Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Order 20201103.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order 20201103.exe.log

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\tmp2C02.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 2, database pages 20, cookie 0xc, schema 4, UTF-8, version-valid-for 2

dropped

C:\Users\user\AppData\Local\Temp\tmp2C03.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 2, database pages 20, cookie 0xc, schema 4, UTF-8, version-valid-for 2

dropped

C:\Users\user\AppData\Local\Temp\tmp2C23.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 5, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 5

dropped

C:\Users\user\AppData\Local\Temp\tmp2C34.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 5, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 5

dropped

C:\Users\user\AppData\Local\Temp\tmp2C54.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 5, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 5

dropped

C:\Users\user\AppData\Local\Temp\tmp2C55.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 5, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 5

dropped

C:\Users\user\AppData\Local\Temp\tmp2C76.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 5, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 5

dropped

C:\Users\user\AppData\Local\Temp\tmp2C77.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 5, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 5

dropped

C:\Users\user\AppData\Local\Temp\tmp6460.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 5, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 5

dropped

C:\Users\user\AppData\Local\Temp\tmp6471.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 5, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 5

dropped

C:\Users\user\AppData\Local\Temp\tmp6491.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 5, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 5

dropped

C:\Users\user\AppData\Local\Temp\tmp64A2.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 5, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 5

dropped

C:\Users\user\AppData\Local\Temp\tmp64C2.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 5, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 5

dropped

C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 5, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 5

dropped

C:\Users\user\AppData\Local\Temp\tmp9C3F.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Temp\tmp9C50.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Temp\tmp9C51.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Temp\tmp9C61.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Temp\tmp9C62.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Temp\tmp9C73.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1

dropped

C:\Users\user\AppData\Local\Temp\tmp9C74.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\Users\user\AppData\Local\Temp\tmp9C84.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\Users\user\AppData\Local\Temp\tmpA5A.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\Users\user\AppData\Local\Temp\tmpA6A.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\Users\user\AppData\Local\Temp\tmpA7B.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\Users\user\AppData\Local\Temp\tmpA8C.tmp

SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3

dropped

C:\Users\user\AppData\Local\Temp\tmpA9C.tmp

dropped

C:\Users\user\AppData\Local\Temp\tmpBA52.tmp

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\tmpBA63.tmp

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\tmpBA64.tmp

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\tmpD374.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\Users\user\AppData\Local\Temp\tmpD385.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\Users\user\AppData\Local\Temp\tmpD395.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\Users\user\AppData\Local\Temp\tmpD3A6.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\Users\user\AppData\Local\Temp\tmpD3B6.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\Users\user\AppData\Local\Temp\tmpD3C7.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\Users\user\AppData\Local\Temp\tmpD3D8.tmp

SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8

dropped

C:\Users\user\AppData\Local\Temp\tmpF338.tmp

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\tmpF339.tmp

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\tmpF33A.tmp

ASCII text, with very long lines (1024), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\tmpF36A.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 2, database pages 20, cookie 0xc, schema 4, UTF-8, version-valid-for 2

dropped

C:\Users\user\AppData\Local\Temp\tmpF37A.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 2, database pages 20, cookie 0xc, schema 4, UTF-8, version-valid-for 2

dropped

C:\Users\user\AppData\Local\Temp\tmpF39B.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 2, database pages 20, cookie 0xc, schema 4, UTF-8, version-valid-for 2

dropped

C:\Users\user\AppData\Local\Temp\tmpF39C.tmp

SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 2, database pages 20, cookie 0xc, schema 4, UTF-8, version-valid-for 2

dropped

There are 36 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Order 20201103.exe

"C:\Users\user\Desktop\Order 20201103.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6408
Target ID:	0
Parent PID:	4040
Name:	Order 20201103.exe
Path:	C:\Users\user\Desktop\Order 20201103.exe
Commandline:	"C:\Users\user\Desktop\Order 20201103.exe"
Size:	97792
MD5:	5BB99AC790AEEEA6267BB29FB67FF860
Time:	07:02:22
Date:	13/03/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x480000
Modulesize:	122880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6428
Target ID:	1
Parent PID:	6408
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	07:02:22
Date:	13/03/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff74be10000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://159.89.179.83:16383/

159.89.179.83

159.89.179.83:16383

https://ipinfo.io/ip%appdata%

unknown

https://duckduckgo.com/ac/?q=

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous

unknown

http://tempuri.org/Endpoint/CheckConnectResponse

unknown

http://schemas.datacontract.org/2004/07/

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX

unknown

http://tempuri.org/Endpoint/EnvironmentSettings

unknown

https://www.ecosia.org/newtab/v20Y&

unknown

https://api.ip.sb/geoip%USERPEnvironmentROFILE%

unknown

https://api.ip.sb/geoip

104.26.13.31

http://schemas.xmlsoap.org/soap/envelope/

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

https://ac.ecosia.org?q=

unknown

http://tempuri.org/

unknown

http://tempuri.org/Endpoint/CheckConnect

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

http://159.89.179.83:16383

unknown

http://tempuri.org/Endpoint/VerifyUpdateResponse

unknown

http://tempuri.org/Endpoint/SetEnvironment

unknown

http://tempuri.org/Endpoint/SetEnvironmentResponse

unknown

http://tempuri.org/Endpoint/GetUpdates

unknown

https://www.google.com/images/branding/product/ico/googleg_alldp.ico

unknown

https://api.ipify.orgcookies//settinString.Removeg

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

https://duckduckgo.com/chrome_newtabv20

unknown

http://tempuri.org/Endpoint/GetUpdatesResponse

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

http://tempuri.org/Endpoint/EnvironmentSettingsResponse

unknown

http://tempuri.org/Endpoint/VerifyUpdate

unknown

http://tempuri.org/0

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

https://gemini.google.com/app?q=

unknown

http://schemas.xmlsoap.org/soap/actor/next

unknown

There are 26 hidden URLs, click here to show them.

Domains

Name

Malicious

api.ip.sb.cdn.cloudflare.net

104.26.13.31

api.ip.sb

unknown

Details

Name:	api.ip.sb
TargetID:	-1
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

159.89.179.83

unknown

United States

Details

IP:	159.89.179.83
TargetID:	0
Current Path:	C:\Users\user\Desktop\Order 20201103.exe
Country:	United States
Countrycode:	USA
ASN number:	14061
ASN name:	DIGITALOCEAN-ASNUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
HTTP GET or POST without a user agent	Networking
Connects to IPs without corresponding DNS lookups	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

104.26.13.31

api.ip.sb.cdn.cloudflare.net

United States

Details

IP:	104.26.13.31
TargetID:	0
Current Path:	C:\Users\user\Desktop\Order 20201103.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ip.sb.cdn.cloudflare.net

Signature Hits	Behavior Group	Mitre Attack
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Order 20201103_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Order 20201103_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Order 20201103_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Order 20201103_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Order 20201103_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Order 20201103_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Order 20201103_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Order 20201103_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Order 20201103_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Order 20201103_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Order 20201103_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Order 20201103_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Order 20201103_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Order 20201103_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

482000

unkown

page readonly

8F7000

stack

page read and write

5690000

trusted library allocation

page execute and read and write

7510000

trusted library allocation

page execute and read and write

270C000

stack

page read and write

51B0000

trusted library allocation

page read and write

620E000

stack

page read and write

4D1B000

trusted library allocation

page read and write

6240000

trusted library allocation

page read and write

50A0000

trusted library allocation

page read and write

26CE000

stack

page read and write

25CE000

stack

page read and write

4D70000

heap

page execute and read and write

3949000

trusted library allocation

page read and write

93E000

heap

page read and write

C90000

trusted library allocation

page read and write

73D0000

trusted library allocation

page read and write

67EE000

stack

page read and write

6260000

trusted library allocation

page read and write

55FD000

stack

page read and write

2720000

heap

page execute and read and write

4D3E000

trusted library allocation

page read and write

73C0000

heap

page read and write

2580000

trusted library allocation

page read and write

5110000

trusted library allocation

page read and write

6A96000

trusted library allocation

page read and write

5EB8000

heap

page read and write

67AE000

stack

page read and write

63C0000

trusted library allocation

page read and write

7500000

heap

page read and write

4D50000

trusted library allocation

page read and write

6A90000

trusted library allocation

page read and write

6A32000

trusted library allocation

page read and write

6235000

trusted library allocation

page read and write

4770000

trusted library allocation

page read and write

2A27000

trusted library allocation

page read and write

50F0000

trusted library allocation

page execute and read and write

5E13000

heap

page read and write

6228000

trusted library allocation

page read and write

920000

heap

page read and write

7570000

trusted library allocation

page read and write

9E5000

heap

page read and write

524E000

stack

page read and write

DDF000

stack

page read and write

2750000

trusted library allocation

page read and write

62CD000

stack

page read and write

5DE5000

heap

page read and write

6244000

trusted library allocation

page read and write

6A5D000

trusted library allocation

page read and write

71A0000

trusted library allocation

page read and write

490D000

stack

page read and write

8B70000

heap

page read and write

623F000

trusted library allocation

page read and write

27C0000

trusted library allocation

page read and write

51C0000

trusted library allocation

page execute and read and write

6219000

trusted library allocation

page read and write

563E000

stack

page read and write

50C0000

trusted library allocation

page read and write

2C4A000

trusted library allocation

page read and write

622A000

trusted library allocation

page read and write

63AE000

stack

page read and write

519A000

trusted library allocation

page read and write

4778000

trusted library allocation

page read and write

7120000

trusted library allocation

page read and write

4CCE000

stack

page read and write

6A4E000

trusted library allocation

page read and write

734D000

stack

page read and write

480000

unkown

page readonly

95C000

heap

page read and write

536B000

trusted library allocation

page read and write

2730000

trusted library allocation

page read and write

5180000

trusted library allocation

page read and write

755E000

stack

page read and write

4D26000

trusted library allocation

page read and write

63B0000

trusted library allocation

page read and write

2754000

trusted library allocation

page read and write

37DF000

trusted library allocation

page read and write

7EFC0000

trusted library allocation

page execute and read and write

60FE000

stack

page read and write

51A0000

trusted library allocation

page read and write

6A56000

trusted library allocation

page read and write

6252000

trusted library allocation

page read and write

4E7F000

stack

page read and write

6215000

trusted library allocation

page read and write

6210000

trusted library allocation

page read and write

704C000

stack

page read and write

2ABB000

trusted library allocation

page read and write

6A70000

trusted library allocation

page read and write

6A65000

trusted library allocation

page read and write

5FBF000

stack

page read and write

3771000

trusted library allocation

page read and write

CA2000

trusted library allocation

page read and write

7560000

trusted library allocation

page execute and read and write

2A17000

trusted library allocation

page read and write

7170000

trusted library allocation

page read and write

7124000

trusted library allocation

page read and write

6A48000

trusted library allocation

page read and write

5DC0000

heap

page read and write

2997000

trusted library allocation

page read and write

7D6E000

stack

page read and write

2740000

trusted library allocation

page read and write

27DC000

trusted library allocation

page read and write

5100000

trusted library allocation

page read and write

687D000

heap

page read and write

5E90000

heap

page read and write

C9D000

trusted library allocation

page execute and read and write

6A36000

trusted library allocation

page read and write

535E000

stack

page read and write

CD0000

heap

page read and write

275A000

trusted library allocation

page read and write

6A44000

trusted library allocation

page read and write

73E0000

trusted library allocation

page read and write

4D60000

trusted library allocation

page read and write

519D000

trusted library allocation

page read and write

7C6E000

stack

page read and write

4F7E000

stack

page read and write

5DBE000

stack

page read and write

A6E000

stack

page read and write

6A51000

trusted library allocation

page read and write

52B000

stack

page read and write

5120000

trusted library allocation

page execute and read and write

2C41000

trusted library allocation

page read and write

682E000

stack

page read and write

622F000

trusted library allocation

page read and write

4D21000

trusted library allocation

page read and write

AA5000

heap

page read and write

27E0000

trusted library allocation

page read and write

5EA8000

heap

page read and write

C83000

trusted library allocation

page execute and read and write

2760000

heap

page read and write

4D41000

trusted library allocation

page read and write

3B36000

trusted library allocation

page read and write

6830000

heap

page read and write

6250000

trusted library allocation

page read and write

6883000

heap

page read and write

6A34000

trusted library allocation

page read and write

C84000

trusted library allocation

page read and write

C8D000

trusted library allocation

page execute and read and write

5682000

trusted library allocation

page read and write

377D000

trusted library allocation

page read and write

92E000

heap

page read and write

6A62000

trusted library allocation

page read and write

978000

heap

page read and write

73BE000

stack

page read and write

520D000

stack

page read and write

AA0000

heap

page read and write

2710000

trusted library allocation

page execute and read and write

5E7E000

heap

page read and write

4C8E000

stack

page read and write

6AA0000

trusted library allocation

page read and write

900000

heap

page read and write

6A58000

trusted library allocation

page read and write

2AB1000

trusted library allocation

page read and write

5680000

trusted library allocation

page read and write

5081000

trusted library allocation

page read and write

73E3000

trusted library allocation

page read and write

630F000

stack

page read and write

5360000

trusted library allocation

page read and write

7110000

trusted library allocation

page read and write

2A96000

trusted library allocation

page read and write

3782000

trusted library allocation

page read and write

6212000

trusted library allocation

page read and write

6330000

trusted library allocation

page read and write

6255000

trusted library allocation

page read and write

CB2000

trusted library allocation

page read and write

969000

heap

page read and write

6360000

heap

page read and write

50B0000

trusted library allocation

page read and write

2A30000

trusted library allocation

page read and write

6100000

trusted library allocation

page execute and read and write

6AD0000

trusted library allocation

page read and write

5A0000

heap

page read and write

5E64000

heap

page read and write

63D0000

trusted library allocation

page read and write

73F0000

heap

page read and write

CA0000

trusted library allocation

page read and write

60BE000

stack

page read and write

5170000

trusted library allocation

page read and write

4D0E000

stack

page read and write

5ED000

stack

page read and write

C7F000

stack

page read and write

7150000

trusted library allocation

page execute and read and write

8B86000

heap

page read and write

CB0000

trusted library allocation

page read and write

65B0000

heap

page read and write

7160000

trusted library allocation

page execute and read and write

A90000

trusted library allocation

page read and write

CBB000

trusted library allocation

page execute and read and write

C80000

trusted library allocation

page read and write

683A000

heap

page read and write

6A3F000

trusted library allocation

page read and write

2A14000

trusted library allocation

page read and write

7350000

trusted library allocation

page execute and read and write

A02000

heap

page read and write

6A80000

trusted library allocation

page execute and read and write

CA6000

trusted library allocation

page execute and read and write

27E8000

trusted library allocation

page read and write

590000

heap

page read and write

4D10000

trusted library allocation

page read and write

CB5000

trusted library allocation

page execute and read and write

3C36000

trusted library allocation

page read and write

5660000

trusted library allocation

page read and write

2BE3000

trusted library allocation

page read and write

683E000

heap

page read and write

CB7000

trusted library allocation

page execute and read and write

5250000

trusted library allocation

page execute and read and write

536E000

trusted library allocation

page read and write

6320000

trusted library allocation

page execute and read and write

930000

heap

page read and write

507E000

stack

page read and write

2771000

trusted library allocation

page read and write

4D32000

trusted library allocation

page read and write

926000

heap

page read and write

6A3C000

trusted library allocation

page read and write

623A000

trusted library allocation

page read and write

There are 205 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Order 20201103.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportOrder 20201103.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Order 20201103.exe