Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

New order.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.8724658376236265
Filename:	New order.exe
Filesize:	1055232
MD5:	d69be8da083a01d8e8dbbcaae09508bb
SHA1:	2a93d64a9247fc29a2329fc50a885c6496db3d60
SHA256:	56db5a7b1e7589d53a3aff22480d05c02f87fc504b4f0e229ef38f3417ec5471
SHA512:	1aace401206344e31c6f9c1463a89ae786bc7a151b91bd546b8ddad5c70a1859f945ccc23f1448bd2592375678c6b8978ff41b496eb3134e3c7372e485db5f01
SSDEEP:	24576:IqDEvCTbMWu7rQYlBQcBiT6rprG8aZwGedJ:ITvC/MTQYxsWR7aZL
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Binary is likely a compiled AutoIt script file	System Summary
Found API chain indicative of sandbox detection	Malware Analysis System Evasion	Access Token Manipulation Virtualization/Sandbox Evasion
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion	Access Token Manipulation
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)	System Summary
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts
Contains functionality to launch a process as a different user	System Summary	Native API
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation Access Token Manipulation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Access Token Manipulation Clipboard Data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Access Token Manipulation Encrypted Channel
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation
Found potential string decryption / allocating functions	System Summary
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Access Token Manipulation System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
Contains functionality for error logging	System Summary	Access Token Manipulation
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Contains functionality to download additional files from the internet	Networking
Contains functionality to enum processes or threads	System Summary	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	Access Token Manipulation
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\autE8CA.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\autE8CA.tmp
Category:	dropped
Dump:	autE8CA.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\New order.exe
Type:	data
Entropy:	7.928837197531822
Encrypted:	false
Ssdeep:	1536:4DimrSxVEmo+gmgEo+MjFE4mHDARaibH2sNaDuwF+l597b/03vENtx30avrMUA5d:Ir6tBrIFE47bRNlwFub/UvYXlZT1U
Size:	95128
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\autE9A5.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\autE9A5.tmp
Category:	dropped
Dump:	autE9A5.tmp.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\New order.exe
Type:	data
Entropy:	7.624159192641296
Encrypted:	false
Ssdeep:	192:CZIUd0q813En0F2U7dVmz0jdGYlrO2y7phObWXwic+1RjP8AsT0WAI:Yd0x1Un0gU7u4jd7rvIWMw2/jP8AsTsI
Size:	9746
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\ghauts

FGDC-STD-001-1998

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\ghauts
Category:	dropped
Dump:	ghauts.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\New order.exe
Type:	FGDC-STD-001-1998
Entropy:	3.576585734584764
Encrypted:	false
Ssdeep:	384:gAQK3ObXwQ4/6BdBsM6IYj84F5RduHE3cLu2FqOwtsVdfGbLph1juTJOtHtiP:PQKeP3sMMIEuVK2FMtsfGbLph1jXtAP
Size:	28674
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\unjust

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\unjust
Category:	dropped
Dump:	unjust.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\New order.exe
Type:	data
Entropy:	6.91313081716523
Encrypted:	false
Ssdeep:	1536:0cxP+7cCYPWSwvGpkTFU7139+KZTSfXeSRpZFw3EPIE5AHuOhmpuCCj1Z1XCI42H:04P+7LlwMpXw+AHuOhZpC+4Sb
Size:	133632
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\New order.exe

"C:\Users\user\Desktop\New order.exe"

Details

Is windows:	false
Is dropped:	false
PID:	532
Target ID:	0
Parent PID:	1244
Name:	New order.exe
Path:	C:\Users\user\Desktop\New order.exe
Commandline:	"C:\Users\user\Desktop\New order.exe"
Size:	1055232
MD5:	D69BE8DA083A01D8E8DBBCAAE09508BB
Time:	15:42:10
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xda0000
Modulesize:	1077248
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Binary is likely a compiled AutoIt script file	System Summary
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\New order.exe"

Details

Is windows:	true
Is dropped:	false
PID:	1756
Target ID:	2
Parent PID:	532
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\New order.exe"
Size:	45248
MD5:	19855C0DC5BEC9FDF925307C57F9F5FC
Time:	15:42:11
Date:	25/07/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x9f0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://crl.pkioverheid.nl/DomOvLatestCRL.crl0

unknown

http://checkip.dyndns.org/

193.122.6.168

http://crl.entrust.net/server1.crl0

unknown

http://ocsp.entrust.net03

unknown

http://checkip.dyndns.org/q

unknown

http://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org

unknown

http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0

unknown

http://www.diginotar.nl/cps/pkioverheid0

unknown

http://checkip.dyndns.org

unknown

http://checkip.dyndns.com

unknown

https://reallyfreegeoip.org/xml/8.46.123.33

188.114.97.3

http://ocsp.entrust.net0D

unknown

https://reallyfreegeoip.org/xml/8.46.123.334

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://secure.comodo.com/CPS0

unknown

http://crl.entrust.net/2048ca.crl0

unknown

https://reallyfreegeoip.org/xml/

unknown

There are 8 hidden URLs, click here to show them.

Domains

Name

Malicious

reallyfreegeoip.org

188.114.97.3

Details

Name:	reallyfreegeoip.org
IP:	188.114.97.3
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

checkip.dyndns.com

193.122.6.168

IPs

Domain

Country

Malicious

188.114.97.3

reallyfreegeoip.org

European Union

Details

IP:	188.114.97.3
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

193.122.6.168

checkip.dyndns.com

United States

188.114.96.3

unknown

European Union

158.101.44.242

unknown

United States

132.226.247.73

unknown

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C

Blob

There are 9 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

600000

direct allocation

page read and write

251C000

trusted library allocation

page read and write

2371000

trusted library allocation

page read and write

402000

system

page execute and read and write

8EE000

heap

page read and write

719E000

stack

page read and write

2990000

direct allocation

page read and write

2A6A000

direct allocation

page read and write

17D000

trusted library allocation

page execute and read and write

2B20000

direct allocation

page read and write

2C21000

direct allocation

page read and write

2444000

trusted library allocation

page read and write

574E000

unkown

page read and write

670E000

stack

page read and write

248D000

trusted library allocation

page read and write

60D0000

heap

page read and write

23F5000

trusted library allocation

page read and write

25E000

stack

page read and write

1E2000

trusted library allocation

page read and write

8F0000

heap

page read and write

3371000

trusted library allocation

page read and write

2C27000

direct allocation

page read and write

630000

heap

page read and write

706E000

stack

page read and write

2990000

direct allocation

page read and write

4AD4000

heap

page read and write

640000

heap

page read and write

BB000

stack

page read and write

2412000

trusted library allocation

page read and write

2C10000

direct allocation

page read and write

4EE0000

heap

page read and write

DA0000

unkown

page readonly

5F1F000

stack

page read and write

249D000

trusted library allocation

page read and write

2170000

heap

page read and write

2B20000

direct allocation

page read and write

2C24000

direct allocation

page read and write

E6C000

unkown

page write copy

54F000

stack

page read and write

79B000

heap

page read and write

2B30000

direct allocation

page read and write

900000

heap

page read and write

3399000

trusted library allocation

page read and write

36000

heap

page read and write

44EE000

stack

page read and write

2415000

trusted library allocation

page read and write

1E5000

trusted library allocation

page execute and read and write

5BFE000

stack

page read and write

23F8000

trusted library allocation

page read and write

5A1E000

stack

page read and write

2578000

trusted library allocation

page read and write

2B20000

direct allocation

page read and write

5850000

heap

page read and write

2C24000

direct allocation

page read and write

5865000

heap

page read and write

530000

trusted library allocation

page execute and read and write

6F1E000

stack

page read and write

50F0000

heap

page read and write

2C90000

direct allocation

page read and write

2B30000

direct allocation

page read and write

24A1000

trusted library allocation

page read and write

62F0000

heap

page read and write

2C21000

direct allocation

page read and write

5F7E000

stack

page read and write

2B20000

direct allocation

page read and write

903000

heap

page read and write

E74000

unkown

page readonly

7F4000

heap

page read and write

24B6000

trusted library allocation

page read and write

24C5000

trusted library allocation

page read and write

7EE000

heap

page read and write

370000

trusted library allocation

page read and write

256C000

trusted library allocation

page read and write

2C90000

direct allocation

page read and write

2C10000

direct allocation

page read and write

2C30000

direct allocation

page read and write

8D1000

heap

page read and write

534E000

stack

page read and write

4EE8000

heap

page read and write

236E000

stack

page read and write | page guard

E74000

unkown

page readonly

DA0000

unkown

page readonly

2C90000

direct allocation

page read and write

2A6A000

direct allocation

page read and write

2990000

direct allocation

page read and write

2C27000

direct allocation

page read and write

8DF000

heap

page read and write

D40000

heap

page read and write

8D1000

heap

page read and write

4F3D000

heap

page read and write

2499000

trusted library allocation

page read and write

643E000

stack

page read and write

1D0000

trusted library allocation

page read and write

50CF000

stack

page read and write

903000

heap

page read and write

CA000

stack

page read and write

174000

trusted library allocation

page read and write

666E000

stack

page read and write

210E000

stack

page read and write

25C2000

heap

page read and write

2990000

direct allocation

page read and write

2A6D000

direct allocation

page read and write

BE0000

heap

page read and write

752000

heap

page read and write

2A6D000

direct allocation

page read and write

556E000

stack

page read and write

10000

heap

page read and write

2406000

trusted library allocation

page read and write

2C27000

direct allocation

page read and write

E3C000

unkown

page readonly

18D000

trusted library allocation

page execute and read and write

55C000

stack

page read and write

30000

heap

page read and write

2C10000

direct allocation

page read and write

5898000

heap

page read and write

24E0000

trusted library allocation

page read and write

2C10000

direct allocation

page read and write

24A5000

trusted library allocation

page read and write

7F4000

heap

page read and write

2B20000

direct allocation

page read and write

496F000

stack

page read and write

2990000

direct allocation

page read and write

2C90000

direct allocation

page read and write

2C24000

direct allocation

page read and write

53F000

stack

page read and write

7ED000

heap

page read and write

2C21000

direct allocation

page read and write

244C000

trusted library allocation

page read and write

903000

heap

page read and write

1EB000

trusted library allocation

page execute and read and write

903000

heap

page read and write

2B30000

direct allocation

page read and write

2A6D000

direct allocation

page read and write

68DF000

stack

page read and write

2561000

trusted library allocation

page read and write

652000

heap

page read and write

7F4000

heap

page read and write

517E000

stack

page read and write

2458000

trusted library allocation

page read and write

7AC000

heap

page read and write

2C30000

direct allocation

page read and write

486E000

stack

page read and write

2450000

trusted library allocation

page read and write

75F000

heap

page read and write

52EE000

stack

page read and write

8C1000

heap

page read and write

2500000

trusted library allocation

page read and write

380000

trusted library allocation

page read and write

7AC000

heap

page read and write

50CE000

stack

page read and write | page guard

8D1000

heap

page read and write

2C30000

direct allocation

page read and write

24BE000

trusted library allocation

page read and write

DA1000

unkown

page execute read

2C24000

direct allocation

page read and write

2A6A000

direct allocation

page read and write

903000

heap

page read and write

2440000

heap

page read and write

7BB000

heap

page read and write

2B30000

direct allocation

page read and write

25A0000

heap

page read and write

2C30000

direct allocation

page read and write

24FC000

trusted library allocation

page read and write

767000

heap

page read and write

6C8E000

stack

page read and write | page guard

2990000

direct allocation

page read and write

656E000

stack

page read and write

4E40000

heap

page read and write

9A8000

heap

page read and write

52D000

stack

page read and write

6C0000

trusted library allocation

page execute and read and write

2491000

trusted library allocation

page read and write

1D2000

trusted library allocation

page read and write

2AE0000

heap

page read and write

160000

direct allocation

page execute and read and write

2A6D000

direct allocation

page read and write

2C21000

direct allocation

page read and write

2495000

trusted library allocation

page read and write

6BE000

stack

page read and write

5F0000

heap

page execute and read and write

250E000

trusted library allocation

page read and write

2A6A000

direct allocation

page read and write

6B1F000

stack

page read and write

2585000

trusted library allocation

page read and write

784000

heap

page read and write

2567000

trusted library allocation

page read and write

2C27000

direct allocation

page read and write

2C27000

direct allocation

page read and write

4AD0000

heap

page read and write

4AF2000

heap

page read and write

2454000

trusted library allocation

page read and write

10000

heap

page read and write

2B20000

direct allocation

page read and write

2442000

trusted library allocation

page read and write

7F4000

heap

page read and write

8D1000

heap

page read and write

E6C000

unkown

page read and write

49BE000

stack

page read and write

9EE000

stack

page read and write

170000

trusted library allocation

page read and write

24A9000

trusted library allocation

page read and write

5F1E000

stack

page read and write | page guard

25A4000

heap

page read and write

807000

heap

page read and write

6C8F000

stack

page read and write

5FCE000

stack

page read and write

2C90000

direct allocation

page read and write

BDD000

stack

page read and write

8D2000

heap

page read and write

2B30000

direct allocation

page read and write

236F000

stack

page read and write

55BE000

stack

page read and write

2A6D000

direct allocation

page read and write

2B30000

direct allocation

page read and write

DA1000

unkown

page execute read

190000

heap

page execute and read and write

5D1E000

stack

page read and write

7C0000

heap

page read and write

43AE000

stack

page read and write

E3C000

unkown

page readonly

E62000

unkown

page readonly

57F000

stack

page read and write

3A0000

heap

page execute and read and write

160000

trusted library allocation

page read and write

242E000

trusted library allocation

page read and write

1E7000

trusted library allocation

page execute and read and write

8F4000

heap

page read and write

260000

trusted library allocation

page execute and read and write

4F06000

heap

page read and write

2A6A000

direct allocation

page read and write

2C21000

direct allocation

page read and write

9A0000

heap

page read and write

56F000

stack

page read and write

7F4000

heap

page read and write

7F5000

heap

page read and write

368000

stack

page read and write

E70000

unkown

page write copy

2C10000

direct allocation

page read and write

540000

trusted library allocation

page read and write

560000

heap

page read and write

6DEE000

stack

page read and write

2C21000

direct allocation

page read and write

7EF000

heap

page read and write

5DAE000

stack

page read and write

7C2000

heap

page read and write

5B1E000

stack

page read and write

717000

heap

page read and write

1DA000

trusted library allocation

page execute and read and write

2C24000

direct allocation

page read and write

7F4000

heap

page read and write

2409000

trusted library allocation

page read and write

E62000

unkown

page readonly

24D3000

trusted library allocation

page read and write

4ABE000

stack

page read and write

2A6D000

direct allocation

page read and write

5BAE000

stack

page read and write

23FD000

trusted library allocation

page read and write

2C30000

direct allocation

page read and write

710000

heap

page read and write

51BD000

stack

page read and write

584D000

stack

page read and write

2C30000

direct allocation

page read and write

173000

trusted library allocation

page execute and read and write

2C24000

direct allocation

page read and write

760000

heap

page read and write

2588000

trusted library allocation

page read and write

7AA000

heap

page read and write

2C90000

direct allocation

page read and write

400000

system

page execute and read and write

546D000

stack

page read and write

257F000

trusted library allocation

page read and write

7AC000

heap

page read and write

59AE000

stack

page read and write

1D6000

trusted library allocation

page execute and read and write

215E000

stack

page read and write

8C2000

heap

page read and write

2C27000

direct allocation

page read and write

2400000

trusted library allocation

page read and write

5E0E000

stack

page read and write

2A6A000

direct allocation

page read and write

BE7000

heap

page read and write

2464000

trusted library allocation

page read and write

180000

trusted library allocation

page read and write

734000

heap

page read and write

7EB000

heap

page read and write

61EE000

stack

page read and write

43EE000

stack

page read and write

903000

heap

page read and write

2C10000

direct allocation

page read and write

4F20000

heap

page read and write

7F4000

heap

page read and write

There are 281 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
New order.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportNew order.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
New order.exe