1US
Private:	false

Registry

Path

Value

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

)'4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

MTTT

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ReviewToken

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EC996

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

VBAFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DefaultSheetR2L

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

UseSystemSeparators

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ThousandsSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DecimalSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ECBC8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ECC92

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ECD4E

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ECDEA

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} {000214E6-0000-0000-C000-000000000046} 0xFFFF

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

u*4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

LastPurgeTime

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

FCBB8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

FCD5D

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EXCELFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SavedLegacySettings

There are 96 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

26C2000

unkown

page readonly

2886000

unkown

page readonly

2812000

unkown

page readonly

1CD7000

unkown

page readonly

2B0B000

heap private

page read and write

60000

unkown

page readonly

2602000

unkown

page readonly

270000

unkown

page read and write

2B52000

unkown

page readonly

228B000

heap private

page read and write

2892000

unkown

page readonly

1C50000

unkown

page readonly

29F2000

unkown

page readonly

30D0000

unkown

page read and write

1F30000

heap private

page read and write

2472000

unkown

page readonly

2AA0000

unkown

page readonly

2999000

unkown

page readonly

28B6000

unkown

page readonly

2962000

unkown

page readonly

2A25000

heap private

page read and write

2A79000

unkown

page readonly

D0000

unkown

page read and write

2A46000

unkown

page readonly

D0000

unkown

page read and write

27F4000

unkown

page readonly

380000

unkown

page readonly

70000

heap private

page read and write

2D20000

unkown

page readonly

2BE000

heap default

page read and write

2832000

unkown

page readonly

1AC0000

unkown

page readonly

2379000

heap private

page read and write

2A0000

unkown

page readonly

2502000

unkown

page readonly

86E000

unkown

page read and write

2AD0000

heap private

page read and write

275D000

unkown

page readonly

2375000

heap private

page read and write

4F0000

unkown

page readonly

2C55000

heap private

page read and write

2A30000

unkown

page readonly

880000

unkown

page readonly

2814000

unkown

page readonly

2668000

unkown

page readonly

2922000

unkown

page readonly

2478000

unkown

page readonly

2954000

unkown

page readonly

2B80000

unkown

page readonly

27F2000

unkown

page readonly

2D6000

unkown

page read and write

2255000

heap private

page read and write

27A2000

unkown

page readonly

2219000

heap private

page read and write

28D5000

unkown

page readonly

2AC2000

unkown

page readonly

2BA0000

unkown

page readonly

2962000

unkown

page readonly

20D0000

unkown

page readonly

29E0000

unkown

page readonly

27E6000

unkown

page readonly

1ED0000

heap private

page read and write

390000

unkown

page read and write

2638000

unkown

page readonly

2245000

heap private

page read and write

2974000

unkown

page readonly

2C0000

unkown

page read and write

1C87000

unkown

page readonly

106000

unkown

page read and write

2869000

unkown

page readonly

29C0000

unkown

page readonly

2C82000

unkown

page readonly

2A50000

unkown

page readonly

1F50000

unkown

page write copy

28D5000

unkown

page readonly

14C000

unkown

page read and write

2160000

unkown

page readonly

2795000

unkown

page readonly

157000

heap default

page read and write

2DE5000

heap private

page read and write

2AF2000

unkown

page readonly

29B000

unkown

page read and write

2992000

unkown

page readonly

D0000

unkown

page read and write

2839000

unkown

page readonly

2732000

unkown

page readonly

29C2000

unkown

page readonly

2055000

heap private

page read and write

2772000

unkown

page readonly

19B000

heap default

page read and write

2775000

unkown

page readonly

20F0000

unkown

page readonly

E0000

heap private

page read and write

28C2000

unkown

page readonly

2798000

unkown

page readonly

2672000

unkown

page readonly

670000

unkown

page readonly

2652000

unkown

page readonly

2905000

unkown

page readonly

27F5000

unkown

page readonly

520000

heap private

page read and write

2AE5000

unkown

page readonly

2905000

unkown

page readonly

27E9000

unkown

page readonly

2955000

unkown

page readonly

524000

heap private

page read and write

1FB0000

unkown

page write copy

2745000

unkown

page readonly

2916000

unkown

page readonly

2A99000

unkown

page readonly

2050000

heap private

page read and write

6B0000

unkown

page readonly

E0000

unkown

page read and write

2842000

unkown

page readonly

28E6000

unkown

page readonly

32E000

heap default

page read and write

100000

unkown

page read and write

2059000

heap private

page read and write

2BD0000

unkown

page readonly

2B60000

unkown

page readonly

16E000

heap default

page read and write

2A35000

unkown

page readonly

2A92000

unkown

page readonly

2AB5000

unkown

page readonly

60000

unkown

page read and write

2B15000

unkown

page readonly

2674000

unkown

page readonly

280000

heap default

page read and write

1ED0000

unkown

page write copy

60000

unkown

page readonly

2FA0000

unkown

page read and write

2B80000

unkown

page readonly

2180000

unkown

page readonly

2090000

heap private

page read and write

2634000

unkown

page readonly

2A16000

unkown

page readonly

2939000

unkown

page readonly

196000

heap default

page read and write

2786000

unkown

page readonly

26E2000

unkown

page readonly

28B6000

unkown

page readonly

21B000

unkown

page read and write

4B0000

heap private

page read and write

2919000

unkown

page readonly

2802000

unkown

page readonly

297000

heap default

page read and write

230000

unkown

page readonly

2972000

unkown

page readonly

26A2000

unkown

page readonly

2932000

unkown

page readonly

74000

heap private

page read and write

2892000

unkown

page readonly

2C50000

heap private

page read and write

2AF9000

unkown

page readonly

2E50000

unkown

page read and write

2969000

unkown

page readonly

E4000

heap private

page read and write

2892000

unkown

page readonly

2994000

unkown

page readonly

60000

unkown

page readonly

1E0000

heap private

page read and write

2249000

heap private

page read and write

2999000

unkown

page readonly

1E4000

heap private

page read and write

2745000

unkown

page readonly

2702000

unkown

page readonly

2370000

heap private

page read and write

164000

heap private

page read and write

520000

unkown

page readonly

29A0000

unkown

page readonly

2946000

unkown

page readonly

2834000

unkown

page readonly

2654000

unkown

page readonly

2792000

unkown

page readonly

2E00000

unkown

page readonly

2215000

heap private

page read and write

2090000

heap private

page read and write

2CC0000

unkown

page readonly

2A70000

unkown

page readonly

27D9000

unkown

page readonly

294D000

unkown

page readonly

2F7000

heap default

page read and write

290000

heap default

page read and write

2726000

unkown

page readonly

2732000

unkown

page readonly

2732000

unkown

page readonly

26B5000

unkown

page readonly

2BB0000

unkown

page readonly

2F00000

unkown

page read and write

460000

heap default

page read and write

1C10000

unkown

page readonly

2E1B000

heap private

page read and write

2A22000

unkown

page readonly

2825000

unkown

page readonly

2779000

unkown

page readonly

2110000

unkown

page readonly

2756000

unkown

page readonly

2809000

unkown

page readonly

2715000

unkown

page readonly

2250000

heap private

page read and write

2A76000

unkown

page readonly

1D0000

unkown

page read and write

2632000

unkown

page readonly

2969000

unkown

page readonly

2962000

unkown

page readonly

291D000

unkown

page readonly

2210000

heap private

page read and write

2824000

unkown

page readonly

29C9000

unkown

page readonly

20E9000

heap private

page read and write

20000

unkown

page readonly

2632000

unkown

page readonly

2875000

unkown

page readonly

1CA7000

unkown

page readonly

3F0000

unkown

page read and write

2A20000

heap private

page read and write

2864000

unkown

page readonly

27ED000

unkown

page readonly

2B22000

unkown

page readonly

2885000

unkown

page readonly

160000

heap private

page read and write

22B0000

unkown

page readonly

29E6000

unkown

page readonly

1F0000

unkown

page read and write

2992000

unkown

page readonly

29C2000

unkown

page readonly

2759000

unkown

page readonly

2792000

unkown

page readonly

2C8B000

heap private

page read and write

2832000

unkown

page readonly

27A5000

unkown

page readonly

20000

unkown

page readonly

3C6000

unkown

page read and write

2916000

unkown

page readonly

2A65000

unkown

page readonly

170000

unkown

page read and write

28A5000

unkown

page readonly

29F2000

unkown

page readonly

1F90000

unkown

page readonly

2AC9000

unkown

page readonly

220000

unkown

page write copy

2762000

unkown

page readonly

20E5000

heap private

page read and write

18D000

heap default

page read and write

26C4000

unkown

page readonly

2844000

unkown

page readonly

2702000

unkown

page readonly

2949000

unkown

page readonly

2B50000

unkown

page readonly

2E60000

unkown

page readonly

530000

unkown

page readonly

2C30000

unkown

page readonly

2704000

unkown

page readonly

29E5000

unkown

page readonly

2985000

unkown

page readonly

150000

unkown

page read and write

137000

heap default

page read and write

250000

unkown

page readonly

2985000

unkown

page readonly

2A05000

unkown

page readonly

287000

heap default

page read and write

2756000

unkown

page readonly

2B90000

unkown

page readonly

2A7D000

unkown

page readonly

27C5000

unkown

page readonly

49E000

heap default

page read and write

2862000

unkown

page readonly

2DE0000

heap private

page read and write

2D00000

unkown

page readonly

20000

unkown

page readonly

4B4000

heap private

page read and write

2855000

unkown

page readonly

2F6000

unkown

page read and write

100000

unkown

page readonly

27D2000

unkown

page readonly

1E37000

unkown

page readonly

2572000

unkown

page readonly

60000

unkown

page readonly

23F0000

unkown

page readonly

2862000

unkown

page readonly

FC000

unkown

page read and write

2A0000

unkown

page read and write

26E4000

unkown

page readonly

27D5000

unkown

page readonly

2240000

heap private

page read and write

2762000

unkown

page readonly

2CE0000

unkown

page readonly

1DF7000

unkown

page readonly

6DF000

unkown

page read and write

2130000

unkown

page write copy

28A5000

unkown

page readonly

20E0000

heap private

page read and write

20000

unkown

page readonly

28F2000

unkown

page readonly

27C2000

unkown

page readonly

22C0000

unkown

page readonly

1AA0000

unkown

page readonly

2952000

unkown

page readonly

28F2000

unkown

page readonly

2508000

unkown

page readonly

2410000

unkown

page readonly

2110000

unkown

page read and write

426000

unkown

page read and write

2CD0000

unkown

page readonly

2935000

unkown

page readonly

467000

heap default

page read and write

2A5B000

heap private

page read and write

28E6000

unkown

page readonly

26F6000

unkown

page readonly

420000

unkown

page readonly

2CE000

heap default

page read and write

29B5000

unkown

page readonly

21C000

unkown

page read and write

2290000

unkown

page readonly

27A9000

unkown

page readonly

2A52000

unkown

page readonly

29B5000

unkown

page readonly

ED000

unkown

page read and write

1A6000

unkown

page read and write

3A0000

unkown

page readonly

130000

heap default

page read and write

150000

heap default

page read and write

27B6000

unkown

page readonly

20000

unkown

page readonly

2862000

unkown

page readonly

29D5000

unkown

page readonly

22E0000

unkown

page readonly

F0000

unkown

page read and write

2662000

unkown

page readonly

20B0000

heap private

page read and write

2AD5000

heap private

page read and write

2992000

unkown

page readonly

2F0000

heap default

page read and write

26D2000

unkown

page readonly

2822000

unkown

page readonly

5BF000

unkown

page read and write

26E5000

unkown

page readonly

1AF0000

unkown

page readonly

26C6000

unkown

page readonly

500000

unkown

page readonly

28C2000

unkown

page readonly

120000

unkown

page readonly

There are 332 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Domains

IPs

Registry

Memdumps