Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

order and drawings_pdf.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.970462540382765
Filename:	order and drawings_pdf.exe
Filesize:	1075200
MD5:	4726039e5f4d03f6f3f9cc0cd8d423a1
SHA1:	3dc80b737f67481eb0385b2a25058309c7a63989
SHA256:	9970fc1f94630a822d109fd53bcb3fe1ed51bd5359007e3e4f570c0f85f3a040
SHA512:	69487f9904d791cfe64cfeb6f7707032a843858eae747fcec5b3ca88286ce2de43e8324a9c85482c1d9353f7509ef749e7dc68775335f940e2178d8094218dd5
SSDEEP:	24576:6tb20pkaCqT5TBWgNQ7a7Na6KD3176FE6A:nVg5tQ7a7NatDZ6C5
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Binary is likely a compiled AutoIt script file	System Summary
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Exfiltration Over Alternative Protocol
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Native API Access Token Manipulation
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Process Discovery
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Process Discovery
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found evaded block containing many API calls	Malware Analysis System Evasion	Process Discovery
Found evasive API chain (date check)	Malware Analysis System Evasion
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	System Shutdown/Reboot
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Sample file is different than original file name gathered from version info	System Summary	System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
Contains functionality for error logging	System Summary
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
PE file has an executable .text section and no other executable section	System Summary
Program exit points	Malware Analysis System Evasion
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\aut620D.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\aut620D.tmp
Category:	dropped
Dump:	aut620D.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\order and drawings_pdf.exe
Type:	data
Entropy:	7.7509512082493
Encrypted:	false
Ssdeep:	3072:zkJ8WyZF4iMaM2hBgstc9S4VMLPk25IPByB8l:AkZF4FStcHKPk254yBO
Size:	142822
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\gobioid

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\gobioid
Category:	dropped
Dump:	gobioid.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\order and drawings_pdf.exe
Type:	data
Entropy:	6.547601133334871
Encrypted:	false
Ssdeep:	6144:XfVfnz3jhvnRkIZ5AE/V36YYI/wEJdYQ7ZTL8SJ:XNfz35nRUE/V5JV/N
Size:	239104
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\order and drawings_pdf.exe

"C:\Users\user\Desktop\order and drawings_pdf.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7292
Target ID:	0
Parent PID:	1028
Name:	order and drawings_pdf.exe
Path:	C:\Users\user\Desktop\order and drawings_pdf.exe
Commandline:	"C:\Users\user\Desktop\order and drawings_pdf.exe"
Size:	1075200
MD5:	4726039E5F4D03F6F3F9CC0CD8D423A1
Time:	04:15:01
Date:	20/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x620000
Modulesize:	1101824
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Binary is likely a compiled AutoIt script file	System Summary
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\order and drawings_pdf.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7360
Target ID:	2
Parent PID:	7292
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\order and drawings_pdf.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	04:15:02
Date:	20/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1f0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://api.ipify.org/

104.26.12.205

Details

Name:	https://api.ipify.org/
IP:	104.26.12.205
TargetID:	2
From Memory:	false
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://api.ipify.org

unknown

Details

Name:	https://api.ipify.org
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\order and drawings_pdf.exe
Source:	order and drawings_pdf.exe, 00000000.00000002.2085096156.0000000003670000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4520282599.00000000005C2000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4522755984.00000000024B1000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\order and drawings_pdf.exe
Source:	order and drawings_pdf.exe, 00000000.00000002.2085096156.0000000003670000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4520282599.00000000005C2000.00000040.80000000.00040000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.ipify.org/t

unknown

Details

Name:	https://api.ipify.org/t
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.4522755984.00000000024B1000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.4522755984.00000000024B1000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://ftp.gizemetiket.com.tr

unknown

Details

Name:	http://ftp.gizemetiket.com.tr
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.4522755984.00000000026C8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4522755984.000000000257C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4522755984.000000000252C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4522755984.000000000280C000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

api.ipify.org

104.26.12.205

Details

Name:	api.ipify.org
IP:	104.26.12.205
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

ftp.gizemetiket.com.tr

93.89.225.40

Details

Name:	ftp.gizemetiket.com.tr
IP:	93.89.225.40
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses FTP	Networking	Application Layer Protocol Exfiltration Over Alternative Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

104.26.12.205

api.ipify.org

United States

Details

IP:	104.26.12.205
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

93.89.225.40

ftp.gizemetiket.com.tr

Turkey

Details

IP:	93.89.225.40
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	Turkey
Countrycode:	TUR
ASN number:	51557
ASN name:	TR-FBSTR
Private:	false
Domain:	ftp.gizemetiket.com.tr

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses FTP	Networking	Application Layer Protocol Exfiltration Over Alternative Protocol

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

3670000

direct allocation

page read and write

2501000

trusted library allocation

page read and write

5C2000

system

page execute and read and write

252C000

trusted library allocation

page read and write

628000

heap

page read and write

2532000

trusted library allocation

page read and write

5E40000

trusted library allocation

page read and write

C60000

heap

page read and write

960000

heap

page read and write

EC08000

trusted library allocation

page read and write

C6A000

heap

page read and write

EC30000

trusted library allocation

page read and write

5DED000

trusted library allocation

page read and write

B2C000

stack

page read and write

654000

heap

page read and write

37D3000

direct allocation

page read and write

D32000

heap

page read and write

8ED000

trusted library allocation

page execute and read and write

AEC000

stack

page read and write

4AC0000

heap

page read and write

EBF4000

trusted library allocation

page read and write

3890000

direct allocation

page read and write

D50000

heap

page read and write

27A0000

trusted library allocation

page read and write

76F0000

heap

page read and write

64A000

heap

page read and write

4A0E000

trusted library allocation

page read and write

7F710000

trusted library allocation

page execute and read and write

D80000

heap

page read and write

371C000

trusted library allocation

page read and write

4C69000

trusted library allocation

page read and write

620000

unkown

page readonly

AFE000

stack

page read and write

39BD000

direct allocation

page read and write

3850000

direct allocation

page read and write

940000

trusted library allocation

page read and write

5B7E000

stack

page read and write

D1CE000

trusted library allocation

page read and write

EBFE000

trusted library allocation

page read and write

90B000

trusted library allocation

page execute and read and write

4E7E000

stack

page read and write

EC0D000

trusted library allocation

page read and write

E54000

heap

page read and write

367C000

trusted library allocation

page read and write

EBEF000

trusted library allocation

page read and write

6310000

trusted library allocation

page execute and read and write

369C000

trusted library allocation

page read and write

588000

stack

page read and write

6CE000

unkown

page readonly

8E0000

trusted library allocation

page read and write

8FA000

trusted library allocation

page execute and read and write

49F0000

trusted library allocation

page read and write

D1C9000

trusted library allocation

page read and write

6780000

trusted library allocation

page read and write

6350000

heap

page read and write

4AD0000

heap

page read and write

AEF0000

trusted library allocation

page read and write

621000

unkown

page execute read

6AA000

heap

page read and write

39B9000

direct allocation

page read and write

34B1000

trusted library allocation

page read and write

26C8000

trusted library allocation

page read and write

4A02000

trusted library allocation

page read and write

397D000

direct allocation

page read and write

351C000

trusted library allocation

page read and write

24E6000

trusted library allocation

page read and write

2542000

trusted library allocation

page read and write

25C4000

trusted library allocation

page read and write

613E000

stack

page read and write

359C000

trusted library allocation

page read and write

49EE000

stack

page read and write

36B0000

direct allocation

page read and write

4A30000

trusted library allocation

page read and write

5DE0000

trusted library allocation

page read and write

A6E000

stack

page read and write

4F7E000

stack

page read and write

4C70000

heap

page execute and read and write

8D3000

trusted library allocation

page execute and read and write

676D000

stack

page read and write

36B0000

direct allocation

page read and write

4AE0000

heap

page read and write

36F0000

direct allocation

page read and write

EC3F000

trusted library allocation

page read and write

9FCE000

trusted library allocation

page read and write

8D4000

trusted library allocation

page read and write

CAD000

heap

page read and write

702000

heap

page read and write

365C000

trusted library allocation

page read and write

B3E000

stack

page read and write

14DE000

stack

page read and write

67F0000

trusted library allocation

page read and write

967000

heap

page read and write

3850000

direct allocation

page read and write

EBEB000

trusted library allocation

page read and write

EC17000

trusted library allocation

page read and write

AEC000

stack

page read and write

503D000

stack

page read and write

3979000

direct allocation

page read and write

3813000

direct allocation

page read and write

D4F000

heap

page read and write

4C5C000

stack

page read and write

5E60000

trusted library allocation

page execute and read and write

905000

trusted library allocation

page execute and read and write

EC03000

trusted library allocation

page read and write

3194000

heap

page read and write

657000

heap

page read and write

397D000

direct allocation

page read and write

AAE000

stack

page read and write

6AD000

unkown

page readonly

2526000

trusted library allocation

page read and write

6DF000

unkown

page write copy

EC35000

trusted library allocation

page read and write

6AD000

unkown

page readonly

589E000

heap

page read and write

86F0000

trusted library allocation

page read and write

620000

heap

page read and write

35DC000

trusted library allocation

page read and write

39B9000

direct allocation

page read and write

8F6000

trusted library allocation

page execute and read and write

4A8C000

stack

page read and write

49FE000

trusted library allocation

page read and write

3813000

direct allocation

page read and write

4C1C000

stack

page read and write

6770000

trusted library allocation

page read and write

4A11000

trusted library allocation

page read and write

355C000

trusted library allocation

page read and write

6330000

trusted library allocation

page read and write

3890000

direct allocation

page read and write

4C60000

trusted library allocation

page read and write

36B0000

direct allocation

page read and write

D1C6000

trusted library allocation

page read and write

930000

trusted library allocation

page execute and read and write

8F0000

trusted library allocation

page read and write

E47000

heap

page read and write

373C000

trusted library allocation

page read and write

C6E000

heap

page read and write

69C000

heap

page read and write

EB2000

heap

page read and write

EC21000

trusted library allocation

page read and write

CA8000

heap

page execute and read and write

B0B000

stack

page read and write

39BD000

direct allocation

page read and write

62F0000

heap

page read and write

58BC000

heap

page read and write

37D3000

direct allocation

page read and write

39EE000

direct allocation

page read and write

5640000

heap

page read and write

5EFE000

stack

page read and write

B40000

trusted library allocation

page read and write

6B8000

heap

page read and write

67E0000

heap

page read and write

620000

unkown

page readonly

7A0000

heap

page read and write

2696000

trusted library allocation

page read and write

5E50000

trusted library allocation

page read and write

3850000

direct allocation

page read and write

907000

trusted library allocation

page execute and read and write

CAD000

heap

page read and write

CED000

heap

page read and write

357C000

trusted library allocation

page read and write

252A000

trusted library allocation

page read and write

253A000

trusted library allocation

page read and write

48A000

stack

page read and write

730000

heap

page read and write

5E46000

trusted library allocation

page read and write

9FC6000

trusted library allocation

page read and write

3890000

direct allocation

page read and write

EC1C000

trusted library allocation

page read and write

58D8000

heap

page read and write

3A2E000

direct allocation

page read and write

39EE000

direct allocation

page read and write

4AD4000

heap

page read and write

EC3A000

trusted library allocation

page read and write

363C000

trusted library allocation

page read and write

62E0000

trusted library allocation

page read and write

4F90000

heap

page read and write

950000

trusted library allocation

page read and write

109E000

stack

page read and write

4A16000

trusted library allocation

page read and write

920000

trusted library allocation

page read and write

CA9000

heap

page read and write

36BC000

trusted library allocation

page read and write

8C0000

trusted library allocation

page read and write

7D5000

heap

page read and write

B50000

heap

page read and write

D61000

heap

page read and write

C9E000

heap

page read and write

39BD000

direct allocation

page read and write

B60000

heap

page read and write

3850000

direct allocation

page read and write

353C000

trusted library allocation

page read and write

257C000

trusted library allocation

page read and write

2528000

trusted library allocation

page read and write

CA9000

heap

page read and write

36F0000

direct allocation

page read and write

58C5000

heap

page read and write

6E4000

unkown

page readonly

3979000

direct allocation

page read and write

4FFC000

stack

page read and write

5F50000

trusted library allocation

page execute and read and write

5DF7000

trusted library allocation

page read and write

CF3000

heap

page read and write

149F000

stack

page read and write

EBF9000

trusted library allocation

page read and write

49FB000

trusted library allocation

page read and write

3DA000

stack

page read and write

36DC000

trusted library allocation

page read and write

2544000

trusted library allocation

page read and write

CB0000

heap

page read and write

24A0000

heap

page read and write

34D9000

trusted library allocation

page read and write

36B0000

direct allocation

page read and write

35FC000

trusted library allocation

page read and write

EC2B000

trusted library allocation

page read and write

7700000

heap

page read and write

8F2000

trusted library allocation

page read and write

6DA000

unkown

page read and write

39EE000

direct allocation

page read and write

B70000

heap

page read and write

58BA000

heap

page read and write

77C000

stack

page read and write

36FC000

trusted library allocation

page read and write

3A2E000

direct allocation

page read and write

C9F000

heap

page read and write

662D000

stack

page read and write

39EE000

direct allocation

page read and write

5DF0000

trusted library allocation

page read and write

EC26000

trusted library allocation

page read and write

5C7E000

stack

page read and write

35DD000

heap

page read and write

2408000

trusted library allocation

page read and write

4A1D000

trusted library allocation

page read and write

27C5000

trusted library allocation

page read and write

617E000

stack

page read and write

257A000

trusted library allocation

page read and write

24EF000

trusted library allocation

page read and write

CD4000

heap

page read and write

5E3D000

stack

page read and write

B56000

heap

page read and write

2546000

trusted library allocation

page read and write

6E4000

unkown

page readonly

4D7C000

stack

page read and write

E54000

heap

page read and write

397D000

direct allocation

page read and write

621000

unkown

page execute read

AF0000

heap

page execute and read and write

3979000

direct allocation

page read and write

5F40000

trusted library allocation

page read and write

6300000

heap

page read and write

26EF000

trusted library allocation

page read and write

D12000

heap

page read and write

397D000

direct allocation

page read and write

8D0000

trusted library allocation

page read and write

5840000

heap

page read and write

3160000

heap

page read and write

6CE000

unkown

page readonly

1900000

heap

page read and write

36F0000

direct allocation

page read and write

37D3000

direct allocation

page read and write

24FD000

trusted library allocation

page read and write

35BC000

trusted library allocation

page read and write

24B1000

trusted library allocation

page read and write

D4F000

heap

page read and write

B50000

heap

page read and write

5CDE000

stack

page read and write

3A2E000

direct allocation

page read and write

CAD000

heap

page read and write

18DE000

stack

page read and write

CA9000

heap

page read and write

280C000

trusted library allocation

page read and write

CA9000

heap

page read and write

652C000

stack

page read and write

CB9000

heap

page read and write

3979000

direct allocation

page read and write

780000

heap

page read and write

6F6000

heap

page read and write

45AE000

stack

page read and write

666B000

stack

page read and write

28A5000

trusted library allocation

page read and write

5C0000

system

page execute and read and write

4A22000

trusted library allocation

page read and write

3813000

direct allocation

page read and write

39B9000

direct allocation

page read and write

67E9000

heap

page read and write

28CA000

trusted library allocation

page read and write

564A000

heap

page read and write

9FC9000

trusted library allocation

page read and write

6DA000

unkown

page write copy

23FE000

stack

page read and write

5DDE000

stack

page read and write

27D5000

trusted library allocation

page read and write

902000

trusted library allocation

page read and write

690000

heap

page read and write

3190000

heap

page read and write

8DD000

trusted library allocation

page execute and read and write

361C000

trusted library allocation

page read and write

2769000

trusted library allocation

page read and write

EC12000

trusted library allocation

page read and write

37D3000

direct allocation

page read and write

7D0000

heap

page read and write

583C000

stack

page read and write

67E7000

heap

page read and write

507E000

stack

page read and write

There are 293 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
order and drawings_pdf.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportorder and drawings_pdf.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
order and drawings_pdf.exe