Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe

PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	7.978790410425317
Filename:	PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe
Filesize:	624640
MD5:	fe67d87f3efefadb38a76aca77820504
SHA1:	08c9f9f3c9be5b3fb9fbe6dfc3b6875323c3a4ad
SHA256:	b740d4c07f1bfd42085caf8c5df442634f5415bcaffe2050c52a0f3379a5f03f
SHA512:	b19a43da549d0234b1aedc718eef6781d9f5fe7d06eb41fdb0a19b9d35c7627f660b9c956e2411fe94fe5d97ab7c273ef83ecc168c1ae1d28d683433e14414da
SSDEEP:	12288:xOaEg1tQwjJ3pOpHY2/KCnmJMh9NbMAs0Dmf5a93CjUlNqph:xpPtQwj7OhmJMh7b1siSKsU3y
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...xT.f.........."...0..\|............... .....@..... ....................................@...@......@............... .....

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Modifies the context of a thread in another process (thread injection)	HIPS / PFW / Operating System Protection Evasion
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a high image base, often used for DLLs	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe.log
Category:	dropped
Dump:	PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe
Type:	CSV text
Entropy:	5.380493107040482
Encrypted:	false
Ssdeep:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNl+84xp3/VclT:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAA
Size:	1510
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
PE file does not import any functions	System Summary
Sample file is different than original file name gathered from version info	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a high image base, often used for DLLs	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe

"C:\Users\user\Desktop\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6152
Target ID:	0
Parent PID:	1028
Name:	PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe
Path:	C:\Users\user\Desktop\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe
Commandline:	"C:\Users\user\Desktop\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe"
Size:	624640
MD5:	FE67D87F3EFEFADB38A76ACA77820504
Time:	04:25:51
Date:	02/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x320000
Modulesize:	638976
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Uses an obfuscated file name to hide its real file extension (double extension)	Hooking and other Techniques for Hiding and Protection	Masquerading Obfuscated Files or Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Users\user\Desktop\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe

"C:\Users\user\Desktop\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6164
Target ID:	3
Parent PID:	6152
Name:	PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe
Path:	C:\Users\user\Desktop\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe
Commandline:	"C:\Users\user\Desktop\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe"
Size:	624640
MD5:	FE67D87F3EFEFADB38A76ACA77820504
Time:	04:25:54
Date:	02/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x5b0000
Modulesize:	638976
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Uses an obfuscated file name to hide its real file extension (double extension)	Hooking and other Techniques for Hiding and Protection	Masquerading Obfuscated Files or Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a high image base, often used for DLLs	System Summary

URLs

Name

Malicious

https://reallyfreegeoip.org

unknown

http://checkip.dyndns.org

unknown

http://checkip.dyndns.orgp

unknown

https://reallyfreegeoip.org/xml/8.46.123.33p

unknown

http://checkip.dyndns.org/

193.122.6.168

http://checkip.dyndns.com

unknown

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.96.3

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://checkip.dyndns.org/q

unknown

http://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 1 hidden URLs, click here to show them.

Domains

Name

Malicious

reallyfreegeoip.org

188.114.96.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.96.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

193.122.6.168

IPs

Domain

Country

Malicious

188.114.96.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.96.3
TargetID:	3
Current Path:	C:\Users\user\Desktop\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

193.122.6.168

checkip.dyndns.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED_RASMANCS

FileDirectory

There are 4 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

13625000

trusted library allocation

page read and write

140002000

remote allocation

page execute and read and write

34E1000

trusted library allocation

page read and write

13431000

trusted library allocation

page read and write

3732000

trusted library allocation

page read and write

2E9A000

heap

page read and write

3816000

trusted library allocation

page read and write

37E7000

trusted library allocation

page read and write

7FF848E3C000

trusted library allocation

page execute and read and write

1C0B0000

heap

page read and write

363E000

trusted library allocation

page read and write

1C255000

heap

page read and write

1C1E0000

trusted library allocation

page read and write

1ED10000

heap

page read and write

2E90000

heap

page read and write

2E80000

trusted library section

page read and write

7FF849004000

trusted library allocation

page read and write

7FF848E10000

trusted library allocation

page read and write

A40000

heap

page read and write

7FF848EBC000

trusted library allocation

page execute and read and write

3698000

trusted library allocation

page read and write

15CE000

stack

page read and write

7FF848E04000

trusted library allocation

page read and write

7FF848FD3000

trusted library allocation

page read and write

3010000

heap

page execute and read and write

1BF1A000

heap

page read and write

36AF000

trusted library allocation

page read and write

EA1000

heap

page read and write

7FF848E9C000

trusted library allocation

page execute and read and write

3618000

trusted library allocation

page read and write

1C1A0000

trusted library section

page read and write

1C340000

heap

page execute and read and write

7FF848F90000

trusted library allocation

page execute and read and write

2D7E000

heap

page read and write

D60000

heap

page execute and read and write

13421000

trusted library allocation

page read and write

1353B000

trusted library allocation

page read and write

7FF848FB0000

trusted library allocation

page execute and read and write

322000

unkown

page readonly

7FF848FE6000

trusted library allocation

page read and write

13428000

trusted library allocation

page read and write

E89000

heap

page read and write

1E34F000

stack

page read and write

3646000

trusted library allocation

page read and write

E00000

heap

page read and write

13578000

trusted library allocation

page read and write

CD0000

trusted library allocation

page read and write

1F45E000

stack

page read and write

F29000

heap

page read and write

36EA000

trusted library allocation

page read and write

E80000

heap

page read and write

7FF403020000

trusted library allocation

page execute and read and write

1C1D3000

heap

page read and write

140000000

remote allocation

page execute and read and write

7FF848E90000

trusted library allocation

page read and write

B77000

heap

page read and write

3630000

trusted library allocation

page read and write

7FF848E5C000

trusted library allocation

page execute and read and write

7FF848E04000

trusted library allocation

page read and write

A70000

heap

page read and write

3680000

trusted library allocation

page read and write

10B0000

heap

page read and write

DA5000

heap

page read and write

CB0000

trusted library allocation

page read and write

13553000

trusted library allocation

page read and write

A50000

heap

page read and write

3829000

trusted library allocation

page read and write

1E74E000

stack

page read and write

1B450000

trusted library allocation

page read and write

7FF849000000

trusted library allocation

page read and write

3642000

trusted library allocation

page read and write

7FF848E00000

trusted library allocation

page read and write

369C000

trusted library allocation

page read and write

7FF848DE0000

trusted library allocation

page read and write

AD1000

heap

page read and write

7FF848EC0000

trusted library allocation

page execute and read and write

11CE000

stack

page read and write

1E45D000

stack

page read and write

7FF848F00000

trusted library allocation

page execute and read and write

1C142000

heap

page read and write

1EC5F000

stack

page read and write

36C3000

trusted library allocation

page read and write

F80000

trusted library allocation

page read and write

D30000

heap

page read and write

7FF848FF9000

trusted library allocation

page read and write

1135000

heap

page read and write

153E000

stack

page read and write

3707000

trusted library allocation

page read and write

7FF848E0B000

trusted library allocation

page execute and read and write

B7C000

heap

page read and write

370B000

trusted library allocation

page read and write

7FF848FB0000

trusted library allocation

page read and write

1D680000

heap

page read and write

A9C000

heap

page read and write

7FF848E2B000

trusted library allocation

page execute and read and write

1C093000

heap

page read and write

3421000

trusted library allocation

page read and write

7FF848FE3000

trusted library allocation

page read and write

7FF848FA0000

trusted library allocation

page read and write

A96000

heap

page read and write

37CF000

trusted library allocation

page read and write

7FF848EB0000

trusted library allocation

page read and write

DC5000

heap

page read and write

1BEE0000

heap

page read and write

6D0000

heap

page read and write

37E2000

trusted library allocation

page read and write

1F05F000

stack

page read and write

1BB9B000

stack

page read and write

193E000

stack

page read and write

1D8D0000

trusted library section

page read and write

1C070000

trusted library section

page read and write

AFE000

heap

page read and write

1BD6D000

stack

page read and write

9EE000

stack

page read and write

7FF848EC6000

trusted library allocation

page execute and read and write

13584000

trusted library allocation

page read and write

1C090000

heap

page read and write

7FF848E00000

trusted library allocation

page read and write

3822000

trusted library allocation

page read and write

7FF848EB6000

trusted library allocation

page read and write

DA0000

heap

page read and write

7FF848FD0000

trusted library allocation

page execute and read and write

7FF848DE2000

trusted library allocation

page read and write

7FF848E03000

trusted library allocation

page execute and read and write

AFC000

heap

page read and write

341F000

stack

page read and write

1130000

heap

page read and write

134E1000

trusted library allocation

page read and write

7FF848FC0000

trusted library allocation

page read and write

7FF848F80000

trusted library allocation

page read and write

371E000

trusted library allocation

page read and write

1050000

heap

page read and write

1C0FF000

heap

page read and write

3694000

trusted library allocation

page read and write

34DE000

stack

page read and write

7FF848DF0000

trusted library allocation

page read and write

7FF848FF0000

trusted library allocation

page read and write

ABC000

heap

page read and write

E60000

trusted library allocation

page read and write

7FF848EE6000

trusted library allocation

page execute and read and write

EBD000

heap

page read and write

DF2000

stack

page read and write

1C250000

heap

page read and write

7FF848E20000

trusted library allocation

page read and write

36D6000

trusted library allocation

page read and write

1D76B000

heap

page read and write

3690000

trusted library allocation

page read and write

7FF848FA0000

trusted library allocation

page read and write

7FF848E13000

trusted library allocation

page read and write

F83000

trusted library allocation

page read and write

7FF848E0D000

trusted library allocation

page execute and read and write

1C74E000

stack

page read and write

102E000

stack

page read and write

7FF848EA0000

trusted library allocation

page execute and read and write

7FF848E2D000

trusted library allocation

page execute and read and write

1D75F000

heap

page read and write

7D0000

heap

page read and write

E40000

trusted library allocation

page read and write

1C1C0000

heap

page read and write

7FF848FE0000

trusted library allocation

page read and write

1C0FC000

heap

page read and write

7FF848DE4000

trusted library allocation

page read and write

C60000

heap

page read and write

109F000

stack

page read and write

1DC82000

trusted library allocation

page read and write

DC0000

heap

page read and write

B05000

heap

page read and write

1356E000

trusted library allocation

page read and write

7FF848DE3000

trusted library allocation

page execute and read and write

37C9000

trusted library allocation

page read and write

381C000

trusted library allocation

page read and write

7B0000

heap

page read and write

7FF848E24000

trusted library allocation

page read and write

1055000

heap

page read and write

EBF000

heap

page read and write

1BEF0000

heap

page read and write

7FF848FD7000

trusted library allocation

page read and write

320000

unkown

page readonly

7FF848FD0000

trusted library allocation

page read and write

1E85E000

stack

page read and write

7FF848DED000

trusted library allocation

page execute and read and write

1C1D0000

heap

page read and write

1D940000

heap

page read and write

A90000

heap

page read and write

7FF848DF3000

trusted library allocation

page read and write

7FF848E0D000

trusted library allocation

page execute and read and write

7FF848FFD000

trusted library allocation

page read and write

35F8000

trusted library allocation

page read and write

3688000

trusted library allocation

page read and write

1C0A0000

heap

page read and write

D70000

trusted library section

page readonly

37EB000

trusted library allocation

page read and write

3862000

trusted library allocation

page read and write

7FF848DFD000

trusted library allocation

page execute and read and write

7FF848E02000

trusted library allocation

page read and write

368C000

trusted library allocation

page read and write

37D8000

trusted library allocation

page read and write

37C4000

trusted library allocation

page read and write

363A000

trusted library allocation

page read and write

3684000

trusted library allocation

page read and write

1C270000

heap

page read and write

E70000

heap

page execute and read and write

1C67D000

stack

page read and write

B72000

heap

page read and write

AD4000

heap

page read and write

FE0000

heap

page read and write

1EB4E000

stack

page read and write

7FF848FC0000

trusted library allocation

page execute and read and write

EE9000

heap

page read and write

7FF848E96000

trusted library allocation

page read and write

D80000

heap

page read and write

7FF848FE0000

trusted library allocation

page execute and read and write

7FF848F20000

trusted library allocation

page execute and read and write

34BB000

trusted library allocation

page read and write

7FF848E1D000

trusted library allocation

page execute and read and write

EA7000

heap

page read and write

There are 206 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportPETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe