Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

payment 435975469.xlsb

Microsoft Excel 2007+

initial sample

Details

Filetype:	Microsoft Excel 2007+
Entropy:	7.910082269729894
Filename:	payment 435975469.xlsb
Filesize:	91467
MD5:	751e07abc0bc08abf349a49fd8c81703
SHA1:	ad977311af2765089b9bffb5bb03cb26c6ab874c
SHA256:	595c56c71c91c470c05c6243e46835d1b25b15c247fcd2a025ef0369e6a6b798
SHA512:	d1034eb70912240df56516fb475934dbfe1f3e0e3e66399aca8537a3f38aedd09b85774a1926094c57cf1bf021ea53c039fd8854900c67ec6e8290e1dfb8ba8d
SSDEEP:	1536:UWgPFFxgFzx5YVqHS2YzayhpSW4vHR05Q4r5UZKUb9dsyn/fKnWFMnfy3n7Vgdx:V7FzIsj8aipSW4vHREQ4iZKUb9myn6nH
Preview:	PK..........!...l.....W.......[Content_Types].xml ...(.........................................................................................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Found Excel 4.0 Macro with suspicious formulas	System Summary	Scripting
Found protected and hidden Excel 4.0 Macro sheet	System Summary	Masquerading
Found obfuscated Excel 4.0 Macro	System Summary
Found a hidden Excel 4.0 Macro sheet	System Summary	Masquerading
Sample is known by Antivirus	System Summary
Document is a ZIP file with path names indicative of goodware	System Summary

C:\ProgramData\EYCmMYHJOyR.rtf

HTML document, ASCII text, with very long lines, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\EYCmMYHJOyR.rtf
Category:	dropped
Dump:	EYCmMYHJOyR.rtf.0.dr
ID:	dr_6
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Entropy:	5.0608578290611925
Encrypted:	false
Ssdeep:	96:8B+NjARKVHzys6CdZ2HicZoKDnBkMhRqDM3L7tZU8p4Z:8BEjAaTy9GZ2CcZHDnBhADMXC
Size:	4615
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Yara detected Dridex Downloader	E-Banking Fraud
Contains functionality to create processes via WMI	System Summary	Windows Management Instrumentation
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary
Sigma detected: Suspicious WMI Execution	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\Desktop\~$payment 435975469.xlsb

data

dropped

Details

File:	C:\Users\user\Desktop\~$payment 435975469.xlsb
Category:	dropped
Dump:	~$payment 435975469.xlsb.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	1.4377382811115937
Encrypted:	false
Ssdeep:	3:vZ/FFDJw2fV:vBFFGS
Size:	165
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Found Excel 4.0 Macro with suspicious formulas	System Summary	Scripting
Found obfuscated Excel 4.0 Macro	System Summary	Scripting
Found protected and hidden Excel 4.0 Macro sheet	System Summary	Scripting
Found a hidden Excel 4.0 Macro sheet	System Summary
Creates files inside the user directory	System Summary	Masquerading
Sample is known by Antivirus	System Summary
Document is a ZIP file with path names indicative of goodware	System Summary

C:\ProgramData\hgcwdJhz.txt

ASCII text, with no line terminators

dropped

Details

File:	C:\ProgramData\hgcwdJhz.txt
Category:	dropped
Dump:	hgcwdJhz.txt.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	ASCII text, with no line terminators
Entropy:	4.3648913092077555
Encrypted:	false
Ssdeep:	3:YEKMChMqR2OLGTaH/iMVOcALAlLgZAMdi/RgyKIMELC2HY:YEKM3M2kGTm+2g7i//KIxn4
Size:	131
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG[1].txt

ASCII text, with no line terminators

downloaded

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG[1].txt
IE cache URL:	http://139.59.64.195:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
Category:	downloaded
Dump:	Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG[1].txt.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	ASCII text, with no line terminators
Entropy:	4.3648913092077555
Encrypted:	false
Ssdeep:	3:YEKMChMqR2OLGTaH/iMVOcALAlLgZAMdi/RgyKIMELC2HY:YEKM3M2kGTm+2g7i//KIxn4
Size:	131
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\70DEA7D3.png

PNG image data, 286 x 48, 8-bit/color RGB, non-interlaced

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\70DEA7D3.png
Category:	dropped
Dump:	70DEA7D3.png.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	PNG image data, 286 x 48, 8-bit/color RGB, non-interlaced
Entropy:	7.860501688375939
Encrypted:	false
Ssdeep:	48:eB4tDhUKfyMhSkT7wudfivzzawE7y2aXihs+HjVVRsYr1n7onlfDq:Q4tDhUKfyMhBT7wefivnjEWPyhJHjvR5
Size:	2200
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Downloads files	Networking	Ingress Tool Transfer

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D5C797B8.png

PNG image data, 237 x 336, 8-bit/color RGBA, non-interlaced

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D5C797B8.png
Category:	dropped
Dump:	D5C797B8.png.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	PNG image data, 237 x 336, 8-bit/color RGBA, non-interlaced
Entropy:	7.970149181563435
Encrypted:	false
Ssdeep:	1536:2PFFxgFzx5YVqHS2YzayhpSW4vHR05Q4r5UZKUbD:RFzIsj8aipSW4vHREQ4iZKUbD
Size:	60538
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Temp\57FF.tmp

Microsoft Excel 2007+

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\57FF.tmp
Category:	dropped
Dump:	57FF.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	Microsoft Excel 2007+
Entropy:	7.9093007405805285
Encrypted:	false
Ssdeep:	1536:lYEilnbn7bPFFxgFzx5YVqHS2YzayhpSW4vHR05Q4r5UZKUbYWOdO:lYDbyFzIsj8aipSW4vHREQ4iZKUbYWOQ
Size:	91252
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2640
Target ID:	0
Parent PID:	596
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Size:	28253536
MD5:	D53B85E21886D2AF9815C377537BCAC3
Time:	17:49:22
Date:	24/11/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f990000
Modulesize:	28282880
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary
Sigma detected: Suspicious WMI Execution	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\wbem\WMIC.exe

wmic process call create "mshta C:\ProgramData\EYCmMYHJOyR.rtf"

Details

Is windows:	true
Is dropped:	false
PID:	2840
Target ID:	2
Parent PID:	2640
Name:	WMIC.exe
Class:	system-tools
Path:	C:\Windows\System32\wbem\WMIC.exe
Commandline:	wmic process call create "mshta C:\ProgramData\EYCmMYHJOyR.rtf"
Size:	566272
MD5:	FD902835DEAEF4091799287736F3A028
Time:	17:49:45
Date:	24/11/2021
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xff1f0000
Modulesize:	577536
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Microsoft Office Product Spawning Windows Shell	System Summary
Sigma detected: Suspicious WMI Execution	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\mshta.exe

mshta C:\ProgramData\EYCmMYHJOyR.rtf

Details

Is windows:	true
Is dropped:	false
PID:	3060
Target ID:	5
Parent PID:	1304
Name:	mshta.exe
Class:	system-tools
Path:	C:\Windows\System32\mshta.exe
Commandline:	mshta C:\ProgramData\EYCmMYHJOyR.rtf
Size:	13824
MD5:	95828D670CFD3B16EE188168E083C3C5
Time:	17:49:46
Date:	24/11/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f2d0000
Modulesize:	32768
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check

unknown

http://www.windows.com/pctv.

unknown

http://investor.msn.com

unknown

http://www.msnbc.com/news/ticker.txt

unknown

http://www.%s.comPA

unknown

http://www.icra.org/vocabulary/.

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.

unknown

http://windowsmedia.com/redir/services.asp?WMPFriendly=true

unknown

http://www.hotmail.com/oe

unknown

http://servername/isapibackend.dll

unknown

http://investor.msn.com/

unknown

http://139.59.64.195:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG

139.59.64.195

There are 2 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

139.59.64.195

unknown

Singapore

Details

IP:	139.59.64.195
TargetID:	0
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Country:	Singapore
Countrycode:	SGP
ASN number:	14061
ASN name:	DIGITALOCEAN-ASNUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

jr.

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\DocumentRecovery\2F509

2F509

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

VBAFiles

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

6z.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

ProductNonBootFilesIntl_1033

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

OriginalAttachmentPath

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

TemporaryAttachmentName

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109A10090400100000000F01FEC\Usage

OutlookMAPI2Intl_1033

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

EXCELFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

SavedLegacySettings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

ProductNonBootFilesIntl_1033

There are 7 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

23B0000

unkown

page read and write

50D000

heap private

page read and write

40000

unkown image

page readonly

507F000

stack

page read and write

37B000

heap default

page read and write

2334000

unkown

page read and write

2B02000

unkown

page read and write

2B06000

unkown

page read and write

7FFFFFC0000

unkown image

page readonly

4875000

heap private

page read and write

23B8000

unkown

page read and write

7FFFFFC2000

unkown image

page readonly

2380000

unkown

page read and write

170000

heap private

page read and write

303E000

stack

page read and write

2310000

heap private

page read and write

4915000

unkown

page read and write

34B0000

heap private

page read and write

10000

unkown image

page read and write

7FFFFFD0000

unkown image

page readonly

7FFFFFC0000

unkown image

page readonly

470000

unkown image

page readonly

E0000

heap default

page read and write

3360000

unkown image

page readonly

2F2D000

stack

page read and write

3B5000

unkown

page read and write

7FFFFFC0000

unkown image

page readonly

C00000

unkown image

page readonly

2D70000

heap private

page read and write

2379000

unkown

page read and write

174000

heap private

page read and write

23AC000

unkown

page read and write

380000

unkown

page read and write

2B0B000

unkown

page read and write

2B07000

unkown

page read and write

2348000

unkown

page read and write

2810000

heap private

page read and write

4907000

unkown

page read and write

2B03000

unkown

page read and write

2D8000

unkown

page read and write

10000

unkown image

page read and write

2FF000

unkown

page read and write

7EFE0000

unkown image

page readonly

2358000

unkown

page read and write

239C000

unkown

page read and write

2398000

unkown

page read and write

D0000

unkown

page read and write

2364000

unkown

page read and write

232C000

unkown

page read and write

2FF000

unkown

page read and write

20BF000

stack

page read and write

7FFFFFB0000

unkown image

page readonly

10000

unkown image

page read and write

210000

unkown image

page read and write

7FFFFFD0000

unkown image

page readonly

20000

unkown image

page read and write

324E000

stack

page read and write

370000

unkown

page read and write

39C000

unkown

page read and write

7FFFFFB2000

unkown image

page readonly

584000

heap private

page read and write

E7000

heap default

page read and write

314000

unkown

page read and write

7FFFFFB2000

unkown image

page readonly

4921000

unkown

page read and write

2A3B000

heap private

page read and write

37C000

unkown

page read and write

6492000

unkown image

page readonly

2369000

unkown

page read and write

7FFFFFB0000

unkown image

page readonly

2FF000

unkown

page read and write

398000

unkown

page read and write

25CE000

stack

page read and write

2A5E000

stack

page read and write

2B04000

unkown

page read and write

7EFE0000

unkown image

page readonly

2328000

unkown

page read and write

49F0000

heap private

page read and write

7FFFFFB2000

unkown image

page readonly

3B7000

unkown

page read and write

3060000

unkown

page read and write

1E0000

unkown

page read and write

7FFFFFD0000

unkown image

page readonly

1C9000

heap default

page read and write

22F6000

heap private

page read and write

40000

unkown image

page readonly

2290000

heap private

page read and write

4917000

unkown

page read and write

2344000

unkown

page read and write

7FFFFFC0000

unkown image

page readonly

1ED0000

heap private

page read and write

500000

heap private

page read and write

4913000

unkown

page read and write

2C0000

unkown

page read and write

150000

unkown image

page readonly

74F000

stack

page read and write

DA0000

unkown image

page readonly

7FFFFFC2000

unkown image

page readonly

324000

unkown

page read and write

25D0000

heap private

page read and write

2AE000

heap default

page read and write

28F0000

heap private

page read and write

7FFFFFC0000

unkown image

page readonly

25D000

unkown

page read and write

21A0000

unkown image

page readonly

21D0000

unkown

page read and write

2A00000

heap private

page read and write

2B09000

unkown

page read and write

3CD0000

heap private

page read and write

504000

heap private

page read and write

5F0000

unkown image

page readonly

1B90000

unkown image

page readonly

4B50000

unkown

page read and write

1A4000

heap default

page read and write

2314000

heap private

page read and write

2B00000

unkown

page read and write

21B0000

unkown image

page read and write

235C000

unkown

page read and write

2B08000

unkown

page read and write

362000

unkown

page read and write

327000

unkown

page read and write

492E000

unkown

page read and write

40000

unkown image

page readonly

2340000

unkown

page read and write

60A2000

unkown image

page read and write

7FFFFFD0000

unkown image

page readonly

7FFFFFB2000

unkown image

page readonly

14A000

unkown

page read and write

2CB000

unkown

page read and write

2B05000

unkown

page read and write

260B000

heap private

page read and write

277000

heap default

page read and write

180000

unkown

page read and write

2350000

unkown

page read and write

3040000

unkown

page read and write

2390000

unkown

page read and write

372000

unkown

page read and write

337000

heap default

page read and write

4AD0000

heap private

page read and write

36D000

heap default

page read and write

30000

unkown image

page readonly

22FF000

heap private

page read and write

580000

heap private

page read and write

23C0000

unkown

page read and write

238C000

unkown

page read and write

310000

unkown

page read and write

50A000

heap private

page read and write

106000

unkown

page read and write

7FFFFFC2000

unkown image

page readonly

2320000

unkown

page read and write

4903000

unkown

page read and write

346000

unkown

page read and write

493F000

unkown

page read and write

2260000

unkown image

page readonly

2318000

unkown

page read and write

3B2000

unkown

page read and write

22B5000

heap private

page read and write

3CD5000

heap private

page read and write

376000

heap default

page read and write

270000

heap default

page read and write

322F000

stack

page read and write

26A0000

heap private

page read and write

23D0000

unkown

page read and write

2360000

unkown

page read and write

305F000

stack

page read and write

2CA000

unkown

page read and write

2FA000

unkown

page read and write

34B5000

heap private

page read and write

2BAE000

stack

page read and write

2B0C000

unkown

page read and write

181000

heap default

page read and write

600000

unkown image

page readonly

7FFFFFD0000

unkown image

page readonly

7FFFFFB0000

unkown image

page readonly

7FFFFFC2000

unkown image

page readonly

22B0000

heap private

page read and write

490E000

unkown

page read and write

C10000

unkown image

page readonly

312000

unkown

page read and write

2410000

unkown image

page readonly

7EFE0000

unkown image

page readonly

2FF000

unkown

page read and write

7FFFFFC0000

unkown image

page readonly

2C8000

unkown

page read and write

3BF0000

heap private

page read and write

4910000

unkown

page read and write

24F0000

unkown

page read and write

2F00000

unkown image

page readonly

3740000

unkown image

page readonly

48F0000

unkown

page read and write

30000

unkown image

page readonly

60E000

stack

page read and write

23C4000

unkown

page read and write

231C000

unkown

page read and write

25D5000

heap private

page read and write

2294000

heap private

page read and write

379000

unkown

page read and write

23B4000

unkown

page read and write

2D8000

unkown

page read and write

2FF000

unkown

page read and write

3B2000

unkown

page read and write

29EE000

stack

page read and write

160000

unkown image

page read and write

47F0000

heap private

page read and write

23D4000

unkown

page read and write

53F000

stack

page read and write

7FFFFFB0000

unkown image

page readonly

7FFFFFC2000

unkown image

page readonly

22EB000

heap private

page read and write

2170000

heap private

page read and write

7FFFFFB2000

unkown image

page readonly

7FFFFFC2000

unkown image

page readonly

231B000

heap private

page read and write

233C000

unkown

page read and write

491A000

unkown

page read and write

3547000

unkown image

page readonly

2250000

unkown image

page readonly

4905000

unkown

page read and write

2770000

heap private

page read and write

11E000

heap default

page read and write

7FFFFFB2000

unkown image

page readonly

2FA000

unkown

page read and write

2B0A000

unkown

page read and write

359000

unkown

page read and write

2A05000

heap private

page read and write

2FA000

unkown

page read and write

306000

unkown

page read and write

4870000

heap private

page read and write

2B01000

unkown

page read and write

2FF000

unkown

page read and write

2D3F000

stack

page read and write

3096000

unkown

page read and write

2354000

unkown

page read and write

7FFFFFD0000

unkown image

page readonly

4700000

heap private

page read and write

48F7000

unkown

page read and write

2D8000

unkown

page read and write

2338000

unkown

page read and write

3A6000

unkown

page read and write

3CD9000

heap private

page read and write

4927000

unkown

page read and write

330000

heap default

page read and write

7FFFFFB0000

unkown image

page readonly

36B000

unkown

page read and write

2330000

unkown

page read and write

2C9000

unkown

page read and write

2D8000

unkown

page read and write

2A80000

heap private

page read and write

7FFFFFB0000

unkown image

page readonly

30000

unkown image

page readonly

1F80000

heap private

page read and write

39C000

unkown

page read and write

2BB000

unkown

page read and write

A80000

unkown image

page readonly

2388000

unkown

page read and write

There are 245 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs

IPs

Registry

Memdumps