Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2004
Target ID:	0
Parent PID:	584
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Size:	27641504
MD5:	5FB0A0F93382ECD19F5F499A5CAA59F0
Time:	18:46:40
Date:	07/04/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f6f0000
Modulesize:	27758592
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\rundll32.exe

rundll32 ..\ndgfht.frg,PluginInit

Details

Is windows:	true
Is dropped:	false
PID:	2536
Target ID:	3
Parent PID:	2004
Name:	rundll32.exe
Class:	rundll32
Path:	C:\Windows\System32\rundll32.exe
Commandline:	rundll32 ..\ndgfht.frg,PluginInit
Size:	45568
MD5:	DD81D91FF3B0763C392422865C9AC12E
Time:	18:46:45
Date:	07/04/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xff8a0000
Modulesize:	61440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Keylogger Generic	Key, Mouse, Clipboard, Microphone and Screen Capturing
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\rundll32.exe

rundll32 ..\ndgfht.frg,PluginInit

Details

Is windows:	true
Is dropped:	false
PID:	1108
Target ID:	4
Parent PID:	2536
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	rundll32 ..\ndgfht.frg,PluginInit
Size:	44544
MD5:	51138BEEA3E2C21EC44D0932C71762A8
Time:	18:46:45
Date:	07/04/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xe40000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Keylogger Generic	Key, Mouse, Clipboard, Microphone and Screen Capturing
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe

Details

Is windows:	true
Is dropped:	false
PID:	3032
Target ID:	8
Parent PID:	1108
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	C:\Windows\System32\cmd.exe
Size:	302592
MD5:	AD7B9C14083B52BC532FBA5948342B98
Time:	18:47:32
Date:	07/04/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0

unknown

http://www.a-cert.at0E

unknown

http://www.certplus.com/CRL/class3.crl0

unknown

http://www.e-me.lv/repository0

unknown

http://www.acabogacia.org/doc0

unknown

http://crl.chambersign.org/chambersroot.crl0

unknown

http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0

unknown

http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0

unknown

http://www.certifikat.dk/repository0

unknown

http://www.chambersign.org1

unknown

http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0

unknown

http://www.diginotar.nl/cps/pkioverheid0

unknown

http://www.pkioverheid.nl/policies/root-policy0

unknown

http://repository.swisssign.com/0

unknown

http://crl.ssc.lt/root-c/cacrl.crl0

unknown

https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0

unknown

http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl

unknown

http://ca.disig.sk/ca/crl/ca_disig.crl0

unknown

http://www.certplus.com/CRL/class3P.crl0

unknown

http://repository.infonotary.com/cps/qcps.html0$

unknown

http://www.post.trust.ie/reposit/cps.html0

unknown

http://www.certplus.com/CRL/class2.crl0

unknown

http://www.disig.sk/ca/crl/ca_disig.crl0

unknown

http://ocsp.infonotary.com/responder.cgi0V

unknown

http://www.sk.ee/cps/0

unknown

http://www.certicamara.com0

unknown

http://www.globaltrust.info0=

unknown

https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E

unknown

http://www.ssc.lt/cps03

unknown

http://www.windows.com/pctv.

unknown

http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=

unknown

http://ocsp.pki.gva.es0

unknown

http://crl.oces.certifikat.dk/oces.crl0

unknown

http://crl.ssc.lt/root-b/cacrl.crl0

unknown

http://www.certicamara.com/dpc/0Z

unknown

http://crl.pki.wellsfargo.com/wsprca.crl0

unknown

http://www.dnie.es/dpc0

unknown

http://www.rootca.or.kr/rca/cps.html0

unknown

http://www.trustcenter.de/guidelines0

unknown

http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0

unknown

http://windowsmedia.com/redir/services.asp?WMPFriendly=true

unknown

http://www.globaltrust.info0

unknown

http://certificates.starfieldtech.com/repository/1604

unknown

http://www.certplus.com/CRL/class3TS.crl0

unknown

http://www.entrust.net/CRL/Client1.crl0

unknown

http://www.entrust.net/CRL/net1.crl0

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.

unknown

https://www.catcert.net/verarrel

unknown

http://www.disig.sk/ca0f

unknown

http://www.e-szigno.hu/RootCA.crl

unknown

http://www.signatur.rtr.at/current.crl0

unknown

http://www.sk.ee/juur/crl/0

unknown

http://crl.chambersign.org/chambersignroot.crl0

unknown

http://crl.xrampsecurity.com/XGCA.crl0

unknown

http://www.quovadis.bm0

unknown

http://crl.ssc.lt/root-a/cacrl.crl0

unknown

http://www.trustdst.com/certificates/policy/ACES-index.html0

unknown

http://www.firmaprofesional.com0

unknown

https://www.netlock.net/docs

unknown

http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl

unknown

https://52.12.4.186/h

unknown

http://crl.entrust.net/2048ca.crl0

unknown

http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0

unknown

http://cps.chambersign.org/cps/publicnotaryroot.html0

unknown

http://www.e-trust.be/CPS/QNcerts

unknown

http://www.certicamara.com/certicamaraca.crl0

unknown

http://www.msnbc.com/news/ticker.txt

unknown

http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0

unknown

http://fedir.comsign.co.il/crl/ComSignCA.crl0

unknown

http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0

unknown

https://52.12.4.186/news/update6

unknown

http://ocsp.entrust.net03

unknown

http://cps.chambersign.org/cps/chambersroot.html0

unknown

http://www.acabogacia.org0

unknown

https://ca.sia.it/seccli/repository/CPS0

unknown

http://crl.securetrust.com/SGCA.crl0

unknown

http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0

unknown

http://crl.securetrust.com/STCA.crl0

unknown

http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0

unknown

http://www.icra.org/vocabulary/.

unknown

http://www.certicamara.com/certicamaraca.crl0;

unknown

http://www.e-szigno.hu/RootCA.crt0

unknown

http://www.quovadisglobal.com/cps0

unknown

http://investor.msn.com/

unknown

https://52.12.4.186/news/updateA

unknown

http://www.valicert.com/1

unknown

https://52.12.4.186/news/update

unknown

http://www.e-szigno.hu/SZSZ/0

unknown

http://www.%s.comPA

unknown

http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0

unknown

https://52.12.4.186/news/updateF

unknown

https://ocsp.quovadisoffshore.com0

unknown

http://ocsp.entrust.net0D

unknown

http://cps.chambersign.org/cps/chambersignroot.html0

unknown

http://ca.sia.it/secsrv/repository/CRL.der0J

unknown

http://investor.msn.com

unknown

http://crl.entrust.net/server1.crl0

unknown

http://www.ancert.com/cps0

unknown

http://ca.sia.it/seccli/repository/CRL.der0J

unknown

http://www.registradores.org/scr/normativa/cp_f2.htm0

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

whiskyexpanse.com

104.21.3.47

Details

Name:	whiskyexpanse.com
IP:	104.21.3.47
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

52.12.4.186

unknown

United States

Details

IP:	52.12.4.186
TargetID:	4
Current Path:	C:\Windows\SysWOW64\rundll32.exe
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking
System process connects to network (likely due to code injection or exploit)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Connects to IPs without corresponding DNS lookups	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.21.3.47

whiskyexpanse.com

United States

Details

IP:	104.21.3.47
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	whiskyexpanse.com

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

hs8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

MTTT

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ReviewToken

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EDB52

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

FontCachePath

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

VBAFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DefaultSheetR2L

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

UseSystemSeparators

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ThousandsSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DecimalSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EE1C7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EE2D0

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EE36C

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EE428

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EE4B4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} {000214E6-0000-0000-C000-000000000046} 0xFFFF

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\system32\qagentrt.dll,-10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\fveui.dll,-843

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\fveui.dll,-844

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

@%SystemRoot%\System32\wuaueng.dll,-400

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

LastPurgeTime

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

FBE12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

FBF4A

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EXCELFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SavedLegacySettings

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Blob

C:\Windows\SysWOW64\rundll32.exe

SavedLegacySettings

There are 109 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2440000

unkown

page read and write

335000

unkown

page read and write

104000

heap private

page read and write

1C30000

unkown

page readonly

374000

heap default

page read and write

BE7000

unkown

page readonly

6E85A000

unkown image

page read and write

20000

unkown

page readonly

920000

heap private

page read and write

7F0000

heap private

page read and write

1BC000

unkown

page read and write

1C5000

unkown

page read and write

23EE000

unkown

page read and write

2EC000

unkown

page read and write

1A8000

unkown

page read and write

7B0000

heap private

page read and write

E30000

heap private

page read and write

1B9000

unkown

page read and write

2440000

unkown

page read and write

32D000

heap default

page read and write

6E869000

unkown image

page readonly

258F000

unkown

page read and write

740000

unkown

page execute and read and write

700000

heap private

page read and write

6E856000

unkown image

page execute and read and write

1B2000

unkown

page read and write

2EB000

heap default

page read and write

34E000

heap default

page read and write

2DA000

unkown

page read and write

9F7000

heap private

page read and write

2440000

unkown

page read and write

29FE000

unkown

page read and write

930000

unkown

page readonly

2537000

unkown

page read and write

6E791000

unkown image

page execute read

8B0000

heap private

page read and write

3B0000

unkown

page readonly

6E770000

unkown image

page readonly

2630000

unkown

page read and write

6E869000

unkown image

page readonly

6E84A000

unkown image

page write copy

251A000

unkown

page read and write

1B2000

unkown

page read and write

26C0000

unkown

page readonly

1BF000

unkown

page read and write

90C000

unkown

page read and write

1E17000

unkown

page readonly

120000

unkown

page readonly

6D0000

unkown

page read and write

B17000

unkown

page readonly

1C1000

unkown

page read and write

2430000

unkown

page read and write

6E770000

unkown image

page readonly

1AF000

unkown

page read and write

2440000

unkown

page read and write

2440000

unkown

page read and write

DD000

unkown

page read and write

1460000

heap private

page read and write

6E84A000

unkown image

page write copy

812000

heap private

page read and write

B0000

heap default

page read and write

253F000

unkown

page read and write

21B000

unkown

page read and write

230000

unkown

page execute and read and write

530000

unkown

page readonly

2430000

unkown

page read and write

2250000

unkown

page read and write

1AC000

unkown

page read and write

5D0000

unkown

page readonly

2430000

unkown

page read and write

254B000

unkown

page read and write

8C0000

unkown

page readonly

260B000

unkown

page read and write

6E849000

unkown image

page read and write

2380000

heap private

page read and write

2416000

heap private

page read and write

130000

unkown

page readonly

1B0000

unkown

page read and write

226E000

unkown

page read and write

6E771000

unkown image

page execute read

17D000

heap default

page read and write

2530000

unkown

page read and write

160000

unkown

page execute and read and write

277000

heap default

page read and write

110000

unkown

page read and write

2B2E000

stack

page read and write

2440000

unkown

page read and write

2B90000

heap private

page read and write

6E855000

unkown image

page read and write

450000

unkown

page readonly

22E000

stack

page read and write

120000

unkown

page read and write

7F4000

heap private

page read and write

27D000

heap default

page read and write

2510000

unkown

page read and write

21F0000

heap private

page read and write

38D000

heap default

page read and write

2EB000

unkown

page read and write

480000

unkown

page readonly

228D000

unkown

page read and write

2293000

unkown

page read and write

A3F000

unkown

page read and write

6E78C000

unkown image

page read and write

E0000

unkown

page read and write

130000

unkown

page readonly

29EE000

unkown

page read and write

140000

heap default

page read and write

690000

unkown

page readonly

140000

unkown

page readonly

2350000

unkown

page read and write

280000

heap private

page read and write

1AF000

unkown

page read and write

A00000

unkown

page readonly

2430000

unkown

page read and write

23F8000

heap private

page read and write

23AE000

stack

page read and write

2531000

unkown

page read and write

2400000

heap private

page read and write

B20000

unkown

page readonly

2DEE000

stack

page read and write

2430000

unkown

page read and write

446000

unkown

page read and write

2530000

unkown

page read and write

100000

unkown

page readonly

2440000

unkown

page read and write

927000

heap private

page read and write

1A6000

unkown

page read and write

2440000

unkown

page read and write

2530000

unkown

page read and write

20000

unkown

page readonly

60000

unkown

page readonly

2C0E000

unkown

page read and write

7F0000

heap private

page read and write

249F000

stack

page read and write

32F000

unkown

page read and write

226D000

unkown

page read and write

6E855000

unkown image

page read and write

2AAE000

unkown

page read and write

17B000

unkown

page read and write

1B3000

unkown

page read and write

2F00000

heap private

page read and write

1C1000

unkown

page read and write

240000

unkown

page readonly

335000

unkown

page read and write

33C0000

unkown

page readonly

100000

unkown

page read and write

7EFDF000

unkown

page read and write

6E78E000

unkown image

page readonly

8CE000

unkown

page read and write

D0000

unkown

page read and write

1B2000

unkown

page read and write

100000

heap private

page read and write

1AE000

unkown

page read and write

310000

heap default

page read and write

6E770000

unkown image

page readonly

410000

unkown

page read and write

2AED000

stack

page read and write

2F10000

unkown

page readonly

240000

heap default

page read and write

247000

heap default

page read and write

280000

heap default

page read and write

2DA000

unkown

page read and write

3300000

unkown

page write copy

872000

heap private

page read and write

6E815000

unkown image

page readonly

6F0000

unkown

page readonly

32D000

unkown

page read and write

850000

heap private

page read and write

2520000

unkown

page read and write

6E815000

unkown image

page readonly

264000

heap default

page read and write

1B5000

unkown

page read and write

357000

heap default

page read and write

32F000

unkown

page read and write

2D8000

unkown

page read and write

2501000

heap private

page read and write

25FC000

unkown

page read and write

6E78E000

unkown image

page readonly

1A2000

heap default

page read and write

2250000

unkown

page read and write

36C0000

unkown

page read and write

510000

unkown

page readonly

6E785000

unkown image

page readonly

387000

heap default

page read and write

2C39000

unkown

page read and write

2450000

unkown

page read and write

D10000

unkown

page readonly

2B0000

unkown

page read and write

26BD000

stack

page read and write

2581000

unkown

page read and write

350000

heap default

page read and write

2620000

heap private

page read and write

317000

heap default

page read and write

2440000

unkown

page read and write

180000

unkown

page execute and read and write

2430000

unkown

page read and write

854000

heap private

page read and write

1C8000

unkown

page read and write

147000

heap default

page read and write

90000

unkown

page readonly

47A000

unkown

page read and write

6E856000

unkown image

page execute and read and write

2C70000

heap private

page read and write

257A000

unkown

page read and write

227D000

unkown

page read and write

6E791000

unkown image

page execute read

B1E000

unkown

page read and write

23F0000

heap private

page read and write

331000

unkown

page read and write

1B2000

stack

page read and write

1D0000

heap private

page read and write

2540000

unkown

page read and write

2540000

unkown

page read and write

190000

unkown

page execute and read and write

150000

unkown

page execute and read and write

7EFDF000

unkown

page read and write

6E770000

unkown image

page readonly

339000

unkown

page read and write

36C1000

unkown

page read and write

36C1000

unkown

page read and write

2C29000

unkown

page read and write

1BB000

stack

page read and write

186000

heap default

page read and write

9F0000

heap private

page read and write

251D000

unkown

page read and write

6E85A000

unkown image

page read and write

1AC000

unkown

page read and write

250A000

unkown

page read and write

6E771000

unkown image

page execute read

1B1000

unkown

page read and write

24F0000

heap private

page read and write

CA0000

unkown

page readonly

25A4000

unkown

page read and write

6E78C000

unkown image

page read and write

2D2C000

unkown

page read and write

2BE000

heap default

page read and write

19F000

unkown

page read and write

1A5000

unkown

page read and write

2F0E000

unkown

page read and write

6E785000

unkown image

page readonly

1AC000

unkown

page read and write

78D000

stack

page read and write

1C9000

unkown

page read and write

2E6000

unkown

page read and write

250D000

unkown

page read and write

29EE000

unkown

page read and write

1C6000

unkown

page read and write

E40000

unkown

page readonly

1AA000

unkown

page read and write

F0000

unkown

page readonly

1AD000

unkown

page read and write

2520000

unkown

page read and write

90000

unkown

page read and write

6D0000

unkown

page read and write

6E849000

unkown image

page read and write

2F1E000

unkown

page read and write

284000

heap private

page read and write

20000

unkown

page readonly

340000

unkown

page readonly

There are 249 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Domains

IPs

Registry

Memdumps