Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2060
Target ID:	0
Parent PID:	584
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Size:	27641504
MD5:	5FB0A0F93382ECD19F5F499A5CAA59F0
Time:	16:16:32
Date:	23/02/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13ffb0000
Modulesize:	27758592
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\rundll32.exe

rundll32 ..\KLSD.ggsso,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	2768
Target ID:	4
Parent PID:	2060
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	rundll32 ..\KLSD.ggsso,DllRegisterServer
Size:	45568
MD5:	DD81D91FF3B0763C392422865C9AC12E
Time:	16:17:17
Date:	23/02/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xffb50000
Modulesize:	61440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\System32\rundll32.exe

rundll32 ..\KLSD.ggsso1,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	2792
Target ID:	5
Parent PID:	2060
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	rundll32 ..\KLSD.ggsso1,DllRegisterServer
Size:	45568
MD5:	DD81D91FF3B0763C392422865C9AC12E
Time:	16:17:17
Date:	23/02/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xffb50000
Modulesize:	61440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\System32\rundll32.exe

rundll32 ..\KLSD.ggsso2,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	2748
Target ID:	6
Parent PID:	2060
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	rundll32 ..\KLSD.ggsso2,DllRegisterServer
Size:	45568
MD5:	DD81D91FF3B0763C392422865C9AC12E
Time:	16:17:18
Date:	23/02/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xffb50000
Modulesize:	61440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\System32\rundll32.exe

rundll32 ..\KLSD.ggsso3,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	2472
Target ID:	7
Parent PID:	2060
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	rundll32 ..\KLSD.ggsso3,DllRegisterServer
Size:	45568
MD5:	DD81D91FF3B0763C392422865C9AC12E
Time:	16:17:18
Date:	23/02/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xffb50000
Modulesize:	61440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

C:\Windows\System32\rundll32.exe

rundll32 ..\KLSD.ggsso4,DllRegisterServer

Details

Is windows:	true
Is dropped:	false
PID:	2404
Target ID:	8
Parent PID:	2060
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	rundll32 ..\KLSD.ggsso4,DllRegisterServer
Size:	45568
MD5:	DD81D91FF3B0763C392422865C9AC12E
Time:	16:17:18
Date:	23/02/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xffb50000
Modulesize:	61440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check

unknown

http://www.windows.com/pctv.

unknown

http://jayshreewoods.com/gvazzbwlvyk/44250678185879600000.dat

13.126.100.34

http://investor.msn.com

unknown

http://www.msnbc.com/news/ticker.txt

unknown

http://sportsmarquee.com/hmffuzbolyio/44250678185879600000.dat

70.32.104.19

http://www.icra.org/vocabulary/.

unknown

http://windowsmedia.com/redir/services.asp?WMPFriendly=true

unknown

http://www.hotmail.com/oe

unknown

http://investor.msn.com/

unknown

http://raivens.com/zdmqwymhhza/44250678185879600000.dat

159.89.174.35

http://erp.demosoftware.biz/focahjqevd/44250678185879600000.dat

58.96.102.67

There are 2 hidden URLs, click here to show them.

Domains

Name

Malicious

parama-college.id

203.142.76.236

Details

Name:	parama-college.id
IP:	203.142.76.236
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

erp.demosoftware.biz

58.96.102.67

Details

Name:	erp.demosoftware.biz
IP:	58.96.102.67
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

sportsmarquee.com

70.32.104.19

Details

Name:	sportsmarquee.com
IP:	70.32.104.19
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

raivens.com

159.89.174.35

Details

Name:	raivens.com
IP:	159.89.174.35
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Uses secure TLS version for HTTPS connections	Compliance, Networking

jayshreewoods.com

13.126.100.34

Details

Name:	jayshreewoods.com
IP:	13.126.100.34
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Active

Malicious

13.126.100.34

unknown

United States

unknown

Details

IP:	13.126.100.34
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

159.89.174.35

unknown

United States

unknown

Details

IP:	159.89.174.35
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	United States
Countrycode:	USA
ASN number:	14061
ASN name:	DIGITALOCEAN-ASNUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Uses secure TLS version for HTTPS connections	Compliance, Networking

58.96.102.67

unknown

Australia

unknown

Details

IP:	58.96.102.67
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	Australia
Countrycode:	AUS
ASN number:	10143
ASN name:	EXETEL-AS-APExetelPtyLtdAU
Private:	false

203.142.76.236

unknown

Indonesia

unknown

Details

IP:	203.142.76.236
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	Indonesia
Countrycode:	IDN
ASN number:	17451
ASN name:	BIZNET-AS-APBIZNETNETWORKSID
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution

70.32.104.19

unknown

United States

unknown

Details

IP:	70.32.104.19
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	United States
Countrycode:	USA
ASN number:	398110
ASN name:	GO-DADDY-COM-LLCUS
Private:	false

Registry

Path

Value

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

e~6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

MTTT

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ReviewToken

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EBE40

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

VBAFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DefaultSheetR2L

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

UseSystemSeparators

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ThousandsSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DecimalSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EC081

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EC14C

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EC246

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EC2D2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} {000214E6-0000-0000-C000-000000000046} 0xFFFF

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ng6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\system32\qagentrt.dll,-10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\fveui.dll,-843

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\fveui.dll,-844

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\wuaueng.dll,-400

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

LastPurgeTime

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

100030

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

100232

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EXCELFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SavedLegacySettings

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

There are 108 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2965000

unkown

page readonly

2AD2000

unkown

page readonly

20000

unkown

page readonly

2852000

unkown

page readonly

E0000

unkown

page read and write

21D0000

unkown

page readonly

31E000

heap default

page read and write

2975000

unkown

page readonly

2BB000

heap default

page read and write

2BB0000

unkown

page read and write

29A2000

unkown

page readonly

2804000

unkown

page readonly

1BC0000

unkown

page readonly

2050000

heap private

page read and write

1FA0000

unkown

page write copy

22A0000

unkown

page readonly

1D0000

heap private

page read and write

1D4000

heap private

page read and write

2C6000

unkown

page read and write

2962000

unkown

page readonly

2825000

unkown

page readonly

2A26000

unkown

page readonly

2C52000

unkown

page readonly

2389000

heap private

page read and write

2648000

unkown

page readonly

2E90000

heap private

page read and write

2768000

unkown

page readonly

2839000

unkown

page readonly

2100000

unkown

page readonly

100000

unkown

page write copy

2552000

unkown

page readonly

2055000

heap private

page read and write

2909000

unkown

page readonly

D0000

unkown

page read and write

3C0000

unkown

page readonly

2B02000

unkown

page readonly

2802000

unkown

page readonly

28D5000

unkown

page readonly

1AE000

heap default

page read and write

28C6000

unkown

page readonly

2A99000

unkown

page readonly

2AF5000

unkown

page readonly

2CB0000

heap private

page read and write

2A62000

unkown

page readonly

60000

unkown

page read and write

2A62000

unkown

page readonly

60000

unkown

page readonly

2AE5000

unkown

page readonly

2229000

heap private

page read and write

3A0000

unkown

page read and write

41E000

heap default

page read and write

29F2000

unkown

page readonly

60000

unkown

page readonly

2280000

unkown

page readonly

2F10000

unkown

page readonly

277000

heap default

page read and write

2200000

heap private

page read and write

2A86000

unkown

page readonly

2A15000

unkown

page readonly

2C0000

heap default

page read and write

28E2000

unkown

page readonly

2945000

unkown

page readonly

E0000

unkown

page read and write

2A42000

unkown

page readonly

15C000

unkown

page read and write

5BE000

unkown

page read and write

27E2000

unkown

page readonly

2B09000

unkown

page readonly

EB000

unkown

page read and write

370000

unkown

page read and write

28F6000

unkown

page readonly

290000

unkown

page read and write

660000

unkown

page readonly

1B90000

unkown

page readonly

2742000

unkown

page readonly

60000

unkown

page readonly

210000

unkown

page write copy

2A49000

unkown

page readonly

2952000

unkown

page readonly

1DA7000

unkown

page readonly

2A80000

unkown

page readonly

2D20000

heap private

page read and write

2DE000

heap default

page read and write

27E2000

unkown

page readonly

2732000

unkown

page readonly

27E4000

unkown

page readonly

28A6000

unkown

page readonly

214000

heap private

page read and write

2D25000

heap private

page read and write

2D10000

unkown

page readonly

D0000

unkown

page read and write

18B000

unkown

page read and write

170000

heap default

page read and write

2340000

heap private

page read and write

27C5000

unkown

page readonly

2B90000

unkown

page readonly

380000

unkown

page write copy

1B30000

unkown

page readonly

164000

heap private

page read and write

2400000

unkown

page readonly

2B50000

unkown

page readonly

2130000

heap private

page read and write

29A2000

unkown

page readonly

4E0000

unkown

page readonly

2642000

unkown

page readonly

2AA0000

unkown

page readonly

210000

heap private

page read and write

2A69000

unkown

page readonly

283D000

unkown

page readonly

29A9000

unkown

page readonly

1D17000

unkown

page readonly

28B9000

unkown

page readonly

2FE000

heap default

page read and write

2B70000

unkown

page readonly

2C7000

heap default

page read and write

60000

unkown

page readonly

1D77000

unkown

page readonly

28B5000

unkown

page readonly

27A2000

unkown

page readonly

2992000

unkown

page readonly

2A6000

unkown

page read and write

2964000

unkown

page readonly

2734000

unkown

page readonly

620000

unkown

page readonly

28D2000

unkown

page readonly

29D2000

unkown

page readonly

292D000

unkown

page readonly

2CF0000

unkown

page read and write

2802000

unkown

page readonly

2795000

unkown

page readonly

F0000

unkown

page readonly

2929000

unkown

page readonly

2882000

unkown

page readonly

2842000

unkown

page readonly

2752000

unkown

page readonly

2349000

heap private

page read and write

2205000

heap private

page read and write

2B70000

unkown

page readonly

28E5000

unkown

page readonly

2754000

unkown

page readonly

1DE7000

unkown

page readonly

2889000

unkown

page readonly

2804000

unkown

page readonly

60000

unkown

page readonly

2922000

unkown

page readonly

28F5000

unkown

page readonly

2A45000

unkown

page readonly

2806000

unkown

page readonly

2782000

unkown

page readonly

470000

unkown

page readonly

2E0000

heap default

page read and write

20000

unkown

page readonly

160000

unkown

page read and write

2380000

heap private

page read and write

2AC2000

unkown

page readonly

2CD0000

unkown

page readonly

2A75000

unkown

page readonly

2A89000

unkown

page readonly

2875000

unkown

page readonly

2CEB000

heap private

page read and write

28A2000

unkown

page readonly

2862000

unkown

page readonly

2B12000

unkown

page readonly

2926000

unkown

page readonly

2885000

unkown

page readonly

2AA9000

unkown

page readonly

2982000

unkown

page readonly

1C0000

heap private

page read and write

2A92000

unkown

page readonly

29D5000

unkown

page readonly

2AC0000

unkown

page readonly

1C4000

heap private

page read and write

2A22000

unkown

page readonly

260000

unkown

page read and write

20B000

unkown

page read and write

2812000

unkown

page readonly

28A5000

unkown

page readonly

270000

heap default

page read and write

18D000

unkown

page read and write

20000

unkown

page readonly

29E5000

unkown

page readonly

2DA0000

unkown

page readonly

2AD9000

unkown

page readonly

2949000

unkown

page readonly

20000

unkown

page readonly

3E0000

heap default

page read and write

2882000

unkown

page readonly

26F000

unkown

page read and write

4E0000

unkown

page readonly

2385000

heap private

page read and write

23E0000

unkown

page readonly

2E7000

heap default

page read and write

2915000

unkown

page readonly

27F5000

unkown

page readonly

2942000

unkown

page readonly

2AE0000

unkown

page readonly

160000

heap private

page read and write

2B6000

heap default

page read and write

2714000

unkown

page readonly

2859000

unkown

page readonly

A9F000

unkown

page read and write

2D5B000

heap private

page read and write

2AD000

heap default

page read and write

416000

unkown

page read and write

2995000

unkown

page readonly

2DA0000

unkown

page readonly

23C0000

unkown

page readonly

2D30000

unkown

page readonly

2822000

unkown

page readonly

196000

unkown

page read and write

29C2000

unkown

page readonly

2A32000

unkown

page readonly

2558000

unkown

page readonly

29F6000

unkown

page readonly

2CD0000

unkown

page readonly

2972000

unkown

page readonly

2C92000

unkown

page readonly

2906000

unkown

page readonly

2A7000

heap default

page read and write

2902000

unkown

page readonly

2824000

unkown

page readonly

2964000

unkown

page readonly

3E7000

heap default

page read and write

2BB0000

unkown

page readonly

29A5000

unkown

page readonly

177000

heap default

page read and write

27A8000

unkown

page readonly

2EF0000

unkown

page readonly

5F0000

unkown

page readonly

2420000

unkown

page readonly

E0000

unkown

page read and write

29B6000

unkown

page readonly

2865000

unkown

page readonly

1C00000

unkown

page readonly

28D6000

unkown

page readonly

160000

unkown

page read and write

2896000

unkown

page readonly

2712000

unkown

page readonly

2AC5000

unkown

page readonly

2A4D000

unkown

page readonly

28B2000

unkown

page readonly

2D20000

heap private

page read and write

3D6000

unkown

page read and write

2040000

unkown

page write copy

2225000

heap private

page read and write

29A4000

unkown

page readonly

2895000

unkown

page readonly

2762000

unkown

page readonly

2929000

unkown

page readonly

290D000

unkown

page readonly

1C00000

unkown

page readonly

540000

unkown

page readonly

2220000

heap private

page read and write

2CF0000

unkown

page readonly

2924000

unkown

page readonly

4A0000

unkown

page readonly

2B25000

unkown

page readonly

2E70000

heap private

page read and write

2982000

unkown

page readonly

660000

unkown

page readonly

2979000

unkown

page readonly

20000

unkown

page readonly

D0000

unkown

page read and write

2652000

unkown

page readonly

2A0000

heap default

page read and write

594000

heap private

page read and write

2AC9000

unkown

page readonly

21B0000

unkown

page readonly

2962000

unkown

page readonly

28B2000

unkown

page readonly

2345000

heap private

page read and write

2A16000

unkown

page readonly

1F70000

unkown

page readonly

1DE7000

unkown

page readonly

2984000

unkown

page readonly

3E0000

unkown

page read and write

28C5000

unkown

page readonly

2B90000

unkown

page readonly

28C000

unkown

page read and write

2C90000

unkown

page readonly

3000000

unkown

page read and write

27A6000

unkown

page readonly

640000

unkown

page readonly

29A5000

unkown

page readonly

2E95000

heap private

page read and write

28A2000

unkown

page readonly

2D25000

heap private

page read and write

2A85000

unkown

page readonly

2059000

heap private

page read and write

21A0000

unkown

page readonly

2AB5000

unkown

page readonly

270000

unkown

page read and write

2844000

unkown

page readonly

464000

heap private

page read and write

2A56000

unkown

page readonly

2A02000

unkown

page readonly

2628000

unkown

page readonly

2EAB000

heap private

page read and write

460000

heap private

page read and write

9CF000

unkown

page read and write

2872000

unkown

page readonly

21F0000

unkown

page read and write

2050000

heap private

page read and write

1FC0000

heap private

page read and write

2852000

unkown

page readonly

D0000

unkown

page read and write

2170000

heap private

page read and write

2E75000

heap private

page read and write

2836000

unkown

page readonly

2A05000

unkown

page readonly

2A8D000

unkown

page readonly

22A0000

unkown

page readonly

2CB5000

heap private

page read and write

2722000

unkown

page readonly

2942000

unkown

page readonly

2CB0000

unkown

page readonly

2A46000

unkown

page readonly

2A35000

unkown

page readonly

2D5B000

heap private

page read and write

27B2000

unkown

page readonly

2944000

unkown

page readonly

2B32000

unkown

page readonly

22C0000

unkown

page readonly

2ECB000

heap private

page read and write

2822000

unkown

page readonly

2209000

heap private

page read and write

2922000

unkown

page readonly

1FE0000

unkown

page readonly

2AA2000

unkown

page readonly

29E6000

unkown

page readonly

29C5000

unkown

page readonly

2120000

heap private

page read and write

2959000

unkown

page readonly

2989000

unkown

page readonly

590000

heap private

page read and write

2824000

unkown

page readonly

20D0000

unkown

page read and write

2622000

unkown

page readonly

3A6000

unkown

page read and write

27D6000

unkown

page readonly

2876000

unkown

page readonly

There are 331 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Domains

IPs

Registry

Memdumps