Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	648
Target ID:	0
Parent PID:	584
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Size:	27641504
MD5:	5FB0A0F93382ECD19F5F499A5CAA59F0
Time:	09:14:35
Date:	07/04/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13faa0000
Modulesize:	27758592
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Allocates a big amount of memory (probably used for heap spraying)	Software Vulnerabilities	Extra Window Memory Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\regsvr32.exe

regsvr32 -s ..\oeiwkd

Details

Is windows:	true
Is dropped:	false
PID:	2508
Target ID:	3
Parent PID:	648
Name:	regsvr32.exe
Class:	system-tools
Path:	C:\Windows\System32\regsvr32.exe
Commandline:	regsvr32 -s ..\oeiwkd
Size:	19456
MD5:	59BCE9F07985F8A4204F4D6554CFF708
Time:	09:14:43
Date:	07/04/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xff580000
Modulesize:	32768
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Spawns processes	System Summary	Process Injection

C:\Windows\System32\regsvr32.exe

regsvr32 -s

Details

Is windows:	true
Is dropped:	false
PID:	2496
Target ID:	4
Parent PID:	648
Name:	regsvr32.exe
Class:	system-tools
Path:	C:\Windows\System32\regsvr32.exe
Commandline:	regsvr32 -s
Size:	19456
MD5:	59BCE9F07985F8A4204F4D6554CFF708
Time:	09:14:43
Date:	07/04/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xff580000
Modulesize:	32768
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Spawns processes	System Summary	Process Injection

C:\Windows\System32\regsvr32.exe

regsvr32 -s

Details

Is windows:	true
Is dropped:	false
PID:	2552
Target ID:	5
Parent PID:	648
Name:	regsvr32.exe
Class:	system-tools
Path:	C:\Windows\System32\regsvr32.exe
Commandline:	regsvr32 -s
Size:	19456
MD5:	59BCE9F07985F8A4204F4D6554CFF708
Time:	09:14:43
Date:	07/04/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xff580000
Modulesize:	32768
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Spawns processes	System Summary	Process Injection

C:\Windows\System32\regsvr32.exe

regsvr32 -s

Details

Is windows:	true
Is dropped:	false
PID:	2604
Target ID:	6
Parent PID:	648
Name:	regsvr32.exe
Class:	system-tools
Path:	C:\Windows\System32\regsvr32.exe
Commandline:	regsvr32 -s
Size:	19456
MD5:	59BCE9F07985F8A4204F4D6554CFF708
Time:	09:14:43
Date:	07/04/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xff580000
Modulesize:	32768
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Spawns processes	System Summary	Process Injection

C:\Windows\System32\regsvr32.exe

regsvr32 -s

Details

Is windows:	true
Is dropped:	false
PID:	2544
Target ID:	7
Parent PID:	648
Name:	regsvr32.exe
Class:	system-tools
Path:	C:\Windows\System32\regsvr32.exe
Commandline:	regsvr32 -s
Size:	19456
MD5:	59BCE9F07985F8A4204F4D6554CFF708
Time:	09:14:44
Date:	07/04/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xff580000
Modulesize:	32768
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://kautilyaclasses.com/ds/index.html

192.185.56.250

Details

Name:	http://kautilyaclasses.com/ds/index.html
IP:	192.185.56.250
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection

http://bodylanguage.santulan.co.in/ds/index.html

111.118.215.222

Details

Name:	http://bodylanguage.santulan.co.in/ds/index.html
IP:	111.118.215.222
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking

http://kullumanalitours.com/ds/index.html

103.211.216.55

Details

Name:	http://kullumanalitours.com/ds/index.html
IP:	103.211.216.55
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection

http://corwin-tommie06f.ru.com/index.html

8.211.4.209

Details

Name:	http://corwin-tommie06f.ru.com/index.html
IP:	8.211.4.209
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Source:	network

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution

http://katelynn9506a.ru.com/index.html

8.211.4.209

Details

Name:	http://katelynn9506a.ru.com/index.html
IP:	8.211.4.209
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Source:	network

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution

http://servername/isapibackend.dll

unknown

Details

Name:	http://servername/isapibackend.dll
TargetID:	3
From Memory:	true
Current Path:	C:\Windows\System32\regsvr32.exe
Source:	regsvr32.exe, 00000003.00000002.2091998985.0000000001CF0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092597864.0000000001C90000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2093476995.0000000001C10000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2094439546.0000000001CF0000.00000002.00000001.sdmp, regsvr32.exe, 00000007.00000002.2094938735.0000000001D30000.00000002.00000001.sdmp
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

bodylanguage.santulan.co.in

111.118.215.222

Details

Name:	bodylanguage.santulan.co.in
IP:	111.118.215.222
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

kautilyaclasses.com

192.185.56.250

Details

Name:	kautilyaclasses.com
IP:	192.185.56.250
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

corwin-tommie06f.ru.com

8.211.4.209

Details

Name:	corwin-tommie06f.ru.com
IP:	8.211.4.209
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

katelynn9506a.ru.com

8.211.4.209

Details

Name:	katelynn9506a.ru.com
IP:	8.211.4.209
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

kullumanalitours.com

103.211.216.55

Details

Name:	kullumanalitours.com
IP:	103.211.216.55
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

IPs

Domain

Country

Malicious

111.118.215.222

bodylanguage.santulan.co.in

India

Details

IP:	111.118.215.222
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	India
Countrycode:	IND
ASN number:	394695
ASN name:	PUBLIC-DOMAIN-REGISTRYUS
Private:	false
Domain:	bodylanguage.santulan.co.in

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking

103.211.216.55

kullumanalitours.com

Seychelles

Details

IP:	103.211.216.55
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	Seychelles
Countrycode:	SYC
ASN number:	394695
ASN name:	PUBLIC-DOMAIN-REGISTRYUS
Private:	false
Domain:	kullumanalitours.com

192.185.56.250

kautilyaclasses.com

United States

Details

IP:	192.185.56.250
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	United States
Countrycode:	USA
ASN number:	46606
ASN name:	UNIFIEDLAYER-AS-1US
Private:	false
Domain:	kautilyaclasses.com

8.211.4.209

corwin-tommie06f.ru.com

Singapore

Details

IP:	8.211.4.209
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	Singapore
Countrycode:	SGP
ASN number:	45102
ASN name:	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Private:	false
Domain:	corwin-tommie06f.ru.com

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution

Registry

Path

Value

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

d 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

MTTT

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ReviewToken

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EC800

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

VBAFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DefaultSheetR2L

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

UseSystemSeparators

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ThousandsSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DecimalSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ECB2C

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ECC92

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ECD7C

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} {000214E6-0000-0000-C000-000000000046} 0xFFFF

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

7*4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F693E

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F79B2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

LastPurgeTime

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EXCELFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SavedLegacySettings

There are 95 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

70000

unkown

page read and write

70000

unkown

page readonly

4F0000

unkown

page readonly

20000

unkown

page readonly

A4000

heap private

page read and write

506000

unkown

page read and write

28C000

unkown

page read and write

570000

unkown

page readonly

470000

heap default

page read and write

4C3000

heap default

page read and write

2CA000

heap default

page read and write

4CA000

heap default

page read and write

370000

unkown

page read and write

24A000

heap default

page read and write

477000

heap default

page read and write

2085000

heap private

page read and write

190000

heap private

page read and write

A0000

heap private

page read and write

F0000

unkown

page readonly

1CF0000

unkown

page readonly

247000

heap default

page read and write

5D0000

unkown

page readonly

80000

unkown

page read and write

1A0000

heap private

page read and write

1C90000

unkown

page readonly

510000

unkown

page read and write

790000

unkown

page readonly

243000

heap default

page read and write

4A6000

unkown

page read and write

1EE000

heap default

page read and write

4C0000

heap private

page read and write

BC000

unkown

page read and write

1B7000

heap default

page read and write

20000

unkown

page readonly

1D4000

heap private

page read and write

6F0000

unkown

page readonly

270000

heap default

page read and write

1D0000

heap private

page read and write

80000

unkown

page read and write

20000

unkown

page readonly

2C3000

heap default

page read and write

2100000

unkown

page readonly

2F0000

unkown

page read and write

20000

unkown

page readonly

3F0000

unkown

page read and write

4D0000

unkown

page read and write

326000

unkown

page read and write

446000

unkown

page read and write

20000

unkown

page readonly

20BB000

heap private

page read and write

136000

unkown

page read and write

610000

unkown

page readonly

410000

unkown

page read and write

90000

heap private

page read and write

130000

unkown

page readonly

320000

unkown

page read and write

27E000

heap default

page read and write

356000

unkown

page read and write

470000

unkown

page read and write

94000

heap private

page read and write

1F7000

heap default

page read and write

3A6000

unkown

page read and write

750000

unkown

page readonly

750000

heap private

page read and write

2080000

heap private

page read and write

29A000

heap default

page read and write

1E0000

heap private

page read and write

293000

heap default

page read and write

160000

unkown

page read and write

1D30000

unkown

page readonly

570000

unkown

page readonly

2AE000

heap default

page read and write

203000

heap default

page read and write

22E000

heap default

page read and write

277000

heap default

page read and write

400000

heap private

page read and write

426000

unkown

page read and write

6F0000

unkown

page readonly

546000

unkown

page read and write

170000

unkown

page read and write

1B0000

heap default

page read and write

E0000

unkown

page read and write

F0000

unkown

page read and write

2C6000

unkown

page read and write

70000

unkown

page read and write

424000

heap private

page read and write

15D000

unkown

page read and write

170000

unkown

page read and write

1C10000

unkown

page readonly

1A4000

heap private

page read and write

1CF0000

unkown

page readonly

290000

unkown

page read and write

160000

unkown

page read and write

2B0000

unkown

page readonly

1E4000

heap private

page read and write

240000

heap default

page read and write

754000

heap private

page read and write

4C4000

heap private

page read and write

1F0000

heap default

page read and write

70000

unkown

page readonly

12D000

unkown

page read and write

20A000

heap default

page read and write

194000

heap private

page read and write

100000

unkown

page read and write

4AE000

heap default

page read and write

404000

heap private

page read and write

420000

heap private

page read and write

670000

unkown

page readonly

21E0000

unkown

page write copy

14D000

unkown

page read and write

There are 100 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Domains

IPs

Registry

Memdumps