Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

ORDER SPECIFICATION.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.275411324523825
Filename:	ORDER SPECIFICATION.exe
Filesize:	1036288
MD5:	34070a881f75f12cd4e5bfcb3bdf48c6
SHA1:	68d694a74aa970c84bf48ca15c979b408970843a
SHA256:	562b14cbead15ecad71e6e25e6c00656e47c3cf6e7d12eec64bfb4b9a6aaca05
SHA512:	c2bcac60beacd3f58e90bf1b04ad5b9dd4397c4e38efa191c1c74ace3bbeaf2ca0c35c17d5f29b21e414061fc27177084c220b5d2fd951f7c1ba0131ac86ffca
SSDEEP:	24576:N6gObWRvPAbx/N35bTeguR2EHPF9kPps:BObIAt/nbTeguRdnd
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............R.... ........@.. .......................@............@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
.NET source code contains very large strings	System Summary	System Network Configuration Discovery
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER SPECIFICATION.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER SPECIFICATION.exe.log
Category:	dropped
Dump:	ORDER SPECIFICATION.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\ORDER SPECIFICATION.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\ORDER SPECIFICATION.exe

"C:\Users\user\Desktop\ORDER SPECIFICATION.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2576
Target ID:	0
Parent PID:	1028
Name:	ORDER SPECIFICATION.exe
Path:	C:\Users\user\Desktop\ORDER SPECIFICATION.exe
Commandline:	"C:\Users\user\Desktop\ORDER SPECIFICATION.exe"
Size:	1036288
MD5:	34070A881F75F12CD4E5BFCB3BDF48C6
Time:	11:31:53
Date:	18/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x40000
Modulesize:	1064960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\ORDER SPECIFICATION.exe

"C:\Users\user\Desktop\ORDER SPECIFICATION.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6128
Target ID:	2
Parent PID:	2576
Name:	ORDER SPECIFICATION.exe
Path:	C:\Users\user\Desktop\ORDER SPECIFICATION.exe
Commandline:	"C:\Users\user\Desktop\ORDER SPECIFICATION.exe"
Size:	1036288
MD5:	34070A881F75F12CD4E5BFCB3BDF48C6
Time:	11:31:56
Date:	18/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x140000
Modulesize:	1064960
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\ORDER SPECIFICATION.exe

"C:\Users\user\Desktop\ORDER SPECIFICATION.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6664
Target ID:	3
Parent PID:	2576
Name:	ORDER SPECIFICATION.exe
Path:	C:\Users\user\Desktop\ORDER SPECIFICATION.exe
Commandline:	"C:\Users\user\Desktop\ORDER SPECIFICATION.exe"
Size:	1036288
MD5:	34070A881F75F12CD4E5BFCB3BDF48C6
Time:	11:31:56
Date:	18/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xcd0000
Modulesize:	1064960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://api.ipify.org/

104.26.12.205

http://r3.o.lencr.org0

unknown

https://api.ipify.org

unknown

http://mail.techwiser.in

unknown

https://account.dyn.com/

unknown

https://api.ipify.org/t

unknown

http://tempuri.org/DataSet1.xsd)Microsoft

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://x1.c.lencr.org/0

unknown

http://x1.i.lencr.org/0

unknown

http://r3.i.lencr.org/0

unknown

There are 1 hidden URLs, click here to show them.

Domains

Name

Malicious

mail.techwiser.in

162.241.123.30

Details

Name:	mail.techwiser.in
IP:	162.241.123.30
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

104.26.12.205

Details

Name:	api.ipify.org
IP:	104.26.12.205
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

162.241.123.30

mail.techwiser.in

United States

Details

IP:	162.241.123.30
TargetID:	3
Current Path:	C:\Users\user\Desktop\ORDER SPECIFICATION.exe
Country:	United States
Countrycode:	USA
ASN number:	46606
ASN name:	UNIFIEDLAYER-AS-1US
Private:	false
Domain:	mail.techwiser.in

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Sigma detected: Suspicious Outbound SMTP Connections	System Summary
Uses SMTP (mail sending)	Networking	Application Layer Protocol

104.26.12.205

api.ipify.org

United States

Details

IP:	104.26.12.205
TargetID:	3
Current Path:	C:\Users\user\Desktop\ORDER SPECIFICATION.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ORDER SPECIFICATION_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ORDER SPECIFICATION_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ORDER SPECIFICATION_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ORDER SPECIFICATION_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ORDER SPECIFICATION_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ORDER SPECIFICATION_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ORDER SPECIFICATION_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ORDER SPECIFICATION_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ORDER SPECIFICATION_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ORDER SPECIFICATION_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ORDER SPECIFICATION_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ORDER SPECIFICATION_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ORDER SPECIFICATION_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ORDER SPECIFICATION_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

3169000

trusted library allocation

page read and write

3141000

trusted library allocation

page read and write

432E000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

6C00000

trusted library allocation

page read and write

16A0000

trusted library allocation

page read and write

5A0E000

stack

page read and write

5610000

heap

page read and write

49C0000

trusted library allocation

page execute and read and write

5683000

heap

page read and write

138C000

heap

page read and write

16B0000

trusted library allocation

page read and write

5691000

heap

page read and write

45AC000

stack

page read and write

7A0000

heap

page read and write

69CF000

heap

page read and write

574F000

stack

page read and write

6A59000

heap

page read and write

400000

remote allocation

page execute and read and write

77E000

stack

page read and write

4922000

trusted library allocation

page read and write

49A0000

heap

page read and write

4940000

trusted library allocation

page read and write

A47000

trusted library allocation

page execute and read and write

16D7000

trusted library allocation

page execute and read and write

813000

trusted library allocation

page execute and read and write

83BD000

stack

page read and write

2470000

trusted library allocation

page read and write

A4B000

trusted library allocation

page execute and read and write

16D0000

trusted library allocation

page read and write

40000

unkown

page readonly

B00000

trusted library allocation

page execute and read and write

8070000

heap

page read and write

16C0000

trusted library allocation

page read and write

2F6B000

trusted library allocation

page read and write

5750000

heap

page read and write

59CC000

stack

page read and write

4960000

trusted library allocation

page read and write

1331000

heap

page read and write

72B0000

heap

page read and write

1260000

heap

page read and write

7EE000

stack

page read and write

6D67000

trusted library allocation

page read and write

4930000

trusted library allocation

page read and write

6C70000

trusted library allocation

page read and write

554E000

stack

page read and write

BB0000

heap

page read and write

564E000

stack

page read and write

16D2000

trusted library allocation

page read and write

5640000

heap

page execute and read and write

5C0E000

stack

page read and write

70E0000

trusted library allocation

page read and write

491D000

trusted library allocation

page read and write

594E000

stack

page read and write

69F5000

heap

page read and write

937000

heap

page read and write

16BD000

trusted library allocation

page execute and read and write

16DB000

trusted library allocation

page execute and read and write

4C60000

heap

page execute and read and write

2FA0000

heap

page execute and read and write

4B80000

trusted library allocation

page read and write

840000

heap

page read and write

540000

heap

page read and write

2490000

heap

page read and write

830000

trusted library allocation

page read and write

48F4000

trusted library allocation

page read and write

662E000

stack

page read and write

820000

trusted library allocation

page read and write

2FB4000

trusted library allocation

page read and write

59FE000

stack

page read and write

6C60000

trusted library allocation

page execute and read and write

560C000

stack

page read and write

6A7E000

heap

page read and write

34B1000

trusted library allocation

page read and write

48FB000

trusted library allocation

page read and write

49BB000

trusted library allocation

page read and write

4C0E000

stack

page read and write

2F6E000

trusted library allocation

page read and write

823000

trusted library allocation

page read and write

1220000

heap

page read and write

6BF8000

trusted library allocation

page read and write

8DD000

heap

page read and write

2FE0000

heap

page read and write

5B4E000

stack

page read and write

672E000

stack

page read and write

B10000

trusted library allocation

page read and write

A60000

trusted library allocation

page read and write

313D000

trusted library allocation

page read and write

620000

heap

page read and write

5670000

heap

page read and write

2F86000

trusted library allocation

page read and write

4C4E000

stack

page read and write

12C8000

heap

page read and write

AF0000

heap

page execute and read and write

12EA000

heap

page read and write

4CF0000

trusted library section

page read and write

2480000

trusted library allocation

page read and write

6C80000

trusted library allocation

page execute and read and write

528E000

stack

page read and write

817D000

stack

page read and write

4CD1000

trusted library allocation

page read and write

48F0000

trusted library allocation

page read and write

6D1F000

stack

page read and write

901000

heap

page read and write

6BEE000

stack

page read and write

30F1000

trusted library allocation

page read and write

6D60000

trusted library allocation

page read and write

24E6000

trusted library allocation

page read and write

800000

trusted library allocation

page read and write

4158000

trusted library allocation

page read and write

16A4000

trusted library allocation

page read and write

7FD90000

trusted library allocation

page execute and read and write

4CE0000

trusted library allocation

page execute and read and write

2F1E000

stack

page read and write

68AE000

stack

page read and write

1363000

heap

page read and write

4911000

trusted library allocation

page read and write

7110000

heap

page read and write

1D9000

stack

page read and write

106A000

stack

page read and write

4BC0000

heap

page read and write

63EF000

stack

page read and write

40F1000

trusted library allocation

page read and write

134E000

heap

page read and write

4E70000

trusted library allocation

page read and write

312F000

trusted library allocation

page read and write

4B90000

trusted library allocation

page read and write

4119000

trusted library allocation

page read and write

4F7000

stack

page read and write

AAE000

stack

page read and write

24B1000

trusted library allocation

page read and write

490E000

trusted library allocation

page read and write

2F7E000

trusted library allocation

page read and write

5B0E000

stack

page read and write

1310000

heap

page read and write

814000

trusted library allocation

page read and write

BA0000

trusted library allocation

page execute and read and write

16AD000

trusted library allocation

page execute and read and write

12C0000

heap

page read and write

6BF0000

trusted library allocation

page read and write

16C2000

trusted library allocation

page read and write

4935000

trusted library allocation

page read and write

686E000

stack

page read and write

A42000

trusted library allocation

page read and write

1737000

heap

page read and write

1250000

heap

page read and write

6C10000

trusted library allocation

page read and write

317E000

trusted library allocation

page read and write

87F000

heap

page read and write

7C63000

trusted library allocation

page read and write

16C6000

trusted library allocation

page execute and read and write

135C000

heap

page read and write

42000

unkown

page readonly

248F000

trusted library allocation

page read and write

2F7A000

trusted library allocation

page read and write

6C0D000

trusted library allocation

page read and write

2F8D000

trusted library allocation

page read and write

5680000

heap

page read and write

245F000

stack

page read and write

1730000

heap

page read and write

3519000

trusted library allocation

page read and write

867000

heap

page read and write

25CC000

trusted library allocation

page read and write

3F15000

trusted library allocation

page read and write

69AD000

stack

page read and write

49B0000

trusted library allocation

page read and write

7FFE000

stack

page read and write

4B60000

trusted library allocation

page read and write

B20000

trusted library allocation

page read and write

1720000

trusted library allocation

page read and write

4CAE000

stack

page read and write

4E6E000

stack

page read and write

11D0000

heap

page read and write

1169000

stack

page read and write

2493000

heap

page read and write

670000

heap

page read and write

4CC0000

trusted library section

page read and write

2F81000

trusted library allocation

page read and write

A3E000

stack

page read and write

AEB000

stack

page read and write

676E000

stack

page read and write

810000

trusted library allocation

page read and write

8D6000

heap

page read and write

12F4000

heap

page read and write

16D5000

trusted library allocation

page execute and read and write

69B0000

heap

page read and write

1710000

trusted library allocation

page read and write

5AFE000

stack

page read and write

6C17000

trusted library allocation

page read and write

6A73000

heap

page read and write

16F0000

trusted library allocation

page read and write

66E000

stack

page read and write

2F5C000

stack

page read and write

140000

unkown

page readonly

2F72000

trusted library allocation

page read and write

24A0000

heap

page read and write

6C5E000

stack

page read and write

2580000

trusted library allocation

page read and write

2460000

trusted library allocation

page read and write

83D0000

trusted library section

page read and write

6A4D000

heap

page read and write

6AEE000

stack

page read and write

8180000

heap

page read and write

4BA0000

trusted library allocation

page execute and read and write

7120000

trusted library allocation

page execute and read and write

836000

trusted library allocation

page execute and read and write

3E2A000

trusted library allocation

page read and write

6D70000

trusted library allocation

page read and write

85F000

heap

page read and write

1690000

trusted library allocation

page read and write

84A000

heap

page read and write

82D000

trusted library allocation

page execute and read and write

16A3000

trusted library allocation

page execute and read and write

2708000

trusted library allocation

page read and write

12F6000

heap

page read and write

2705000

trusted library allocation

page read and write

5B8E000

stack

page read and write

34B9000

trusted library allocation

page read and write

83A000

trusted library allocation

page execute and read and write

16CA000

trusted library allocation

page execute and read and write

7EFB000

stack

page read and write

4916000

trusted library allocation

page read and write

50F8000

trusted library allocation

page read and write

62EE000

stack

page read and write

2F60000

trusted library allocation

page read and write

30EE000

stack

page read and write

2FB0000

trusted library allocation

page read and write

12DE000

heap

page read and write

6A41000

heap

page read and write

BA7E000

stack

page read and write

806D000

stack

page read and write

81D000

trusted library allocation

page execute and read and write

7F080000

trusted library allocation

page execute and read and write

65EE000

stack

page read and write

1700000

trusted library allocation

page execute and read and write

2FC0000

trusted library allocation

page read and write

837E000

stack

page read and write

3126000

trusted library allocation

page read and write

B6D000

stack

page read and write

3186000

trusted library allocation

page read and write

49B2000

trusted library allocation

page read and write

881000

heap

page read and write

874000

heap

page read and write

4CB0000

trusted library section

page read and write

84E000

heap

page read and write

There are 235 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
ORDER SPECIFICATION.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportORDER SPECIFICATION.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
ORDER SPECIFICATION.exe