Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

New_Order_Inquiry.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.655468093430536
Filename:	New_Order_Inquiry.exe
Filesize:	1267200
MD5:	0b789b4497c15da5ea8b2d82c4c6e2e0
SHA1:	e8f736e18f9147ee08e71f63bd78a2cf132ce794
SHA256:	69074195ee6ec19a43f304b8c92a0dcdeeabeb0bcbf8d007ae0dcf6781e487c2
SHA512:	a24e171a1e526100337e826ff886fbbf03f3d6269d2ba5beb4444f8e7b9fef2ab3bc5085ead3a303069f3a74db463d0e4693f7fca0a39120bbc2c100656e3c3d
SSDEEP:	24576:ztb20pkaCqT5TBWgNQ7aaWqN4SDcGF0Yg6A:wVg5tQ7aaAt5
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection	Exploitation for Privilege Escalation Access Token Manipulation
Multi AV Scanner detection for submitted file	AV Detection	Disable or Modify Tools
Binary is likely a compiled AutoIt script file	System Summary
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion	Access Token Manipulation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging	Disable or Modify Tools
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Valid Accounts Disable or Modify Tools
Contains functionality to launch a process as a different user	System Summary
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation Access Token Manipulation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Access Token Manipulation
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	Disable or Modify Tools
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Detected potential crypto function	System Summary	Access Token Manipulation System Time Discovery Encrypted Channel
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found evaded block containing many API calls	Malware Analysis System Evasion	Access Token Manipulation Disable or Modify Tools
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API Access Token Manipulation
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation System Time Discovery
Found potential string decryption / allocating functions	System Summary
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Access Token Manipulation Disable or Modify Tools System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Disable or Modify Tools
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
.NET source code contains calls to encryption/decryption functions	System Summary	Deobfuscate/Decode Files or Information Archive Collected Data
Contains functionality for error logging	System Summary	Access Token Manipulation Disable or Modify Tools
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Contains functionality to download additional files from the internet	Networking
Contains functionality to enum processes or threads	System Summary	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Disable or Modify Tools
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Program exit points	Malware Analysis System Evasion	Disable or Modify Tools
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation Disable or Modify Tools
Tries to load missing DLLs	System Summary	DLL Side-Loading Disable or Modify Tools
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary	Disable or Modify Tools

C:\Users\user\AppData\Local\Temp\Sheitan

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Sheitan
Category:	dropped
Dump:	Sheitan.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\New_Order_Inquiry.exe
Type:	data
Entropy:	6.746006404854314
Encrypted:	false
Ssdeep:	6144:Ei6RmJe0s3o8ztk6snVjfCMaASevXED/AGHCAShtDW2tDr55yontYfKJRs3kI3XH:L6RYe0sY8WZKuXEXYs33xE/O
Size:	245248
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\aut2F3.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut2F3.tmp
Category:	dropped
Dump:	aut2F3.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\New_Order_Inquiry.exe
Type:	data
Entropy:	7.832366517166845
Encrypted:	false
Ssdeep:	3072:aBGnrHRhFfEfITFdfOcY8Q/pyMeRGiZRNz3mhxok0P8K4D7oEt2nryWfKT:+GKI/Ols9G4/aC8K4HodyWfKT
Size:	154714
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\New_Order_Inquiry.exe

"C:\Users\user\Desktop\New_Order_Inquiry.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7656
Target ID:	0
Parent PID:	4084
Name:	New_Order_Inquiry.exe
Path:	C:\Users\user\Desktop\New_Order_Inquiry.exe
Commandline:	"C:\Users\user\Desktop\New_Order_Inquiry.exe"
Size:	1267200
MD5:	0B789B4497C15DA5EA8B2D82C4C6E2E0
Time:	04:23:49
Date:	20/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc60000
Modulesize:	1294336
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Binary is likely a compiled AutoIt script file	System Summary
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\New_Order_Inquiry.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7736
Target ID:	2
Parent PID:	7656
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\New_Order_Inquiry.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	04:23:50
Date:	20/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x40000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://mail.zqamcx.com

unknown

http://zqamcx.com

unknown

https://account.dyn.com/

unknown

http://r11.o.lencr.org0#

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://r11.i.lencr.org/0#

unknown

http://x1.c.lencr.org/0

unknown

http://x1.i.lencr.org/0

unknown

http://ip-api.com/line/?fields=hosting

208.95.112.1

http://ip-api.com

unknown

Domains

Name

Malicious

mail.zqamcx.com

unknown

Details

Name:	mail.zqamcx.com
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

zqamcx.com

78.110.166.82

Details

Name:	zqamcx.com
IP:	78.110.166.82
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Check if machine is in data center or colocation facility	Malware Analysis System Evasion	Security Software Discovery
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

208.95.112.1

ip-api.com

United States

78.110.166.82

zqamcx.com

United Kingdom

Details

IP:	78.110.166.82
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	42831
ASN name:	UKSERVERS-ASUKDedicatedServersHostingandCo-Location
Private:	false
Domain:	zqamcx.com

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

23C5000

trusted library allocation

page read and write

412000

system

page execute and read and write

2415000

trusted library allocation

page read and write

23F2000

trusted library allocation

page read and write

3810000

direct allocation

page read and write

5680000

heap

page read and write

5719000

heap

page read and write

5B17000

trusted library allocation

page read and write

5BBD000

stack

page read and write

C61000

unkown

page execute read

3F09000

direct allocation

page read and write

80E000

stack

page read and write

3D63000

direct allocation

page read and write

1574000

heap

page read and write

642000

trusted library allocation

page read and write

1753000

heap

page read and write

17A6000

heap

page read and write

4852000

trusted library allocation

page read and write

1340000

heap

page read and write

C60000

unkown

page readonly

D57000

unkown

page readonly

4914000

heap

page read and write

D0E000

unkown

page readonly

3F0D000

direct allocation

page read and write

570000

heap

page read and write

708000

heap

page read and write

3F7E000

direct allocation

page read and write

154B000

heap

page read and write

601E000

stack

page read and write

4920000

heap

page read and write

3C40000

direct allocation

page read and write

6280000

trusted library allocation

page execute and read and write

490000

heap

page read and write

3F7E000

direct allocation

page read and write

5A0000

heap

page read and write

CED000

unkown

page readonly

115C000

stack

page read and write

D24000

unkown

page readonly

4FB0000

trusted library allocation

page read and write

610000

trusted library allocation

page read and write

D1A000

unkown

page write copy

3D63000

direct allocation

page read and write

950000

heap

page read and write

3F7E000

direct allocation

page read and write

C40000

heap

page read and write

3D63000

direct allocation

page read and write

44CE000

stack

page read and write

3D63000

direct allocation

page read and write

6290000

heap

page read and write

2423000

trusted library allocation

page read and write

3DE0000

direct allocation

page read and write

615E000

stack

page read and write

5CA0000

trusted library allocation

page read and write

5BC0000

trusted library allocation

page read and write

117B000

stack

page read and write

705000

heap

page read and write

1797000

heap

page read and write

5CAB000

trusted library allocation

page read and write

2270000

heap

page read and write

4810000

heap

page read and write

16B5000

heap

page read and write

410000

system

page execute and read and write

2380000

heap

page execute and read and write

3D63000

direct allocation

page read and write

3F0D000

direct allocation

page read and write

65B000

trusted library allocation

page execute and read and write

D1A000

unkown

page read and write

5B00000

trusted library allocation

page read and write

1750000

heap

page read and write

16C4000

heap

page read and write

3F09000

direct allocation

page read and write

23F0000

trusted library allocation

page read and write

62D000

trusted library allocation

page execute and read and write

484E000

trusted library allocation

page read and write

2411000

trusted library allocation

page read and write

D0E000

unkown

page readonly

174C000

heap

page read and write

210E000

stack

page read and write

9B0000

trusted library allocation

page read and write

59BF000

stack

page read and write

151E000

heap

page read and write

15F9000

heap

page read and write

5B20000

trusted library allocation

page read and write

15F8000

heap

page read and write

61D000

trusted library allocation

page execute and read and write

655000

trusted library allocation

page execute and read and write

D1F000

unkown

page write copy

9DE000

stack

page read and write

59FD000

stack

page read and write

611E000

stack

page read and write

3F7E000

direct allocation

page read and write

3F7E000

direct allocation

page read and write

3F0D000

direct allocation

page read and write

4B1C000

stack

page read and write

C60000

unkown

page readonly

1552000

heap

page read and write

4890000

trusted library allocation

page read and write

5F5D000

stack

page read and write

3F09000

direct allocation

page read and write

652000

trusted library allocation

page read and write

1555000

heap

page read and write

5A5000

heap

page read and write

600000

trusted library allocation

page read and write

657000

trusted library allocation

page execute and read and write

5B10000

trusted library allocation

page read and write

2428000

trusted library allocation

page read and write

5C9E000

stack

page read and write

38F0000

heap

page read and write

3F7E000

direct allocation

page read and write

3F0D000

direct allocation

page read and write

7F990000

trusted library allocation

page execute and read and write

484B000

trusted library allocation

page read and write

1750000

heap

page read and write

119D000

stack

page read and write

C61000

unkown

page execute read

3DE0000

direct allocation

page read and write

3C40000

direct allocation

page read and write

485E000

trusted library allocation

page read and write

2391000

trusted library allocation

page read and write

56FE000

heap

page read and write

CED000

unkown

page readonly

77E000

heap

page read and write

3F09000

direct allocation

page read and write

3C40000

direct allocation

page read and write

6D0000

heap

page read and write

6C0000

trusted library allocation

page execute and read and write

1555000

heap

page read and write

3DE0000

direct allocation

page read and write

15F8000

heap

page read and write

4FA0000

heap

page read and write

5B07000

trusted library allocation

page read and write

3F0D000

direct allocation

page read and write

174C000

heap

page read and write

241D000

trusted library allocation

page read and write

116F000

stack

page read and write

1320000

heap

page read and write

3D63000

direct allocation

page read and write

3DE0000

direct allocation

page read and write

1510000

heap

page read and write

5AFD000

stack

page read and write

DA000

stack

page read and write

6270000

trusted library allocation

page read and write

3C40000

direct allocation

page read and write

89E000

stack

page read and write

1D0E000

stack

page read and write

6D8000

heap

page read and write

4FC0000

trusted library allocation

page execute and read and write

3D63000

direct allocation

page read and write

D57000

unkown

page readonly

226F000

stack

page read and write

3F0D000

direct allocation

page read and write

9C0000

heap

page read and write

640000

trusted library allocation

page read and write

5B70000

trusted library allocation

page execute and read and write

4866000

trusted library allocation

page read and write

8DA000

stack

page read and write

24FD000

trusted library allocation

page read and write

237E000

stack

page read and write

7A3000

heap

page read and write

85E000

stack

page read and write

3F09000

direct allocation

page read and write

613000

trusted library allocation

page execute and read and write

646000

trusted library allocation

page execute and read and write

3C40000

direct allocation

page read and write

486D000

trusted library allocation

page read and write

3DE0000

direct allocation

page read and write

242C000

trusted library allocation

page read and write

1555000

heap

page read and write

1609000

heap

page read and write

4910000

heap

page read and write

1796000

heap

page read and write

4900000

heap

page execute and read and write

4880000

trusted library allocation

page read and write

175F000

heap

page read and write

3F7E000

direct allocation

page read and write

3DE0000

direct allocation

page read and write

5C5E000

stack

page read and write

2404000

trusted library allocation

page read and write

630000

heap

page read and write

38F4000

heap

page read and write

9C6000

heap

page read and write

1628000

heap

page read and write

3F0D000

direct allocation

page read and write

4830000

trusted library allocation

page read and write

1D9000

stack

page read and write

6BE000

stack

page read and write

174B000

heap

page execute and read and write

6EE000

heap

page read and write

918000

trusted library allocation

page read and write

625E000

stack

page read and write

4FB8000

trusted library allocation

page read and write

33B9000

trusted library allocation

page read and write

620000

trusted library allocation

page read and write

5EE000

stack

page read and write

4C2E000

unkown

page read and write

99E000

stack

page read and write

33F8000

trusted library allocation

page read and write

3F09000

direct allocation

page read and write

4840000

trusted library allocation

page read and write

6F9000

heap

page read and write

5B2D000

trusted library allocation

page read and write

1582000

heap

page read and write

3391000

trusted library allocation

page read and write

3F09000

direct allocation

page read and write

65F0000

heap

page read and write

614000

trusted library allocation

page read and write

154A000

heap

page read and write

3DE0000

direct allocation

page read and write

73D000

heap

page read and write

3C40000

direct allocation

page read and write

5694000

heap

page read and write

4938000

heap

page read and write

670000

trusted library allocation

page read and write

940000

heap

page read and write

43CC000

stack

page read and write

4F9D000

stack

page read and write

64A000

trusted library allocation

page execute and read and write

D24000

unkown

page readonly

4872000

trusted library allocation

page read and write

174C000

heap

page read and write

4861000

trusted library allocation

page read and write

151A000

heap

page read and write

3C40000

direct allocation

page read and write

48EC000

stack

page read and write

There are 214 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
New_Order_Inquiry.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportNew_Order_Inquiry.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
New_Order_Inquiry.exe