Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Inquiry N TM24-10-09.xlam.xlsx

Microsoft Excel 2007+

initial sample

Details

Filetype:	Microsoft Excel 2007+
Entropy:	7.983644622316028
Filename:	Inquiry N TM24-10-09.xlam.xlsx
Filesize:	822403
MD5:	c4d3d1b1842e510619920b9492900250
SHA1:	25749eb1073ce81fd72314dda9efab61adb70b3f
SHA256:	f8fb6c4ac020b9b8116781833ad5f536979a2e21986601c55928a2bfcc3036ce
SHA512:	dd3c9e5590f43fa891142106169a90d2ec986f3db45a641d38c4af326ac7b600eb9442b4fca0b0fd3f096b547cce6162535bbc67d6fe534e1f7c3c44d4d72919
SSDEEP:	12288:5UDmtDq7MeSQA4rwbZswK/j+c61E/y7CEBbJlFE54zuvBBhvWHK0QbJXaw71DrGb:WDf4lYrwzKrV6S/yBruv/hHxbdD1Drub
Preview:	PK.........MHY..us............[Content_Types].xmlUT...H..gH..gH..g.T.n.0....?..."...4..C....I.\W..b....c.}Vr.E...........!g.k....bch.TND.AGc.....~...*........"......6.K..P....3....C.1a..y....y...%,P}.L.+..a..z.q>....5X.@...YG.."f..:..'..[`...H.Y....U0...q

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Document misses a certain OLE stream usually present in this Microsoft Office document type	System Summary
Sample is known by Antivirus	System Summary
Document has a 'vbamacros' value indicative of goodware	System Summary

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ng5th[1].exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ng5th[1].exe
Category:	dropped
Dump:	ng5th[1].exe.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.370392045920559
Encrypted:	false
Ssdeep:	24576:ffmMv6Ckr7Mny5QLhBlwMPSMoXh0s4fdx1eDDSE3to:f3v+7/5QLhBt63Ex1eDV9o
Size:	1128615
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: File Dropped By EQNEDT32EXE	Exploits
Machine Learning detection for dropped file	AV Detection
Office equation editor drops PE file	System Summary
Drops PE files	Persistence and Installation Behavior
Downloads files	Networking	Ingress Tool Transfer

C:\Users\user\AppData\Local\Temp\zwuonypqu.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\zwuonypqu.exe
Category:	dropped
Dump:	zwuonypqu.exe.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.370392045920559
Encrypted:	false
Ssdeep:	24576:ffmMv6Ckr7Mny5QLhBlwMPSMoXh0s4fdx1eDDSE3to:f3v+7/5QLhBt63Ex1eDV9o
Size:	1128615
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to detect sleep reduction / modifications	Malware Analysis System Evasion	Security Software Discovery
Machine Learning detection for dropped file	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Office equation editor drops PE file	System Summary
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits	Exploitation for Client Execution
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application	System Summary
Sigma detected: Suspicious Microsoft Office Child Process	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)	System Summary
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging	Disable or Modify Tools
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts Access Token Manipulation
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Access Token Manipulation
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality for error logging	System Summary
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Information Discovery System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\Desktop\~$Inquiry N TM24-10-09.xlam.xlsx

data

dropped

Details

File:	C:\Users\user\Desktop\~$Inquiry N TM24-10-09.xlam.xlsx
Category:	dropped
Dump:	~$Inquiry N TM24-10-09.xlam.xlsx.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	1.4377382811115937
Encrypted:	false
Ssdeep:	3:vZ/FFDJw2fV:vBFFGS
Size:	165
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Document misses a certain OLE stream usually present in this Microsoft Office document type	System Summary
Creates files inside the user directory	System Summary	Masquerading
Sample is known by Antivirus	System Summary
Document has a 'vbamacros' value indicative of goodware	System Summary

C:\Users\user\AppData\Local\Temp\derogates

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\derogates
Category:	dropped
Dump:	derogates.5.dr
ID:	dr_4
Target ID:	5
Process:	C:\Users\user\AppData\Local\Temp\zwuonypqu.exe
Type:	data
Entropy:	6.68452409794398
Encrypted:	false
Ssdeep:	6144:HuWvIGPUhfPhHgUcd/UMHZKDSvUWckSHGfg:HdzPUhfPhABd/UsK6OkEcg
Size:	240128
Whitelisted:	false
Reputation:	low

C:\Users\user\Desktop\~$Inquiry N TM24-10-09.xlam.xls

data

dropped

Details

File:	C:\Users\user\Desktop\~$Inquiry N TM24-10-09.xlam.xls
Category:	dropped
Dump:	~$Inquiry N TM24-10-09.xlam.xls.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	1.4377382811115937
Encrypted:	false
Ssdeep:	3:vZ/FFDJw2fV:vBFFGS
Size:	165
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	3356
Target ID:	0
Parent PID:	564
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Size:	28253536
MD5:	D53B85E21886D2AF9815C377537BCAC3
Time:	03:39:36
Date:	10/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f680000
Modulesize:	28282880
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	3564
Target ID:	2
Parent PID:	564
Name:	EQNEDT32.EXE
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Size:	543304
MD5:	A87236E214F6D42A65F5DEDAC816AEC8
Time:	03:40:25
Date:	10/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	581632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Sigma detected: File Dropped By EQNEDT32EXE	Exploits
Document exploit detected (process start blacklist hit)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application	System Summary
Sigma detected: Suspicious Microsoft Office Child Process	System Summary
Office Equation Editor has been started	Exploits
Sigma detected: Modification of IE Registry Settings	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\zwuonypqu.exe

Details

Is windows:	false
Is dropped:	true
PID:	3708
Target ID:	5
Parent PID:	3564
Name:	zwuonypqu.exe
Path:	C:\Users\user\AppData\Local\Temp\zwuonypqu.exe
Commandline:	C:\Users\user\AppData\Local\Temp\zwuonypqu.exe
Size:	1128615
MD5:	E393C90747E935149ECABF5AF936A07A
Time:	03:40:28
Date:	10/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	741376
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Office equation editor drops PE file	System Summary
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits	Exploitation for Client Execution
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application	System Summary
Sigma detected: Suspicious Microsoft Office Child Process	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Users\user\AppData\Local\Temp\zwuonypqu.exe

Details

Is windows:	true
Is dropped:	false
PID:	3736
Target ID:	6
Parent PID:	3708
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	C:\Users\user\AppData\Local\Temp\zwuonypqu.exe
Size:	45248
MD5:	19855C0DC5BEC9FDF925307C57F9F5FC
Time:	03:40:32
Date:	10/10/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x1f0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://eficienciaeningenieria.com.mx/vnkl/ng5th.exe

104.21.53.112

Details

Name:	http://eficienciaeningenieria.com.mx/vnkl/ng5th.exe
IP:	104.21.53.112
TargetID:	2
From Memory:	false
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Suricata IDS alerts for network traffic	Networking
Office equation editor establishes network connection	Exploits	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
URLs found in memory or binary data	Networking

http://eficienciaeningenieria.com.mx/vnkl/ng5th.exej

unknown

https://account.dyn.com/

unknown

http://eficienciaeningenieria.com.mx/vnkl/ng5th.exejjC:

unknown

Domains

Name

Malicious

eficienciaeningenieria.com.mx

104.21.53.112

Details

Name:	eficienciaeningenieria.com.mx
IP:	104.21.53.112
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Suricata IDS alerts for network traffic	Networking
Office equation editor establishes network connection	Exploits	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

104.21.53.112

eficienciaeningenieria.com.mx

United States

Details

IP:	104.21.53.112
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	eficienciaeningenieria.com.mx

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Suricata IDS alerts for network traffic	Networking
Office equation editor establishes network connection	Exploits	Exploitation for Client Execution
Sigma detected: Equation Editor Network Connection	System Summary
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

m+/

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Excel

Enabled

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

.0/

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

EXCELFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

ProductFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage

VBAFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

EquationEditorFilesIntl_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage

EquationEditorFilesIntl_1033

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

SavedLegacySettings

There are 4 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

310000

direct allocation

page read and write

402000

system

page execute and read and write

67C0000

heap

page read and write

3531000

heap

page read and write

34B0000

heap

page read and write

98A000

heap

page read and write

646E000

stack

page read and write

3530000

heap

page execute and read and write

A80000

heap

page read and write

964000

heap

page read and write

9BA000

heap

page read and write

397000

heap

page read and write

A87000

heap

page read and write

401000

unkown

page execute read

34FB000

heap

page read and write

18D000

trusted library allocation

page execute and read and write

3DE0000

direct allocation

page read and write

3DF1000

direct allocation

page read and write

5F6E000

stack

page read and write

3E60000

direct allocation

page read and write

34FB000

heap

page read and write

34FB000

heap

page read and write

321F000

stack

page read and write

3535000

heap

page read and write

82E000

stack

page read and write

3E60000

direct allocation

page read and write

2B5E000

stack

page read and write

4520000

heap

page execute and read and write

620F000

stack

page read and write

900000

heap

page read and write

34FB000

heap

page read and write

752000

heap

page read and write

2566000

heap

page read and write

3660000

heap

page read and write

2F2000

heap

page read and write

339E000

heap

page read and write

3BA0000

direct allocation

page read and write

353E000

heap

page read and write

34FB000

heap

page read and write

10000

heap

page read and write

900000

heap

page read and write

948000

heap

page read and write

2B1E000

stack

page read and write

65E000

stack

page read and write

3438000

heap

page read and write

5EED000

stack

page read and write

603F000

heap

page read and write

3BA0000

direct allocation

page read and write

3DF4000

direct allocation

page read and write

466E000

stack

page read and write

24CF000

stack

page read and write

34FB000

heap

page read and write

34FB000

heap

page read and write

3DF4000

direct allocation

page read and write

3DF4000

direct allocation

page read and write

36A1000

heap

page read and write

3CF0000

direct allocation

page read and write

3D00000

direct allocation

page read and write

5F2C000

stack

page read and write

2BB8000

heap

page read and write

3CF0000

direct allocation

page read and write

34FB000

heap

page read and write

490000

unkown

page write copy

3E60000

direct allocation

page read and write

290000

heap

page read and write

6054000

heap

page read and write

192000

trusted library allocation

page read and write

36B1000

heap

page read and write

5FAF000

stack

page read and write

B0000

trusted library allocation

page read and write

3542000

heap

page read and write

34FB000

heap

page read and write

3DF1000

direct allocation

page read and write

3A6000

trusted library allocation

page read and write

2BE000

stack

page read and write

34FB000

heap

page read and write

959000

heap

page read and write

907000

heap

page read and write

3DF1000

direct allocation

page read and write

3E00000

direct allocation

page read and write

3370000

heap

page read and write

4BDF000

stack

page read and write

32A0000

heap

page read and write

3C7A000

direct allocation

page read and write

34FB000

heap

page read and write

244000

heap

page read and write

3DF7000

direct allocation

page read and write

676F000

stack

page read and write

34FB000

heap

page read and write

3C7A000

direct allocation

page read and write

34FB000

heap

page read and write

19A000

trusted library allocation

page execute and read and write

2BB4000

heap

page read and write

3DE0000

direct allocation

page read and write

7EF40000

trusted library allocation

page execute and read and write

89F000

stack

page read and write

3C7A000

direct allocation

page read and write

180000

trusted library allocation

page read and write

8B4000

stack

page read and write

8CE000

stack

page read and write

3427000

heap

page read and write

2B60000

heap

page read and write

200000

trusted library allocation

page read and write

7BB000

heap

page read and write

3DF1000

direct allocation

page read and write

3A0000

trusted library allocation

page read and write

656C000

stack

page read and write

3E60000

direct allocation

page read and write

400000

unkown

page readonly

3D00000

direct allocation

page read and write

3DE0000

direct allocation

page read and write

34FB000

heap

page read and write

34FB000

heap

page read and write

34FB000

heap

page read and write

3451000

trusted library allocation

page read and write

3DF7000

direct allocation

page read and write

36E6000

heap

page read and write

C4000

trusted library allocation

page read and write

1A2000

trusted library allocation

page read and write

34FB000

heap

page read and write

6C0000

heap

page read and write

3E0000

trusted library allocation

page execute and read and write

4AB000

unkown

page readonly

5FB0000

heap

page read and write

3536000

heap

page read and write

3DE0000

direct allocation

page read and write

6230000

heap

page read and write

3E60000

direct allocation

page read and write

34FB000

heap

page read and write

34FB000

heap

page read and write

3BA0000

direct allocation

page read and write

236F000

stack

page read and write

3C7A000

direct allocation

page read and write

34FB000

heap

page read and write

243D000

heap

page read and write

782000

heap

page read and write

400000

system

page execute and read and write

3419000

heap

page read and write

236E000

stack

page read and write | page guard

34FA000

heap

page read and write

CD000

trusted library allocation

page execute and read and write

3DF4000

direct allocation

page read and write

3E00000

direct allocation

page read and write

3535000

heap

page read and write

1AB000

trusted library allocation

page execute and read and write

3E60000

direct allocation

page read and write

370000

heap

page read and write

448000

trusted library allocation

page read and write

4AB000

unkown

page readonly

3DE000

stack

page read and write

34FB000

heap

page read and write

599E000

stack

page read and write

3E00000

direct allocation

page read and write

8F7000

heap

page read and write

36A1000

heap

page read and write

36E7000

heap

page read and write

34FB000

heap

page read and write

4940000

heap

page read and write

2D0000

heap

page read and write

1DF0000

direct allocation

page read and write

18A000

stack

page read and write

2506000

trusted library allocation

page read and write

34FB000

heap

page read and write

636F000

stack

page read and write

34FB000

heap

page read and write

680000

heap

page read and write

4A7000

unkown

page read and write

240000

heap

page read and write

6E4000

heap

page read and write

342F000

heap

page read and write

C0000

trusted library allocation

page read and write

3DF7000

direct allocation

page read and write

A6E000

stack

page read and write

3CF0000

direct allocation

page read and write

6010000

heap

page read and write

2BB0000

heap

page read and write

3DF7000

direct allocation

page read and write

34FB000

heap

page read and write

4AA4000

heap

page read and write

2D1E000

stack

page read and write

10A000

stack

page read and write

3DF1000

direct allocation

page read and write

602D000

heap

page read and write

401000

unkown

page execute read

914000

heap

page read and write

3CF0000

direct allocation

page read and write

34FB000

heap

page read and write

3CF0000

direct allocation

page read and write

4AC2000

heap

page read and write

289F000

stack

page read and write

6C7000

heap

page read and write

34FB000

heap

page read and write

70E000

heap

page read and write

704000

heap

page read and write

924000

heap

page read and write

3DE0000

direct allocation

page read and write

3DF7000

direct allocation

page read and write

4F0000

heap

page execute and read and write

34FB000

heap

page read and write

1A7000

trusted library allocation

page execute and read and write

34FB000

heap

page read and write

196000

trusted library allocation

page execute and read and write

34FB000

heap

page read and write

68D000

stack

page read and write

559E000

unkown

page read and write

710000

heap

page read and write

23CF000

stack

page read and write

3E00000

direct allocation

page read and write

34FB000

heap

page read and write

604F000

heap

page read and write

353B000

heap

page read and write

490000

unkown

page read and write

34FB000

heap

page read and write

340F000

heap

page read and write

AF0000

heap

page execute and read and write

C3000

trusted library allocation

page execute and read and write

34FB000

heap

page read and write

3DF1000

direct allocation

page read and write

96B000

heap

page read and write

390000

trusted library allocation

page read and write

276000

heap

page read and write

2BBB000

heap

page read and write

24E8000

trusted library allocation

page read and write

3DE0000

direct allocation

page read and write

1E0000

trusted library allocation

page read and write

3E00000

direct allocation

page read and write

2E0000

heap

page read and write

262000

heap

page read and write

34B0000

heap

page read and write

2503000

trusted library allocation

page read and write

299F000

stack

page read and write

34FB000

heap

page read and write

34FB000

heap

page read and write

34FB000

heap

page read and write

34FB000

heap

page read and write

3E00000

direct allocation

page read and write

3C7A000

direct allocation

page read and write

23DE000

stack

page read and write

390000

heap

page read and write

8F0000

heap

page read and write

3C7D000

direct allocation

page read and write

34FB000

heap

page read and write

3520000

heap

page read and write

400000

unkown

page readonly

34FB000

heap

page read and write

34FB000

heap

page read and write

3220000

heap

page read and write

8EE000

stack

page read and write

3D00000

direct allocation

page read and write

666F000

stack

page read and write

33CB000

heap

page read and write

3DF7000

direct allocation

page read and write

34FB000

heap

page read and write

3C7D000

direct allocation

page read and write

3BA0000

direct allocation

page read and write

34FB000

heap

page read and write

539E000

stack

page read and write

5200000

heap

page read and write

3C7A000

direct allocation

page read and write

482000

unkown

page readonly

2D4000

heap

page read and write

967000

heap

page read and write

89D000

stack

page read and write

34FB000

heap

page read and write

503C000

stack

page read and write

2410000

heap

page read and write

3C7D000

direct allocation

page read and write

3DF4000

direct allocation

page read and write

10000

heap

page read and write

34FB000

heap

page read and write

3BA0000

direct allocation

page read and write

34FB000

heap

page read and write

32E000

stack

page read and write

1D0000

trusted library allocation

page execute and read and write

3DF4000

direct allocation

page read and write

740000

heap

page read and write

370F000

heap

page read and write

5FD0000

heap

page read and write

34FB000

heap

page read and write

34FB000

heap

page read and write

100000

heap

page read and write

8B000

stack

page read and write

3C7D000

direct allocation

page read and write

3D00000

direct allocation

page read and write

370F000

heap

page read and write

10000

heap

page read and write

270000

heap

page read and write

8AF000

stack

page read and write

91F000

heap

page read and write

3C7D000

direct allocation

page read and write

2DF000

stack

page read and write

36A1000

heap

page read and write

190000

trusted library allocation

page read and write

3C7D000

direct allocation

page read and write

3CF0000

direct allocation

page read and write

9B2000

heap

page read and write

4AA0000

heap

page read and write

540000

heap

page read and write

388000

stack

page read and write

28E000

stack

page read and write

3AA0000

heap

page read and write

34FB000

heap

page read and write

3479000

trusted library allocation

page read and write

63E000

stack

page read and write

34FB000

heap

page read and write

34FB000

heap

page read and write

36D000

stack

page read and write

966000

heap

page read and write

243F000

heap

page read and write

1A5000

trusted library allocation

page execute and read and write

482000

unkown

page readonly

36A1000

heap

page read and write

3518000

heap

page read and write

89000

stack

page read and write

51EE000

stack

page read and write

5700000

heap

page read and write

2451000

trusted library allocation

page read and write

24EE000

trusted library allocation

page read and write

2D20000

heap

page read and write

2560000

heap

page read and write

92E000

heap

page read and write

3BA0000

direct allocation

page read and write

3D00000

direct allocation

page read and write

22E000

stack

page read and write

3D00000

direct allocation

page read and write

2420000

heap

page read and write

36A0000

heap

page read and write

There are 317 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Inquiry N TM24-10-09.xlam.xlsx

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportInquiry N TM24-10-09.xlam.xlsx

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Inquiry N TM24-10-09.xlam.xlsx