Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

MKDRPSJS9E999494993.xlsx

CDFV2 Encrypted

initial sample

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\svchost[1].exe

PE32 executable (GUI) Intel 80386, for MS Windows

downloaded

C:\Users\user\Desktop\~$MKDRPSJS9E999494993.xlsx

data

dropped

C:\Users\Public\vbc.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\8c74Ut[1].htm

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\189FF3B9.jpeg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 550x310, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2D220241.png

PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4DC46D3C.png

PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\59943EF7.jpeg

JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5D141431.jpeg

JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\609FBB1D.png

PNG image data, 94 x 142, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\782D07EB.png

PNG image data, 94 x 142, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B545667.jpeg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 550x310, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A2B0D764.jpeg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 935x300, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ACBFC72F.png

PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B2D98C7E.png

PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BA225833.jpeg

JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BFDDCC98.png

PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C190C815.jpeg

JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C3BC9C8C.jpeg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 248x140, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C84C1666.png

PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D16408F0.png

PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D27F0E7A.png

PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E1F8712.jpeg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 248x140, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E3F1BB40.emf

Windows Enhanced Metafile (EMF) image data version 0x10000

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FF9034E.jpeg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 935x300, frames 3

dropped

There are 16 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2536
Target ID:	2
Parent PID:	584
Name:	EQNEDT32.EXE
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Size:	543304
MD5:	A87236E214F6D42A65F5DEDAC816AEC8
Time:	12:05:13
Date:	31/03/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	581632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary
Sigma detected: EQNEDT32.EXE connecting to internet	System Summary
Sigma detected: File Dropped By EQNEDT32EXE	System Summary
Sigma detected: Executables Started in Suspicious Folder	System Summary
Sigma detected: Execution in Non-Executable Folder	System Summary
Sigma detected: Suspicious Program Location Process Starts	System Summary
Office Equation Editor has been started	Exploits
Spawns processes	System Summary	Process Injection

C:\Users\Public\vbc.exe

'C:\Users\Public\vbc.exe'

Details

Is windows:	false
Is dropped:	true
PID:	2692
Target ID:	4
Parent PID:	2536
Name:	vbc.exe
Path:	C:\Users\Public\vbc.exe
Commandline:	'C:\Users\Public\vbc.exe'
Size:	73728
MD5:	6CC6D1DD6CDD848693426A270563C921
Time:	12:05:16
Date:	31/03/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary
Yara detected GuLoader	Data Obfuscation
Drops PE files to the user root directory	Boot Survival	Masquerading
Office equation editor drops PE file	System Summary
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits	Exploitation for Client Execution
Sigma detected: Executables Started in Suspicious Folder	System Summary
Sigma detected: Execution in Non-Executable Folder	System Summary
Sigma detected: Suspicious Program Location Process Starts	System Summary
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Yara detected VB6 Downloader Generic	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Spawns processes	System Summary	Process Injection

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	920
Target ID:	0
Parent PID:	584
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Size:	27641504
MD5:	5FB0A0F93382ECD19F5F499A5CAA59F0
Time:	12:04:51
Date:	31/03/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f330000
Modulesize:	27758592
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Allocates a big amount of memory (probably used for heap spraying)	Software Vulnerabilities	Extra Window Memory Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://stdyworkfinetraistfh.dns.army/findoc/svchost.exe

103.141.138.118

Details

Name:	http://stdyworkfinetraistfh.dns.army/findoc/svchost.exe
IP:	103.141.138.118
TargetID:	2
From Memory:	false
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Sigma detected: EQNEDT32.EXE connecting to internet	System Summary
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking

http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check

unknown

Details

Name:	http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
TargetID:	4
From Memory:	true
Current Path:	C:\Users\Public\vbc.exe
Source:	vbc.exe, 00000004.00000002.2383679135.0000000003167000.00000002.00000001.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking

http://www.icra.org/vocabulary/.

unknown

Details

Name:	http://www.icra.org/vocabulary/.
TargetID:	4
From Memory:	true
Current Path:	C:\Users\Public\vbc.exe
Source:	vbc.exe, 00000004.00000002.2383679135.0000000003167000.00000002.00000001.sdmp

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking

http://windowsmedia.com/redir/services.asp?WMPFriendly=true

unknown

Details

Name:	http://windowsmedia.com/redir/services.asp?WMPFriendly=true
TargetID:	4
From Memory:	true
Current Path:	C:\Users\Public\vbc.exe
Source:	vbc.exe, 00000004.00000002.2383679135.0000000003167000.00000002.00000001.sdmp

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking

Domains

Name

Malicious

stdyworkfinetraistfh.dns.army

103.141.138.118

Details

Name:	stdyworkfinetraistfh.dns.army
IP:	103.141.138.118
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	System Summary
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

is.gd

104.25.234.53

Details

Name:	is.gd
IP:	104.25.234.53
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Connects to a URL shortener service	Networking	Spearphishing Link
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

103.141.138.118

stdyworkfinetraistfh.dns.army

Viet Nam

Details

IP:	103.141.138.118
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Country:	Viet Nam
Countrycode:	VNM
ASN number:	135905
ASN name:	VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Private:	false
Domain:	stdyworkfinetraistfh.dns.army

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	System Summary
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking

172.67.83.132

unknown

United States

Details

IP:	172.67.83.132
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

jw7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

MTTT

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ReviewToken

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F0770

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

FontCachePath

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

VBAFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DefaultSheetR2L

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

UseSystemSeparators

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ThousandsSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DecimalSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

a$8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F564B

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F6420

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 21

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

LastPurgeTime

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductNonBootFilesIntl_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EXCELFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F564B

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductNonBootFilesIntl_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductNonBootFilesIntl_1033

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

EquationEditorFilesIntl_1033

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

SavedLegacySettings

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Blob

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Blob

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Blob

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Blob

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Blob

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Blob

There are 60 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2D22000

unkown

page readonly

2BF4000

unkown

page readonly

2EE2000

unkown

page readonly

2CDD000

unkown

page readonly

1F70000

heap private

page read and write

386000

heap default

page read and write

2E0000

heap private

page read and write

2380000

unkown

page readonly

4A9000

heap private

page read and write

790000

unkown

page readonly

2CA6000

unkown

page readonly

400000

unkown image

page readonly

2BB4000

unkown

page readonly

2C95000

unkown

page readonly

860000

heap private

page read and write

290000

unkown

page read and write

2C35000

unkown

page readonly

1B0000

unkown

page readonly

2BB2000

unkown

page readonly

2BF2000

unkown

page readonly

2F20000

unkown

page readonly

2B0000

unkown

page readonly

400000

unkown image

page readonly

2D59000

unkown

page readonly

A00000

unkown

page readonly

2650000

unkown

page readonly

2AF2000

unkown

page readonly

2CB2000

unkown

page readonly

2BD2000

unkown

page readonly

7EFDF000

unkown

page read and write

2CD6000

unkown

page readonly

1E00000

unkown

page readonly

2CF9000

unkown

page readonly

23B000

heap private

page read and write

2CF2000

unkown

page readonly

280000

unkown

page readonly

2670000

unkown

page readonly

238000

heap private

page read and write

411000

unkown image

page readonly

597000

heap default

page read and write

2D52000

unkown

page readonly

690000

unkown

page readonly

3D0000

unkown

page execute and read and write

3167000

unkown

page readonly

2D29000

unkown

page readonly

420000

unkown

page read and write

411000

unkown image

page readonly

400000

unkown image

page readonly

1ED000

unkown

page read and write

2F60000

unkown

page readonly

220000

heap private

page read and write

2C22000

unkown

page readonly

410000

unkown image

page read and write

2C46000

unkown

page readonly

4EF000

unkown

page read and write

2C65000

unkown

page readonly

226000

unkown

page read and write

4C7000

heap private

page read and write

340000

heap default

page read and write

29F8000

unkown

page readonly

1F0000

unkown

page read and write

29F2000

unkown

page readonly

2CD9000

unkown

page readonly

401000

unkown image

page execute read

2C82000

unkown

page readonly

5B4000

heap default

page read and write

320000

heap default

page read and write

88000

unkown

page read and write

2C52000

unkown

page readonly

590000

heap default

page read and write

2D15000

unkown

page readonly

347000

heap default

page read and write

37D000

heap default

page read and write

38B000

heap default

page read and write

2BD4000

unkown

page readonly

2D75000

unkown

page readonly

3A0000

unkown

page read and write

230000

heap private

page read and write

401000

unkown image

page execute read

18C000

unkown

page read and write

4A0000

heap private

page read and write

114000

heap private

page read and write

2F40000

unkown

page readonly

1F80000

unkown

page read and write

2CC5000

unkown

page readonly

110000

heap private

page read and write

B0F000

unkown

page read and write

2E4000

heap private

page read and write

20000

unkown

page read and write

302000

heap private

page read and write

810000

unkown

page readonly

234000

heap private

page read and write

2F80000

unkown

page readonly

270000

unkown

page execute read

2D0000

unkown

page readonly

60000

unkown

page readonly

2C76000

unkown

page readonly

2D45000

unkown

page readonly

63E000

unkown

page read and write

2A0000

unkown

page write copy

There are 90 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Domains

IPs

Registry

Memdumps