Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Our New Order.exe

"C:\Users\user\Desktop\Our New Order.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6260
Target ID:	0
Parent PID:	4040
Name:	Our New Order.exe
Path:	C:\Users\user\Desktop\Our New Order.exe
Commandline:	"C:\Users\user\Desktop\Our New Order.exe"
Size:	656384
MD5:	82516477EB2A15DDE3CC3EFBB05FDE03
Time:	03:58:40
Date:	28/03/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xe80000
Modulesize:	679936
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6628
Target ID:	1
Parent PID:	6260
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	03:58:42
Date:	28/03/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1b0000
Modulesize:	57344
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6708
Target ID:	2
Parent PID:	6260
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	03:58:42
Date:	28/03/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x320000
Modulesize:	57344
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6724
Target ID:	3
Parent PID:	6260
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	03:58:42
Date:	28/03/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7f0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Snake Keylogger	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://reallyfreegeoip.org8

unknown

http://checkip.dyndns.org/

158.101.44.242

https://api.telegram.org

unknown

https://api.telegram.org/bot

unknown

http://checkip.dyndns.org/q

unknown

http://reallyfreegeoip.org

unknown

https://reallyfreegeoip.org

unknown

https://api.telegram.org/bot8055495510:AAGjjx2olozS_1Cl8WNZ40y4V688zWzQeEs/sendDocument?chat_id=1437

unknown

https://reallyfreegeoip.org/xml/45.92.229.138

104.21.32.1

http://checkip.dyndns.org

unknown

https://reallyfreegeoip.org/xml/45.92.229.138$

unknown

http://checkip.dyndns.com

unknown

http://api.telegram.org

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://api.telegram.org/bot8055495510:AAGjjx2olozS_1Cl8WNZ40y4V688zWzQeEs/sendDocument?chat_id=1437092720&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake

149.154.167.220

https://reallyfreegeoip.org/xml/

unknown

There are 6 hidden URLs, click here to show them.

Domains

Name

Malicious

reallyfreegeoip.org

104.21.32.1

Details

Name:	reallyfreegeoip.org
IP:	104.21.32.1
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Tries to detect the country of the analysis system (by using the IP)	Location Tracking
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Suricata IDS alerts with low severity for network traffic	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.telegram.org

149.154.167.220

Details

Name:	api.telegram.org
IP:	149.154.167.220
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
Uses the Telegram API (likely for C&C communication)	Networking	Web Service
HTTP GET or POST without a user agent	Networking
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

checkip.dyndns.com

158.101.44.242

checkip.dyndns.org

unknown

Details

Name:	checkip.dyndns.org
TargetID:	-1
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

149.154.167.220

api.telegram.org

United Kingdom

Details

IP:	149.154.167.220
TargetID:	3
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	api.telegram.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.21.32.1

reallyfreegeoip.org

United States

Details

IP:	104.21.32.1
TargetID:	3
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	reallyfreegeoip.org

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

158.101.44.242

checkip.dyndns.com

United States

Details

IP:	158.101.44.242
TargetID:	3
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	31898
ASN name:	ORACLE-BMC-31898US
Private:	false
Domain:	checkip.dyndns.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

Download

2B81000

trusted library allocation

page read and write

44A8000

trusted library allocation

page read and write

2D4E000

trusted library allocation

page read and write

2E14000

trusted library allocation

page read and write

2DDE000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

3320000

trusted library allocation

page read and write

3250000

heap

page execute and read and write

4FDE000

trusted library allocation

page read and write

5B10000

heap

page read and write

30F0000

trusted library allocation

page read and write

2CC6000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

797E000

stack

page read and write

12C0000

heap

page read and write

2CCB000

trusted library allocation

page read and write

BACE000

stack

page read and write

DF2000

trusted library allocation

page read and write

11A0000

heap

page read and write

1330000

heap

page read and write

3220000

heap

page read and write

105E000

stack

page read and write

60D0000

heap

page read and write

BDCD000

stack

page read and write

7CA2000

trusted library allocation

page read and write

2D12000

trusted library allocation

page read and write

BBCE000

stack

page read and write

7B0E000

stack

page read and write

79B0000

trusted library section

page read and write

32A0000

trusted library allocation

page read and write

32D1000

trusted library allocation

page read and write

59C0000

trusted library allocation

page execute and read and write

E80000

unkown

page readonly

5140000

trusted library allocation

page execute and read and write

5090000

trusted library allocation

page read and write

570B000

trusted library allocation

page read and write

3C19000

trusted library allocation

page read and write

DF5000

trusted library allocation

page execute and read and write

6134000

heap

page read and write

2C32000

trusted library allocation

page read and write

3BE8000

trusted library allocation

page read and write

7BED000

stack

page read and write

2C44000

trusted library allocation

page read and write

2DDA000

trusted library allocation

page read and write

5A10000

heap

page read and write

1633000

trusted library allocation

page execute and read and write

3BA9000

trusted library allocation

page read and write

3100000

trusted library allocation

page read and write

5C30000

trusted library allocation

page read and write

5ED0000

heap

page read and write

DC3000

trusted library allocation

page execute and read and write

D5E000

stack

page read and write

3310000

trusted library allocation

page read and write

7980000

trusted library section

page read and write

11C0000

trusted library allocation

page execute and read and write

644E000

stack

page read and write

65F0000

trusted library allocation

page execute and read and write

14A8000

heap

page read and write

311B000

trusted library allocation

page execute and read and write

2CCF000

trusted library allocation

page read and write

2C5F000

trusted library allocation

page read and write

1380000

heap

page read and write

1630000

trusted library allocation

page read and write

4441000

trusted library allocation

page read and write

1460000

heap

page read and write

148E000

heap

page read and write

32DD000

trusted library allocation

page read and write

1385000

heap

page read and write

329C000

stack

page read and write

32D6000

trusted library allocation

page read and write

2C74000

trusted library allocation

page read and write

15FE000

stack

page read and write

5C20000

trusted library allocation

page execute and read and write

628E000

stack

page read and write

11E0000

trusted library allocation

page read and write

155B000

heap

page read and write

5B7B000

stack

page read and write

5ED5000

heap

page read and write

553D000

stack

page read and write

2D31000

trusted library allocation

page read and write

56FE000

stack

page read and write

4FC0000

trusted library allocation

page read and write

163D000

trusted library allocation

page execute and read and write

4C7E000

stack

page read and write

4FF2000

trusted library allocation

page read and write

5163000

heap

page read and write

2DFD000

trusted library allocation

page read and write

2C2A000

trusted library allocation

page read and write

3315000

trusted library allocation

page read and write

5A00000

trusted library allocation

page read and write

2B6E000

stack

page read and write

14C7000

heap

page read and write

58F0000

trusted library allocation

page read and write

3C03000

trusted library allocation

page read and write

D85000

heap

page read and write

A89000

stack

page read and write

DE6000

trusted library allocation

page execute and read and write

2CE8000

trusted library allocation

page read and write

2CF6000

trusted library allocation

page read and write

15BE000

stack

page read and write

D60000

heap

page read and write

3117000

trusted library allocation

page execute and read and write

32BB000

trusted library allocation

page read and write

34B8000

trusted library allocation

page read and write

655B000

trusted library allocation

page read and write

B87000

stack

page read and write

515E000

trusted library allocation

page read and write

6630000

trusted library allocation

page execute and read and write

32CE000

trusted library allocation

page read and write

E96000

heap

page read and write

DDD000

trusted library allocation

page execute and read and write

3106000

trusted library allocation

page execute and read and write

5EBE000

stack

page read and write

77C4000

heap

page read and write

DD0000

trusted library allocation

page read and write

2E72000

trusted library allocation

page read and write

5A13000

heap

page read and write

5C00000

trusted library allocation

page read and write

5710000

trusted library allocation

page execute and read and write

6620000

heap

page read and write

156A000

heap

page read and write

3300000

trusted library allocation

page read and write

2C7E000

trusted library allocation

page read and write

4FED000

trusted library allocation

page read and write

59F0000

heap

page read and write

E60000

heap

page read and write

4449000

trusted library allocation

page read and write

343E000

stack

page read and write

4FE1000

trusted library allocation

page read and write

5150000

trusted library allocation

page read and write

1565000

heap

page read and write

2CDB000

trusted library allocation

page read and write

5E0E000

stack

page read and write

4FC6000

trusted library allocation

page read and write

7B4E000

stack

page read and write

4469000

trusted library allocation

page read and write

E68000

heap

page read and write

5C60000

heap

page read and write

2DC2000

trusted library allocation

page read and write

6570000

trusted library allocation

page execute and read and write

7C2D000

stack

page read and write

2CBE000

trusted library allocation

page read and write

30FD000

trusted library allocation

page execute and read and write

2CD7000

trusted library allocation

page read and write

2DD5000

trusted library allocation

page read and write

1620000

trusted library allocation

page read and write

F11000

heap

page read and write

D80000

heap

page read and write

6560000

trusted library allocation

page read and write

65B5000

heap

page read and write

11F0000

heap

page read and write

11E4000

trusted library allocation

page read and write

3441000

trusted library allocation

page read and write

6580000

trusted library allocation

page read and write

506D000

stack

page read and write

F47000

heap

page read and write

BFCF000

stack

page read and write

612B000

heap

page read and write

3B81000

trusted library allocation

page read and write

7C6E000

stack

page read and write

1558000

heap

page read and write

59E0000

trusted library section

page readonly

DFB000

trusted library allocation

page execute and read and write

DF7000

trusted library allocation

page execute and read and write

32B0000

trusted library allocation

page read and write

3188000

trusted library allocation

page read and write

BDD0000

heap

page read and write

6128000

heap

page read and write

DC0000

trusted library allocation

page read and write

58E0000

trusted library allocation

page execute and read and write

2D2E000

trusted library allocation

page read and write

6640000

heap

page read and write

1480000

heap

page read and write

654F000

stack

page read and write

2D40000

trusted library allocation

page read and write

E82000

unkown

page readonly

53F0000

heap

page execute and read and write

E5E000

stack

page read and write

4FCB000

trusted library allocation

page read and write

2DB7000

trusted library allocation

page read and write

6590000

trusted library allocation

page read and write

2E07000

trusted library allocation

page read and write

2CD3000

trusted library allocation

page read and write

4FCE000

trusted library allocation

page read and write

638F000

stack

page read and write

2C86000

trusted library allocation

page read and write

174F000

stack

page read and write

DE0000

trusted library allocation

page read and write

194F000

stack

page read and write

1467000

heap

page read and write

2E0E000

trusted library allocation

page read and write

77A0000

heap

page read and write

115E000

stack

page read and write

5C10000

trusted library allocation

page read and write

624E000

stack

page read and write

6550000

trusted library allocation

page read and write

151F000

heap

page read and write

2E01000

trusted library allocation

page read and write

119E000

stack

page read and write

640E000

stack

page read and write

137E000

stack

page read and write

4FDA000

trusted library allocation

page read and write

60CE000

stack

page read and write

5EC0000

trusted library allocation

page read and write

7A40000

trusted library allocation

page execute and read and write

58FD000

trusted library allocation

page read and write

DE2000

trusted library allocation

page read and write

DCD000

trusted library allocation

page execute and read and write

317E000

stack

page read and write

2CBA000

trusted library allocation

page read and write

2C82000

trusted library allocation

page read and write

14C4000

heap

page read and write

2B70000

heap

page execute and read and write

5708000

trusted library allocation

page read and write

79A0000

trusted library allocation

page read and write

FBA000

stack

page read and write

C0CE000

stack

page read and write

11D0000

trusted library allocation

page read and write

3240000

trusted library allocation

page execute and read and write

DEA000

trusted library allocation

page execute and read and write

5FC0000

trusted library allocation

page execute and read and write

58D0000

heap

page read and write

BCCE000

stack

page read and write

3130000

trusted library allocation

page read and write

2DBC000

trusted library allocation

page read and write

3110000

trusted library allocation

page read and write

93DF000

stack

page read and write

32F0000

trusted library allocation

page read and write

4FE6000

trusted library allocation

page read and write

3330000

heap

page read and write

184E000

stack

page read and write

620D000

stack

page read and write

2DCB000

trusted library allocation

page read and write

3C0D000

trusted library allocation

page read and write

12A0000

trusted library allocation

page read and write

3112000

trusted library allocation

page read and write

310A000

trusted library allocation

page execute and read and write

1634000

trusted library allocation

page read and write

5B20000

trusted library allocation

page read and write

6580000

heap

page read and write

5C40000

trusted library allocation

page read and write

7A8E000

stack

page read and write

2C47000

trusted library allocation

page read and write

DC4000

trusted library allocation

page read and write

5160000

heap

page read and write

3529000

trusted library allocation

page read and write

D10000

heap

page read and write

E8A000

heap

page read and write

5706000

trusted library allocation

page read and write

5700000

trusted library allocation

page read and write

1640000

heap

page read and write

5890000

trusted library allocation

page read and write

5170000

heap

page read and write

2C8A000

trusted library allocation

page read and write

6590000

heap

page read and write

2C3B000

trusted library allocation

page read and write

7ACE000

stack

page read and write

2D04000

trusted library allocation

page read and write

63CE000

stack

page read and write

5000000

trusted library allocation

page read and write

5900000

trusted library allocation

page read and write

D0E000

stack

page read and write

5B30000

heap

page execute and read and write

14B5000

heap

page read and write

2CC2000

trusted library allocation

page read and write

54FE000

stack

page read and write

3102000

trusted library allocation

page read and write

58F2000

trusted library allocation

page read and write

12F7000

stack

page read and write

BF0000

heap

page read and write

7680000

heap

page read and write

1320000

heap

page read and write

DB0000

trusted library allocation

page read and write

There are 263 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Our New Order.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportOur New Order.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Our New Order.exe