Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Permission-1984690372-06252021.xlsm

Microsoft Excel 2007+

initial sample

Details

Filetype:	Microsoft Excel 2007+
Entropy:	7.666395274852154
Filename:	Permission-1984690372-06252021.xlsm
Filesize:	153750
MD5:	f9272d851155983c3326ae7bcd99e489
SHA1:	caaa6700907da09efc9d7831ec9a0dc636bdbe74
SHA256:	80a312be7e3162e80ef38492e7c2160af88e1482fb80ea3370761a0c0654478d
SHA512:	3e8d912568a35cc56af075b26f939b08bc5bd3ec0163e4a63c8cb563dcb85c74e7ad6ff9a5e5f457cda57af9edcec724dabda3ac32d89e9409b5c669096d037f
SSDEEP:	3072:mmKZQmKZ3KNhPQnVbJ2O1gZMys2g4D5JhoD4ZOYJ:d4P4346PgZw9gQaVJ
Preview:	PK..........!.........o.......[Content_Types].xml ...(.........................................................................................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Found Excel 4.0 Macro with suspicious formulas	System Summary	Scripting
Document is a ZIP file with path names indicative of goodware	System Summary

C:\Users\user\Desktop\~$Permission-1984690372-06252021.xlsm

data

dropped

Details

File:	C:\Users\user\Desktop\~$Permission-1984690372-06252021.xlsm
Category:	dropped
Dump:	~$Permission-1984690372-06252021.xlsm.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	1.4377382811115937
Encrypted:	false
Ssdeep:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
Size:	330
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found Excel 4.0 Macro with suspicious formulas	System Summary	Scripting
Creates files inside the user directory	System Summary	Masquerading
Document is a ZIP file with path names indicative of goodware	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\94954BDE.jpg

[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS6 (Windows), datetime=2021:02:11 21:11:18], baseline, precision 8, 1860x1000, frames 3

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\94954BDE.jpg
Category:	dropped
Dump:	94954BDE.jpg.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS6 (Windows), datetime=2021:02:11 21:11:18], baseline, precision 8, 1860x1000, frames 3
Entropy:	7.677272725029824
Encrypted:	false
Ssdeep:	3072:CmKZQmKZ3KNhPQnVbJ2O1gZMys2g4D5JhoD4ZOy:54P4346PgZw9gQat
Size:	139381
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Downloads files	Networking	Ingress Tool Transfer

C:\Users\user\AppData\Local\Temp\EBCE0000

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\EBCE0000
Category:	dropped
Dump:	EBCE0000.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	7.664539669110037
Encrypted:	false
Ssdeep:	3072:cnxmKZQmKZ3KNhPQnVbJ2O1gZMys2g4D5JhoD4ZO4U3:cng4P4346PgZw9gQak
Size:	153117
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Sat Jun 26 00:28:37 2021, atime=Sat Jun 26 00:28:37 2021, length=8192, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
Category:	dropped
Dump:	Desktop.LNK.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Sat Jun 26 00:28:37 2021, atime=Sat Jun 26 00:28:37 2021, length=8192, window=hide
Entropy:	4.471010949234031
Encrypted:	false
Ssdeep:	12:85QCELgXg/XAlCPCHaXgzB8IB/mxRlvX+WnicvbVbDtZ3YilMMEpxRljKVTdJP9O:85hy/XTwz6I0DxYeFDv3q8rNru/
Size:	867
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Permission-1984690372-06252021.LNK

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Sat Jun 26 00:28:37 2021, atime=Sat Jun 26 00:28:37 2021, length=153117, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Permission-1984690372-06252021.LNK
Category:	dropped
Dump:	Permission-1984690372-06252021.LNK.0.dr
ID:	dr_6
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Sat Jun 26 00:28:37 2021, atime=Sat Jun 26 00:28:37 2021, length=153117, window=hide
Entropy:	4.5303789406700306
Encrypted:	false
Ssdeep:	48:8Rk/XT3IkK2wDJ962w88Qh2Rk/XT3IkK2wDJ962w88Q/:8Rk/XLIkgR8Qh2Rk/XLIkgR8Q/
Size:	2238
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Category:	dropped
Dump:	index.dat.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	ASCII text, with CRLF line terminators
Entropy:	4.777412663289588
Encrypted:	false
Ssdeep:	3:oyBVomxW+Lxz5XQ8UltLxz5XQ8UlmxW+Lxz5XQ8Ulv:djHz5AZ/Fz5AZaz5AZ1
Size:	145
Whitelisted:	false
Reputation:	low

C:\Users\user\Desktop\7CCE0000

data

dropped

Details

File:	C:\Users\user\Desktop\7CCE0000
Category:	dropped
Dump:	7CCE0000.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	7.664539669110037
Encrypted:	false
Ssdeep:	3072:cnxmKZQmKZ3KNhPQnVbJ2O1gZMys2g4D5JhoD4ZO4U3:cng4P4346PgZw9gQak
Size:	153117
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2624
Target ID:	0
Parent PID:	584
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Size:	27641504
MD5:	5FB0A0F93382ECD19F5F499A5CAA59F0
Time:	18:28:35
Date:	25/06/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13fc20000
Modulesize:	27758592
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\regsvr32.exe

regsvr32 ..\Kro.fis

Details

Is windows:	true
Is dropped:	false
PID:	2180
Target ID:	3
Parent PID:	2624
Name:	regsvr32.exe
Class:	system-tools
Path:	C:\Windows\System32\regsvr32.exe
Commandline:	regsvr32 ..\Kro.fis
Size:	19456
MD5:	59BCE9F07985F8A4204F4D6554CFF708
Time:	18:28:42
Date:	25/06/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xff040000
Modulesize:	32768
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\regsvr32.exe

regsvr32 ..\Kro.fis1

Details

Is windows:	true
Is dropped:	false
PID:	2176
Target ID:	4
Parent PID:	2624
Name:	regsvr32.exe
Class:	system-tools
Path:	C:\Windows\System32\regsvr32.exe
Commandline:	regsvr32 ..\Kro.fis1
Size:	19456
MD5:	59BCE9F07985F8A4204F4D6554CFF708
Time:	18:28:42
Date:	25/06/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xff040000
Modulesize:	32768
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\regsvr32.exe

regsvr32 ..\Kro.fis2

Details

Is windows:	true
Is dropped:	false
PID:	2364
Target ID:	5
Parent PID:	2624
Name:	regsvr32.exe
Class:	system-tools
Path:	C:\Windows\System32\regsvr32.exe
Commandline:	regsvr32 ..\Kro.fis2
Size:	19456
MD5:	59BCE9F07985F8A4204F4D6554CFF708
Time:	18:28:42
Date:	25/06/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xff040000
Modulesize:	32768
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check

unknown

http://www.windows.com/pctv.

unknown

http://investor.msn.com

unknown

http://www.msnbc.com/news/ticker.txt

unknown

http://www.icra.org/vocabulary/.

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.

unknown

http://investor.msn.com/

unknown

http://190.14.37.3/44372.7698814815.dat

190.14.37.3

http://www.%s.comPA

unknown

http://windowsmedia.com/redir/services.asp?WMPFriendly=true

unknown

http://www.hotmail.com/oe

unknown

http://servername/isapibackend.dll

unknown

http://185.183.99.120/44372.7698814815.dat

185.183.99.120

There are 3 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

190.14.37.3

unknown

Panama

Details

IP:	190.14.37.3
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	Panama
Countrycode:	PAN
ASN number:	52469
ASN name:	OffshoreRacksSAPA
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

185.183.99.120

unknown

Netherlands

Details

IP:	185.183.99.120
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	Netherlands
Countrycode:	NLD
ASN number:	60117
ASN name:	HSAE
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

185.240.103.219

unknown

Russian Federation

Details

IP:	185.240.103.219
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	Russian Federation
Countrycode:	RUS
ASN number:	57724
ASN name:	DDOS-GUARDRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

,/9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

MTTT

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ReviewToken

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EC69A

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

VBAFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DefaultSheetR2L

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

UseSystemSeparators

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ThousandsSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DecimalSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ECA80

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ECB7A

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ECC44

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ECCA2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} {000214E6-0000-0000-C000-000000000046} 0xFFFF

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

.99

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

LastPurgeTime

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F9222

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F9482

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EXCELFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SavedLegacySettings

There are 95 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

20F0000

heap private

page read and write

46F2000

unkown

page readonly

F0000

unkown

page read and write

3E0000

unkown

page read and write

4645000

unkown

page readonly

210000

unkown

page read and write

47C2000

unkown

page readonly

46C5000

unkown

page readonly

20BB000

heap private

page read and write

4534000

unkown

page readonly

465D000

unkown

page readonly

1CB0000

unkown

page readonly

4472000

unkown

page readonly

2C5000

unkown

page read and write

1C4000

unkown

page read and write

45F2000

unkown

page readonly

1D6000

unkown

page read and write

4990000

unkown

page readonly

195000

unkown

page read and write

4522000

unkown

page readonly

2A0000

unkown

page read and write

3BA0000

unkown

page readonly

48A0000

unkown

page readonly

4045000

heap private

page read and write

2C5000

unkown

page read and write

45C5000

unkown

page readonly

1BA000

unkown

page read and write

22D000

unkown

page read and write

3F59000

heap private

page read and write

47E5000

unkown

page readonly

20F5000

heap private

page read and write

1CC0000

unkown

page readonly

216000

unkown

page read and write

73F000

unkown

page read and write

3F0000

unkown

page write copy

47B5000

unkown

page readonly

210000

unkown

page readonly

4378000

unkown

page readonly

3E0000

unkown

page read and write

2005000

heap private

page read and write

45F6000

unkown

page readonly

45D2000

unkown

page readonly

47E2000

unkown

page readonly

300000

unkown

page read and write

2ED000

unkown

page read and write

1D0000

unkown

page read and write

210000

unkown

page read and write

2BE000

unkown

page read and write

19C000

unkown

page read and write

240000

heap default

page read and write

2AE000

unkown

page read and write

4602000

unkown

page readonly

4656000

unkown

page readonly

110000

heap default

page read and write

247000

heap default

page read and write

3E8F000

unkown

page read and write

110000

unkown

page execute and read and write

44D2000

unkown

page readonly

4642000

unkown

page readonly

1BE000

unkown

page read and write

3F50000

unkown

page readonly

20000

unkown

page readonly

1D50000

unkown

page readonly

1FD000

unkown

page read and write

4372000

unkown

page readonly

3F55000

heap private

page read and write

820000

unkown

page readonly

4746000

unkown

page readonly

210000

unkown

page read and write

4769000

unkown

page readonly

31B000

unkown

page read and write

1ED000

unkown

page read and write

4572000

unkown

page readonly

4792000

unkown

page readonly

1F4000

unkown

page read and write

47C9000

unkown

page readonly

1D2000

unkown

page read and write

4672000

unkown

page readonly

4785000

unkown

page readonly

4C4000

heap private

page read and write

1A7000

unkown

page read and write

1ED000

unkown

page read and write

117000

heap default

page read and write

2D3000

unkown

page read and write

60000

unkown

page readonly

4664000

unkown

page readonly

720000

unkown

page readonly

216000

unkown

page read and write

203B000

heap private

page read and write

120000

unkown

page readonly

130000

unkown

page readonly

2570000

unkown

page readonly

46B6000

unkown

page readonly

4565000

unkown

page readonly

46D2000

unkown

page readonly

4DDE000

unkown

page read and write

2080000

unkown

page readonly

710000

unkown

page readonly

45A2000

unkown

page readonly

F9000

unkown

page read and write

80000

unkown

page read and write

4562000

unkown

page readonly

1D0000

unkown

page read and write

340000

unkown

page read and write

48E0000

unkown

page readonly

46E6000

unkown

page readonly

1DC000

unkown

page read and write

216000

unkown

page read and write

163000

heap default

page read and write

3B0000

unkown

page read and write

2220000

unkown

page read and write

4462000

unkown

page readonly

4552000

unkown

page readonly

16A000

heap default

page read and write

44B4000

unkown

page readonly

45E5000

unkown

page readonly

2160000

unkown

page write copy

150000

heap default

page read and write

4622000

unkown

page readonly

210000

unkown

page read and write

3A80000

unkown

page readonly

4716000

unkown

page readonly

31D000

heap default

page read and write

2250000

unkown

page write copy

566000

unkown

page read and write

400000

heap private

page read and write

4C6000

unkown

page read and write

416000

unkown

page read and write

46D9000

unkown

page readonly

E0000

unkown

page read and write

45B2000

unkown

page readonly

44B2000

unkown

page readonly

3A0000

unkown

page readonly

192000

unkown

page read and write

195000

unkown

page read and write

45A6000

unkown

page readonly

480000

heap private

page read and write

326000

heap default

page read and write

204000

unkown

page read and write

1C2000

unkown

page read and write

630000

unkown

page readonly

1E7000

unkown

page read and write

306000

unkown

page read and write

48C0000

unkown

page readonly

2080000

heap private

page read and write

2D7000

unkown

page read and write

100000

unkown

page read and write

4C0000

heap private

page read and write

3FF0000

unkown

page readonly

544000

heap private

page read and write

404000

heap private

page read and write

3F70000

unkown

page readonly

2E0000

heap default

page read and write

4952000

unkown

page readonly

4799000

unkown

page readonly

46C2000

unkown

page readonly

4722000

unkown

page readonly

524000

heap private

page read and write

474D000

unkown

page readonly

44F4000

unkown

page readonly

4749000

unkown

page readonly

43F2000

unkown

page readonly

39B0000

unkown

page readonly

4645000

unkown

page readonly

590000

unkown

page readonly

157000

heap default

page read and write

4546000

unkown

page readonly

2100000

unkown

page readonly

5A0000

unkown

page readonly

4AE7000

unkown

page readonly

300000

unkown

page read and write

17E000

unkown

page read and write

540000

heap private

page read and write

2E7000

heap default

page read and write

4662000

unkown

page readonly

3ED9000

heap private

page read and write

29A000

heap default

page read and write

42F2000

unkown

page readonly

4820000

unkown

page readonly

46A2000

unkown

page readonly

2170000

unkown

page readonly

4532000

unkown

page readonly

4762000

unkown

page readonly

17A000

unkown

page read and write

46A5000

unkown

page readonly

4900000

unkown

page readonly

293000

heap default

page read and write

3D0000

heap private

page read and write

49F0000

unkown

page readonly

2C0000

unkown

page read and write

494000

heap private

page read and write

130000

unkown

page write copy

1D6000

unkown

page read and write

45C6000

unkown

page readonly

40E0000

unkown

page readonly

2280000

unkown

page read and write

140000

unkown

page write copy

4705000

unkown

page readonly

40C0000

unkown

page readonly

4659000

unkown

page readonly

14E000

heap default

page read and write

4652000

unkown

page readonly

4692000

unkown

page readonly

216000

unkown

page read and write

4615000

unkown

page readonly

1A3000

unkown

page read and write

7B0000

unkown

page readonly

22B000

unkown

page read and write

1D0000

unkown

page read and write

31D000

unkown

page read and write

4574000

unkown

page readonly

4629000

unkown

page readonly

2C2000

unkown

page read and write

250000

unkown

page readonly

4679000

unkown

page readonly

1D6000

unkown

page read and write

4624000

unkown

page readonly

45D6000

unkown

page readonly

70000

unkown

page read and write

20000

unkown

page readonly

4BD7000

unkown

page readonly

490000

unkown

page read and write

42F8000

unkown

page readonly

20000

unkown

page readonly

1FC0000

unkown

page write copy

324000

unkown

page read and write

2F6000

unkown

page read and write

70000

unkown

page readonly

1D0000

unkown

page read and write

4468000

unkown

page readonly

4632000

unkown

page readonly

4862000

unkown

page readonly

520000

heap private

page read and write

202000

unkown

page read and write

18E000

heap default

page read and write

306000

unkown

page read and write

32B000

heap default

page read and write

49D0000

unkown

page readonly

3F50000

heap private

page read and write

4049000

heap private

page read and write

4659000

unkown

page readonly

1FE000

unkown

page read and write

2EE000

unkown

page read and write

2000000

heap private

page read and write

45F9000

unkown

page readonly

2D6000

unkown

page read and write

3D4000

heap private

page read and write

45DD000

unkown

page readonly

4576000

unkown

page readonly

4595000

unkown

page readonly

4675000

unkown

page readonly

3FD0000

unkown

page readonly

67F000

unkown

page read and write

1A3000

heap default

page read and write

1AA000

heap default

page read and write

70000

unkown

page read and write

3ED0000

heap private

page read and write

4626000

unkown

page readonly

2F4000

unkown

page read and write

1EB000

unkown

page read and write

4735000

unkown

page readonly

46F5000

unkown

page readonly

120000

unkown

page execute and read and write

212B000

heap private

page read and write

2CC000

unkown

page read and write

4860000

unkown

page readonly

1C9000

unkown

page read and write

3ED5000

heap private

page read and write

4040000

heap private

page read and write

2F2000

unkown

page read and write

14F000

unkown

page read and write

376000

unkown

page read and write

2AA000

unkown

page read and write

490000

heap private

page read and write

1D5000

unkown

page read and write

119000

unkown

page read and write

4A0000

unkown

page read and write

1BD000

unkown

page read and write

2085000

heap private

page read and write

23AE000

unkown

page read and write

1D0000

unkown

page read and write

300000

unkown

page read and write

46A9000

unkown

page readonly

4622000

unkown

page readonly

530000

unkown

page read and write

4D6000

unkown

page read and write

4A67000

unkown

page readonly

234000

unkown

page read and write

2470000

unkown

page read and write

306000

unkown

page read and write

1D6000

unkown

page read and write

306000

unkown

page read and write

1D5000

unkown

page read and write

44D4000

unkown

page readonly

45D9000

unkown

page readonly

300000

unkown

page read and write

4615000

unkown

page readonly

4880000

unkown

page readonly

45B5000

unkown

page readonly

4695000

unkown

page readonly

484000

heap private

page read and write

49B0000

unkown

page readonly

4554000

unkown

page readonly

1E3000

unkown

page read and write

4535000

unkown

page readonly

4552000

unkown

page readonly

4582000

unkown

page readonly

46D5000

unkown

page readonly

27E000

heap default

page read and write

2380000

unkown

page readonly

44F2000

unkown

page readonly

4644000

unkown

page readonly

1BE000

unkown

page read and write

290000

unkown

page execute and read and write

4840000

unkown

page readonly

2450000

unkown

page readonly

There are 306 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

IPs

Registry

Memdumps