Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

NOVA ORDEM.exe

PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	5.875374057480727
Filename:	NOVA ORDEM.exe
Filesize:	1553007
MD5:	136fe5a45a9e08721c4ee8ae540e7c43
SHA1:	be023d1cdb3625ea61f9c6733aafdbc30776462d
SHA256:	d58ae9bd3aa477d78a4b208ee5fcc32fb798a0f20ce30aef7a2b98c419b643be
SHA512:	673af0f9a91f03f990a622aa146e1245d4fe9730f6704e4e6e29ac6bfc9426b15e780292b909f4d6cfcbef845b847b2fceeda5c64db874ede44b30710f839473
SSDEEP:	24576:EwHQn+qL3www7jkU22gQHix+AtqHodbwWNkVS9SONQ813m:ETd3D2jH229C+OZy88
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."...0.................. ....@...... ....................................`................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection	Process Injection
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Checks if the current process is being debugged	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
One or more processes crash	System Summary
PE file does not import any functions	System Summary	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Process Injection Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Process Injection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary
Uses Microsoft Silverlight	System Summary	Process Injection

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_NOVA ORDEM.exe_183265296818dedab7d0b93d41b13e51f02317e6_4b8a3282_5d79ce14-7b1c-47f3-9856-1b13ca046127\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_NOVA ORDEM.exe_183265296818dedab7d0b93d41b13e51f02317e6_4b8a3282_5d79ce14-7b1c-47f3-9856-1b13ca046127\Report.wer
Category:	dropped
Dump:	Report.wer.8.dr
ID:	dr_3
Target ID:	8
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	1.0839442403098154
Encrypted:	false
Ssdeep:	192:bIU1WdzQ3l50UnUlaWBe3ZFlnG0/zuiFaZ24lO8Qj9j:31WdzQ3YUnUlamwG2zuiFaY4lO8Qd
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE file does not import any functions	System Summary
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6844.tmp.dmp

Mini DuMP crash report, 16 streams, Tue Jul 2 06:22:44 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER6844.tmp.dmp
Category:	dropped
Dump:	WER6844.tmp.dmp.8.dr
ID:	dr_0
Target ID:	8
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 16 streams, Tue Jul 2 06:22:44 2024, 0x1205a4 type
Entropy:	3.3896616501457184
Encrypted:	false
Ssdeep:	3072:0YjkqCtKDTsmLd8x4srf2ftBUcSEmf1CCq/RLlFV9Mv3+va/o+I:0YjkYDt+TrZHqVMv3Q
Size:	468519
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER69FA.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER69FA.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER69FA.tmp.WERInternalMetadata.xml.8.dr
ID:	dr_1
Target ID:	8
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.7166687332028645
Encrypted:	false
Ssdeep:	192:R6l7wVeJ8VbLB6Y9PVWggmf46Japr+89bNHUfPJvm:R6lXJGXB6YVVWggmf4i4N0fPs
Size:	9054
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A2A.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A2A.tmp.xml
Category:	dropped
Dump:	WER6A2A.tmp.xml.8.dr
ID:	dr_2
Target ID:	8
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.533684164745694
Encrypted:	false
Ssdeep:	48:cvIwWl8zscNJg771I9qNWpW8VYSYm8M4J8YTNAFpyq85QReB+2rqcT8DT281d:uIjfcnI7587VeJj+vIrqko2yd
Size:	4768
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.8.dr
ID:	dr_4
Target ID:	8
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.4659467420099
Encrypted:	false
Ssdeep:	6144:SIXfpi67eLPU9skLmb0b4CWSPKaJG8nAgejZMMhA2gX4WABl0uNwdwBCswSbe:XXD94CWlLZMM6YFHq+e
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\NOVA ORDEM.exe

"C:\Users\user\Desktop\NOVA ORDEM.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1344
Target ID:	0
Parent PID:	2580
Name:	NOVA ORDEM.exe
Path:	C:\Users\user\Desktop\NOVA ORDEM.exe
Commandline:	"C:\Users\user\Desktop\NOVA ORDEM.exe"
Size:	1553007
MD5:	136FE5A45A9E08721C4EE8AE540E7C43
Time:	02:22:41
Date:	02/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x2571c890000
Modulesize:	57344
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected UAC Bypass using CMSTP	Exploits
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7256
Target ID:	3
Parent PID:	1344
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe"
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	02:22:43
Date:	02/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true

Signature Hits	Behavior Group	Mitre Attack
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7264
Target ID:	4
Parent PID:	1344
Name:	wmplayer.exe
Path:	C:\Program Files (x86)\Windows Media Player\wmplayer.exe
Commandline:	"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Size:	166912
MD5:	A7790328035BBFCF041A6D815F9C28DF
Time:	02:22:43
Date:	02/07/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x160000
Modulesize:	184320
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected FormBook	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7272
Target ID:	5
Parent PID:	1344
Name:	wmplayer.exe
Path:	C:\Program Files (x86)\Windows Media Player\wmplayer.exe
Commandline:	"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Size:	166912
MD5:	A7790328035BBFCF041A6D815F9C28DF
Time:	02:22:43
Date:	02/07/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected FormBook	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3272
Target ID:	1
Parent PID:	1344
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	02:22:41
Date:	02/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1344 -s 1128

Details

Is windows:	true
Is dropped:	false
PID:	7336
Target ID:	8
Parent PID:	1344
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 1344 -s 1128
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	02:22:44
Date:	02/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://www.fontbureau.com

unknown

http://www.fontbureau.com/designersG

unknown

http://www.fontbureau.com/designers/?

unknown

http://www.founder.com.cn/cn/bThe

unknown

http://www.fontbureau.com/designers?

unknown

http://www.tiro.com

unknown

http://upx.sf.net

unknown

http://www.fontbureau.com/designers

unknown

http://www.goodfont.co.kr

unknown

http://www.carterandcone.coml

unknown

http://www.sajatypeworks.com

unknown

http://www.typography.netD

unknown

http://www.fontbureau.com/designers/cabarga.htmlN

unknown

http://www.founder.com.cn/cn/cThe

unknown

http://www.galapagosdesign.com/staff/dennis.htm

unknown

http://www.founder.com.cn/cn

unknown

http://www.fontbureau.com/designers/frere-user.html

unknown

http://www.jiyu-kobo.co.jp/

unknown

http://www.galapagosdesign.com/DPlease

unknown

http://www.fontbureau.com/designers8

unknown

http://www.fonts.com

unknown

http://www.sandoll.co.kr

unknown

http://www.urwpp.deDPlease

unknown

http://www.zhongyicts.com.cn

unknown

http://www.sakkal.com

unknown

There are 16 hidden URLs, click here to show them.

Registry

Path

Value

Malicious

\REGISTRY\A\{1f78bea8-1360-ce35-619f-8ebb3f1ddf09}\Root\InventoryApplicationFile\nova ordem.exe|12b3dd7daf805cf5

ProgramId

\REGISTRY\A\{1f78bea8-1360-ce35-619f-8ebb3f1ddf09}\Root\InventoryApplicationFile\nova ordem.exe|12b3dd7daf805cf5

FileId

\REGISTRY\A\{1f78bea8-1360-ce35-619f-8ebb3f1ddf09}\Root\InventoryApplicationFile\nova ordem.exe|12b3dd7daf805cf5

LowerCaseLongPath

\REGISTRY\A\{1f78bea8-1360-ce35-619f-8ebb3f1ddf09}\Root\InventoryApplicationFile\nova ordem.exe|12b3dd7daf805cf5

LongPathHash

\REGISTRY\A\{1f78bea8-1360-ce35-619f-8ebb3f1ddf09}\Root\InventoryApplicationFile\nova ordem.exe|12b3dd7daf805cf5

Name

\REGISTRY\A\{1f78bea8-1360-ce35-619f-8ebb3f1ddf09}\Root\InventoryApplicationFile\nova ordem.exe|12b3dd7daf805cf5

OriginalFileName

\REGISTRY\A\{1f78bea8-1360-ce35-619f-8ebb3f1ddf09}\Root\InventoryApplicationFile\nova ordem.exe|12b3dd7daf805cf5

Publisher

\REGISTRY\A\{1f78bea8-1360-ce35-619f-8ebb3f1ddf09}\Root\InventoryApplicationFile\nova ordem.exe|12b3dd7daf805cf5

Version

\REGISTRY\A\{1f78bea8-1360-ce35-619f-8ebb3f1ddf09}\Root\InventoryApplicationFile\nova ordem.exe|12b3dd7daf805cf5

BinFileVersion

\REGISTRY\A\{1f78bea8-1360-ce35-619f-8ebb3f1ddf09}\Root\InventoryApplicationFile\nova ordem.exe|12b3dd7daf805cf5

BinaryType

\REGISTRY\A\{1f78bea8-1360-ce35-619f-8ebb3f1ddf09}\Root\InventoryApplicationFile\nova ordem.exe|12b3dd7daf805cf5

ProductName

\REGISTRY\A\{1f78bea8-1360-ce35-619f-8ebb3f1ddf09}\Root\InventoryApplicationFile\nova ordem.exe|12b3dd7daf805cf5

ProductVersion

\REGISTRY\A\{1f78bea8-1360-ce35-619f-8ebb3f1ddf09}\Root\InventoryApplicationFile\nova ordem.exe|12b3dd7daf805cf5

LinkDate

\REGISTRY\A\{1f78bea8-1360-ce35-619f-8ebb3f1ddf09}\Root\InventoryApplicationFile\nova ordem.exe|12b3dd7daf805cf5

BinProductVersion

\REGISTRY\A\{1f78bea8-1360-ce35-619f-8ebb3f1ddf09}\Root\InventoryApplicationFile\nova ordem.exe|12b3dd7daf805cf5

AppxPackageFullName

\REGISTRY\A\{1f78bea8-1360-ce35-619f-8ebb3f1ddf09}\Root\InventoryApplicationFile\nova ordem.exe|12b3dd7daf805cf5

AppxPackageRelativeId

\REGISTRY\A\{1f78bea8-1360-ce35-619f-8ebb3f1ddf09}\Root\InventoryApplicationFile\nova ordem.exe|12b3dd7daf805cf5

Size

\REGISTRY\A\{1f78bea8-1360-ce35-619f-8ebb3f1ddf09}\Root\InventoryApplicationFile\nova ordem.exe|12b3dd7daf805cf5

Language

\REGISTRY\A\{1f78bea8-1360-ce35-619f-8ebb3f1ddf09}\Root\InventoryApplicationFile\nova ordem.exe|12b3dd7daf805cf5

Usn

There are 9 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

3B00000

direct allocation

page read and write

400000

remote allocation

page execute and read and write

2571E87D000

trusted library allocation

page read and write

2571E540000

trusted library allocation

page read and write

7FFD9B770000

trusted library allocation

page read and write

7FFD9B78D000

trusted library allocation

page execute and read and write

372F000

heap

page read and write

2571CAE9000

heap

page read and write

7FFD9B880000

trusted library allocation

page execute and read and write

25736DB0000

heap

page read and write

2571CA00000

heap

page read and write

7FFD9B930000

trusted library allocation

page read and write

7FFD9B846000

trusted library allocation

page execute and read and write

2571C890000

unkown

page readonly

38D9000

direct allocation

page execute and read and write

25736DDB000

heap

page read and write

3290000

heap

page read and write

25738AA0000

heap

page execute and read and write

2571CB46000

heap

page read and write

7FFD9B7BC000

trusted library allocation

page execute and read and write

7FFD9B940000

trusted library allocation

page read and write

2572E68C000

trusted library allocation

page read and write

7FFD9B917000

trusted library allocation

page read and write

2571CAC0000

heap

page read and write

A5D7AF3000

stack

page read and write

7FFD9B810000

trusted library allocation

page read and write

2571CCC0000

heap

page read and write

323E000

stack

page read and write

2571CD10000

heap

page read and write

2571E525000

trusted library allocation

page read and write

2571CB00000

heap

page read and write

257385D8000

heap

page read and write

2572E8EA000

trusted library allocation

page read and write

7FFD9B764000

trusted library allocation

page read and write

2571C892000

unkown

page readonly

328F000

heap

page read and write

3264000

heap

page read and write

2571CD15000

heap

page read and write

3B40000

direct allocation

page read and write

3290000

heap

page read and write

378F000

stack

page read and write

3C50000

heap

page read and write

7FFD9B76D000

trusted library allocation

page execute and read and write

7FFD9B920000

trusted library allocation

page read and write

2571CB34000

heap

page read and write

3200000

direct allocation

page read and write

3284000

heap

page read and write

2F7C000

stack

page read and write

7FFD9B952000

trusted library allocation

page read and write

328A000

heap

page read and write

2571CB2C000

heap

page read and write

3280000

heap

page read and write

A5D7EFE000

stack

page read and write

7FF4038B0000

trusted library allocation

page execute and read and write

25736DC9000

heap

page read and write

2571CA90000

trusted library allocation

page read and write

25736530000

trusted library allocation

page read and write

25737EB0000

trusted library allocation

page read and write

3287000

heap

page read and write

2571CBF0000

trusted library section

page readonly

7FFD9B820000

trusted library allocation

page execute and read and write

3575000

heap

page read and write

3A81000

direct allocation

page execute and read and write

2572E511000

trusted library allocation

page read and write

2571CB2F000

heap

page read and write

2571CAB0000

trusted library allocation

page read and write

A5D85FD000

stack

page read and write

2571CB78000

heap

page read and write

3451000

heap

page read and write

3733000

heap

page read and write

37B0000

direct allocation

page execute and read and write

7FFD9B900000

trusted library allocation

page read and write

2571CB81000

heap

page read and write

2571E5E2000

trusted library allocation

page read and write

7FFD9B784000

trusted library allocation

page read and write

A5D83FE000

stack

page read and write

2571CAC6000

heap

page read and write

38DD000

direct allocation

page execute and read and write

2571CEE0000

heap

page read and write

A5D7CFE000

stack

page read and write

25737ED2000

trusted library allocation

page read and write

2573852B000

trusted library section

page read and write

2571C920000

heap

page read and write

2572E501000

trusted library allocation

page read and write

7FFD9B78B000

trusted library allocation

page execute and read and write

7FFD9B760000

trusted library allocation

page read and write

2571CC10000

heap

page execute and read and write

7FFD9B762000

trusted library allocation

page read and write

2571CBC3000

trusted library allocation

page read and write

394E000

direct allocation

page execute and read and write

3B40000

direct allocation

page read and write

3260000

heap

page read and write

2571E501000

trusted library allocation

page read and write

257385A0000

heap

page read and write

7FFD9B960000

trusted library allocation

page execute and read and write

7FFD9B763000

trusted library allocation

page execute and read and write

7FFD9B906000

trusted library allocation

page read and write

2572E50D000

trusted library allocation

page read and write

368E000

stack

page read and write

7FFD9B910000

trusted library allocation

page read and write

3450000

heap

page read and write

7FFD9B77D000

trusted library allocation

page execute and read and write

3452000

heap

page read and write

3451000

heap

page read and write

7FFD9B970000

trusted library allocation

page read and write

3AF2000

direct allocation

page execute and read and write

A5D7BFE000

stack

page read and write

3264000

heap

page read and write

3606000

heap

page read and write

3B40000

direct allocation

page read and write

2571CCE0000

heap

page read and write

7FFD9B772000

trusted library allocation

page read and write

2FE0000

heap

page read and write

3B40000

direct allocation

page read and write

A5D7DFF000

stack

page read and write

2571CCC5000

heap

page read and write

7FFD9B950000

trusted library allocation

page read and write

7FFD9B816000

trusted library allocation

page read and write

7FFD9B778000

trusted library allocation

page read and write

2F3D000

stack

page read and write

400000

remote allocation

page execute and read and write

2571CBC0000

trusted library allocation

page read and write

257382B0000

heap

page read and write

2571CCA0000

heap

page read and write

7FFD9B91C000

trusted library allocation

page read and write

A5D82FF000

stack

page read and write

2571CEE5000

heap

page read and write

7FFD9B81C000

trusted library allocation

page execute and read and write

257383B0000

trusted library section

page read and write

2571CB03000

heap

page read and write

25736DA0000

heap

page read and write

2FF0000

heap

page read and write

A5D7FFB000

stack

page read and write

2571CACC000

heap

page read and write

A5D81FC000

stack

page read and write

2571CA20000

heap

page read and write

3A7D000

direct allocation

page execute and read and write

37A4000

heap

page read and write

A5D84FE000

stack

page read and write

364E000

stack

page read and write

7FFD9B780000

trusted library allocation

page read and write

2571CA40000

heap

page read and write

3B40000

direct allocation

page read and write

25736DC0000

heap

page read and write

3B40000

direct allocation

page read and write

2572E507000

trusted library allocation

page read and write

25736CD0000

trusted library section

page read and write

A5D80FC000

stack

page read and write

There are 138 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
NOVA ORDEM.exe

Files

Processes

URLs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportNOVA ORDEM.exe

Files

Processes

URLs

Registry

Memdumps

IOC Report
NOVA ORDEM.exe