Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

new order.exe

PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	4.938419313900058
Filename:	new order.exe
Filesize:	1838240
MD5:	0c5a964f9cbf2fec077302e6baa7316f
SHA1:	d0593ff771d4cf489903b807aa93f29f5a51f0b5
SHA256:	dd93e71cdd590d9c74d24a1b822948e7501b7a38df590d4d52ddf3e862a0cb2d
SHA512:	4947d5c0632be00af4ae33700eb85a82daea3f2e1a373b8e454a7103a6959e7f31b973c135ae498b3c70da1c12cdf3482bf43ad3abf92ce7af3f3a54d47a6817
SSDEEP:	12288:g6R0Jt0zWWrUufKjFokZGX+KxITevb8OaAN:gi0Jt9W6FovBx3DV
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0..4............... ....@...... ....................................`................................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary
One or more processes crash	System Summary
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
Binary contains paths to development resources	System Summary
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary
Uses Microsoft Silverlight	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_new order.exe_a0ae4b577917af373f82f0f155e6f5f1b3b83e3_63337e3c_36ee73ac-12c9-4d51-9463-803eac033cd6\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_new order.exe_a0ae4b577917af373f82f0f155e6f5f1b3b83e3_63337e3c_36ee73ac-12c9-4d51-9463-803eac033cd6\Report.wer
Category:	dropped
Dump:	Report.wer.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	1.0103519843704405
Encrypted:	false
Ssdeep:	192:umorR1Mi0LCD3aWB9f0zuiFMZ24lO8AJ:HorRYLCD3am98zuiFMY4lO8AJ
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE file does not import any functions	System Summary
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WER97D0.tmp.dmp

Mini DuMP crash report, 16 streams, Sun Jun 30 14:35:56 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER97D0.tmp.dmp
Category:	dropped
Dump:	WER97D0.tmp.dmp.4.dr
ID:	dr_0
Target ID:	4
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 16 streams, Sun Jun 30 14:35:56 2024, 0x1205a4 type
Entropy:	3.19977256781427
Encrypted:	false
Ssdeep:	3072:YjE7XLsHSgxgKvhC2R5t4RNcSv1A1CCq4up3+v0tdN9tdN9tdN9tduxV:YjjHU4z8gq4e3Qjx
Size:	374824
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9967.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9967.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER9967.tmp.WERInternalMetadata.xml.4.dr
ID:	dr_1
Target ID:	4
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.700001010205921
Encrypted:	false
Ssdeep:	192:R6l7wVeJRLu6Y9ov5xRNgmfZjXpr089bjBDfmhm:R6lXJtu6YyvvRNgmftbjlfh
Size:	8620
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B1D.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B1D.tmp.xml
Category:	dropped
Dump:	WER9B1D.tmp.xml.4.dr
ID:	dr_2
Target ID:	4
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.485231918869779
Encrypted:	false
Ssdeep:	48:cvIwWl8zsYNJg771I9ftSWpW8VYTYm8M4J0E6Fe0yq8v0EjkT5qQq0d:uIjfYnI7UV7VjJ5L0W5Q1Nq0d
Size:	4808
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.4.dr
ID:	dr_4
Target ID:	4
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.4659290662627456
Encrypted:	false
Ssdeep:	6144:LIXfpi67eLPU9skLmb0b49WSPKaJG8nAgejZMMhA2gX4WABl0uNldwBCswSb7:MXD949WlLZMM6YFHv+7
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\new order.exe

"C:\Users\user\Desktop\new order.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3696
Target ID:	0
Parent PID:	2580
Name:	new order.exe
Path:	C:\Users\user\Desktop\new order.exe
Commandline:	"C:\Users\user\Desktop\new order.exe"
Size:	1838240
MD5:	0C5A964F9CBF2FEC077302E6BAA7316F
Time:	10:35:54
Date:	30/06/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1f69cfa0000
Modulesize:	32768
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Yara detected UAC Bypass using CMSTP	Exploits
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary contains paths to development resources	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

Details

Is windows:	true
Is dropped:	false
PID:	4020
Target ID:	1
Parent PID:	3696
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	10:35:55
Date:	30/06/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xb30000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3696 -s 1052

Details

Is windows:	true
Is dropped:	false
PID:	7192
Target ID:	4
Parent PID:	3696
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3696 -s 1052
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	10:35:55
Date:	30/06/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff63ba60000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://checkip.dyndns.org/

158.101.44.242

https://reallyfreegeoip.org

unknown

http://upx.sf.net

unknown

http://checkip.dyndns.org

unknown

http://checkip.dyndns.orgp

unknown

http://checkip.dyndns.com

unknown

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.96.3

https://reallyfreegeoip.org/xml/8.46.123.33$

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://checkip.dyndns.org/q

unknown

http://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 2 hidden URLs, click here to show them.

Domains

Name

Malicious

reallyfreegeoip.org

188.114.96.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.96.3
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

158.101.44.242

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

bg.microsoft.map.fastly.net

199.232.214.172

fp2e7a.wpc.phicdn.net

192.229.221.95

IPs

Domain

Country

Malicious

188.114.96.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.96.3
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

158.101.44.242

checkip.dyndns.com

United States

Details

IP:	158.101.44.242
TargetID:	1
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	United States
Countrycode:	USA
ASN number:	31898
ASN name:	ORACLE-BMC-31898US
Private:	false
Domain:	checkip.dyndns.com

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary

Registry

Path

Value

Malicious

\REGISTRY\A\{0919df55-860a-04c8-49bc-e8e3d05f1caa}\Root\InventoryApplicationFile\new order.exe|d7407e4c24a219de

ProgramId

\REGISTRY\A\{0919df55-860a-04c8-49bc-e8e3d05f1caa}\Root\InventoryApplicationFile\new order.exe|d7407e4c24a219de

FileId

\REGISTRY\A\{0919df55-860a-04c8-49bc-e8e3d05f1caa}\Root\InventoryApplicationFile\new order.exe|d7407e4c24a219de

LowerCaseLongPath

\REGISTRY\A\{0919df55-860a-04c8-49bc-e8e3d05f1caa}\Root\InventoryApplicationFile\new order.exe|d7407e4c24a219de

LongPathHash

\REGISTRY\A\{0919df55-860a-04c8-49bc-e8e3d05f1caa}\Root\InventoryApplicationFile\new order.exe|d7407e4c24a219de

Name

\REGISTRY\A\{0919df55-860a-04c8-49bc-e8e3d05f1caa}\Root\InventoryApplicationFile\new order.exe|d7407e4c24a219de

OriginalFileName

\REGISTRY\A\{0919df55-860a-04c8-49bc-e8e3d05f1caa}\Root\InventoryApplicationFile\new order.exe|d7407e4c24a219de

Publisher

\REGISTRY\A\{0919df55-860a-04c8-49bc-e8e3d05f1caa}\Root\InventoryApplicationFile\new order.exe|d7407e4c24a219de

Version

\REGISTRY\A\{0919df55-860a-04c8-49bc-e8e3d05f1caa}\Root\InventoryApplicationFile\new order.exe|d7407e4c24a219de

BinFileVersion

\REGISTRY\A\{0919df55-860a-04c8-49bc-e8e3d05f1caa}\Root\InventoryApplicationFile\new order.exe|d7407e4c24a219de

BinaryType

\REGISTRY\A\{0919df55-860a-04c8-49bc-e8e3d05f1caa}\Root\InventoryApplicationFile\new order.exe|d7407e4c24a219de

ProductName

\REGISTRY\A\{0919df55-860a-04c8-49bc-e8e3d05f1caa}\Root\InventoryApplicationFile\new order.exe|d7407e4c24a219de

ProductVersion

\REGISTRY\A\{0919df55-860a-04c8-49bc-e8e3d05f1caa}\Root\InventoryApplicationFile\new order.exe|d7407e4c24a219de

LinkDate

\REGISTRY\A\{0919df55-860a-04c8-49bc-e8e3d05f1caa}\Root\InventoryApplicationFile\new order.exe|d7407e4c24a219de

BinProductVersion

\REGISTRY\A\{0919df55-860a-04c8-49bc-e8e3d05f1caa}\Root\InventoryApplicationFile\new order.exe|d7407e4c24a219de

AppxPackageFullName

\REGISTRY\A\{0919df55-860a-04c8-49bc-e8e3d05f1caa}\Root\InventoryApplicationFile\new order.exe|d7407e4c24a219de

AppxPackageRelativeId

\REGISTRY\A\{0919df55-860a-04c8-49bc-e8e3d05f1caa}\Root\InventoryApplicationFile\new order.exe|d7407e4c24a219de

Size

\REGISTRY\A\{0919df55-860a-04c8-49bc-e8e3d05f1caa}\Root\InventoryApplicationFile\new order.exe|d7407e4c24a219de

Language

\REGISTRY\A\{0919df55-860a-04c8-49bc-e8e3d05f1caa}\Root\InventoryApplicationFile\new order.exe|d7407e4c24a219de

Usn

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\msbuild_RASMANCS

FileDirectory

There are 23 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2EF1000

trusted library allocation

page read and write

30B4000

trusted library allocation

page read and write

1F69F237000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

1F6AF0BA000

trusted library allocation

page read and write

2FB8000

trusted library allocation

page read and write

1F69D150000

heap

page read and write

655D000

stack

page read and write

2FF6000

trusted library allocation

page read and write

1266000

trusted library allocation

page execute and read and write

14DE000

stack

page read and write

136C000

heap

page read and write

2FFA000

trusted library allocation

page read and write

7FFD9B920000

trusted library allocation

page read and write

1540000

heap

page read and write

303B000

trusted library allocation

page read and write

7FFD9B7AB000

trusted library allocation

page execute and read and write

51390FE000

stack

page read and write

51394FE000

stack

page read and write

1F6B6F20000

trusted library allocation

page read and write

14E0000

trusted library allocation

page execute and read and write

2FA0000

trusted library allocation

page read and write

107E000

stack

page read and write

671E000

stack

page read and write

68CA000

trusted library allocation

page read and write

7FFD9B930000

trusted library allocation

page read and write

535D000

trusted library allocation

page read and write

5A2E000

trusted library allocation

page read and write

1244000

trusted library allocation

page read and write

7FFD9B96D000

trusted library allocation

page read and write

1F69D1D3000

trusted library allocation

page read and write

1F69D27D000

heap

page read and write

68D0000

trusted library allocation

page execute and read and write

5138CF3000

stack

page read and write

12A8000

heap

page read and write

2DD0000

heap

page read and write

314F000

trusted library allocation

page read and write

51395FD000

stack

page read and write

68A0000

trusted library allocation

page read and write

1F69D030000

heap

page read and write

3F7E000

trusted library allocation

page read and write

56FD000

stack

page read and write

4FEE000

stack

page read and write

68CF000

trusted library allocation

page read and write

1F69D420000

heap

page read and write

7FFD9B7A4000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

5138EFE000

stack

page read and write

68F0000

trusted library allocation

page read and write

5370000

heap

page read and write

1F69D2E7000

heap

page read and write

1F69D130000

heap

page read and write

7FFD9B940000

trusted library allocation

page read and write

11DF000

stack

page read and write

1470000

trusted library allocation

page read and write

3172000

trusted library allocation

page read and write

7FFD9B960000

trusted library allocation

page read and write

10BE000

stack

page read and write

1F69D410000

heap

page read and write

7FFD9B790000

trusted library allocation

page read and write

7FFD9B970000

trusted library allocation

page execute and read and write

1F69D216000

heap

page read and write

1472000

trusted library allocation

page read and write

1F69CFA0000

unkown

page readonly

3F5A000

trusted library allocation

page read and write

7FFD9B780000

trusted library allocation

page read and write

1F69ED59000

heap

page read and write

1F69EEE0000

heap

page execute and read and write

2FA3000

trusted library allocation

page read and write

1F69EEF1000

trusted library allocation

page read and write

7FFD9B866000

trusted library allocation

page execute and read and write

7FFD9B836000

trusted library allocation

page read and write

1F69D27B000

heap

page read and write

2FE8000

trusted library allocation

page read and write

1520000

trusted library allocation

page read and write

304F000

trusted library allocation

page read and write

1500000

heap

page read and write

2EE0000

heap

page execute and read and write

3078000

trusted library allocation

page read and write

6DB0000

heap

page read and write

1F69EFCB000

trusted library allocation

page read and write

7FF454570000

trusted library allocation

page execute and read and write

51393FE000

stack

page read and write

3F81000

trusted library allocation

page read and write

1F69D485000

heap

page read and write

1F69D480000

heap

page read and write

7FFD9B83C000

trusted library allocation

page execute and read and write

1477000

trusted library allocation

page execute and read and write

30A6000

trusted library allocation

page read and write

3F74000

trusted library allocation

page read and write

1243000

trusted library allocation

page execute and read and write

5520000

trusted library allocation

page read and write

2FEA000

trusted library allocation

page read and write

1F69D1A0000

trusted library allocation

page read and write

7FFD9B840000

trusted library allocation

page execute and read and write

659E000

stack

page read and write

10C0000

heap

page read and write

1260000

trusted library allocation

page read and write

125D000

trusted library allocation

page execute and read and write

5356000

trusted library allocation

page read and write

651E000

stack

page read and write

1F69ED50000

heap

page read and write

3128000

trusted library allocation

page read and write

7FFD9B934000

trusted library allocation

page read and write

3F8A000

trusted library allocation

page read and write

3146000

trusted library allocation

page read and write

2DCE000

stack

page read and write

1F69D415000

heap

page read and write

641E000

stack

page read and write

313C000

trusted library allocation

page read and write

7FFD9B7AD000

trusted library allocation

page execute and read and write

317E000

trusted library allocation

page read and write

7FFD9B7A0000

trusted library allocation

page read and write

314A000

trusted library allocation

page read and write

1262000

trusted library allocation

page read and write

2FD3000

trusted library allocation

page read and write

56B0000

heap

page execute and read and write

1F69D310000

trusted library section

page read and write

2FFE000

trusted library allocation

page read and write

679E000

stack

page read and write

303F000

trusted library allocation

page read and write

2FF2000

trusted library allocation

page read and write

124D000

trusted library allocation

page execute and read and write

12DA000

heap

page read and write

1F6AEEF1000

trusted library allocation

page read and write

5473000

heap

page read and write

65DE000

stack

page read and write

306A000

trusted library allocation

page read and write

133E000

heap

page read and write

3EF1000

trusted library allocation

page read and write

10D0000

heap

page read and write

68AB000

trusted library allocation

page read and write

7FFD9B784000

trusted library allocation

page read and write

1F69D250000

heap

page read and write

30A1000

trusted library allocation

page read and write

6990000

heap

page read and write

5351000

trusted library allocation

page read and write

129A000

heap

page read and write

2F9B000

trusted library allocation

page read and write

62E0000

heap

page read and write

68A6000

trusted library allocation

page read and write

3133000

trusted library allocation

page read and write

5362000

trusted library allocation

page read and write

1336000

heap

page read and write

1230000

trusted library allocation

page read and write

533B000

trusted library allocation

page read and write

1490000

trusted library allocation

page read and write

7FFD9B939000

trusted library allocation

page read and write

7FFD9B950000

trusted library allocation

page read and write

675E000

stack

page read and write

7FFD9B78D000

trusted library allocation

page execute and read and write

3179000

trusted library allocation

page read and write

1F69D1D0000

trusted library allocation

page read and write

14F0000

trusted library allocation

page read and write

6900000

trusted library allocation

page read and write

305D000

trusted library allocation

page read and write

51392FE000

stack

page read and write

312C000

trusted library allocation

page read and write

5138DFE000

stack

page read and write

1F69D210000

heap

page read and write

1F69D21C000

heap

page read and write

BFA000

stack

page read and write

2EDF000

stack

page read and write

7FFD9B792000

trusted library allocation

page read and write

7FFD9B783000

trusted library allocation

page execute and read and write

5470000

heap

page read and write

7FFD9B980000

trusted library allocation

page read and write

51391FC000

stack

page read and write

69B0000

trusted library allocation

page execute and read and write

1F69ED60000

heap

page read and write

7FFD9B7DC000

trusted library allocation

page execute and read and write

7FFD9B830000

trusted library allocation

page read and write

1510000

trusted library allocation

page read and write

1F6AEEF7000

trusted library allocation

page read and write

6366000

heap

page read and write

1250000

trusted library allocation

page read and write

1F69D1C0000

trusted library allocation

page read and write

7FFD9B782000

trusted library allocation

page read and write

146F000

stack

page read and write

66DE000

stack

page read and write

2FA8000

trusted library allocation

page read and write

3184000

trusted library allocation

page read and write

7FFD9B79D000

trusted library allocation

page execute and read and write

57FE000

stack

page read and write

1270000

heap

page read and write

7FFD9B8A0000

trusted library allocation

page execute and read and write

3043000

trusted library allocation

page read and write

1F69D110000

heap

page read and write

533E000

trusted library allocation

page read and write

5138FFE000

stack

page read and write

68C3000

trusted library allocation

page read and write

147B000

trusted library allocation

page execute and read and write

3047000

trusted library allocation

page read and write

5A10000

trusted library allocation

page execute and read and write

534E000

trusted library allocation

page read and write

689F000

stack

page read and write

2FBB000

trusted library allocation

page read and write

F60000

heap

page read and write

EF7000

stack

page read and write

68E0000

trusted library allocation

page execute and read and write

68C0000

trusted library allocation

page read and write

304B000

trusted library allocation

page read and write

3F19000

trusted library allocation

page read and write

1475000

trusted library allocation

page execute and read and write

5336000

trusted library allocation

page read and write

1F69D253000

heap

page read and write

534A000

trusted library allocation

page read and write

1278000

heap

page read and write

1240000

trusted library allocation

page read and write

68B0000

trusted library allocation

page execute and read and write

6960000

trusted library allocation

page read and write

1F6AF28F000

trusted library allocation

page read and write

3037000

trusted library allocation

page read and write

68A8000

trusted library allocation

page read and write

1F69EE60000

heap

page execute and read and write

10D5000

heap

page read and write

633D000

heap

page read and write

1F69D286000

heap

page read and write

1F69EF20000

trusted library allocation

page read and write

126A000

trusted library allocation

page execute and read and write

5A00000

trusted library allocation

page read and write

1F69CFA2000

unkown

page readonly

1F69D23B000

heap

page read and write

5330000

trusted library allocation

page read and write

5A20000

trusted library allocation

page read and write

11F0000

heap

page read and write

There are 216 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
new order.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportnew order.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
new order.exe