Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

NEW QUOTATION.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.880783190465589
Filename:	NEW QUOTATION.exe
Filesize:	711168
MD5:	271bed3b2972f11259073f7e3cde6bb4
SHA1:	f944ac33a1fb6d0b1fd8a97147487976a1b334c7
SHA256:	ccadaf700c4557efd158b2578d62710414c288b13d1c7a1eec1b06957ea8837b
SHA512:	4f87507e1a709cdc0829f285efc602429c15b0aa11e9785f3504b3a7d6768f3e74640c608c1e2445c0da5b100bd5ad6af849d493758d0c76e6ca46fb3dc53d0d
SSDEEP:	12288:xAvIPc9MUWeQRfMIqaBwqKEhcEvGR7yd4Cz3ARSteRM:xAzWeQROS+R7ydlbAgcS
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ........@.. ....................... ............@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)	Anti Debugging
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks if the current process is being debugged	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
.NET source code contains methods with suspicious names	System Summary	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW QUOTATION.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW QUOTATION.exe.log
Category:	dropped
Dump:	NEW QUOTATION.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\NEW QUOTATION.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\NEW QUOTATION.exe

"C:\Users\user\Desktop\NEW QUOTATION.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5812
Target ID:	0
Parent PID:	1028
Name:	NEW QUOTATION.exe
Path:	C:\Users\user\Desktop\NEW QUOTATION.exe
Commandline:	"C:\Users\user\Desktop\NEW QUOTATION.exe"
Size:	711168
MD5:	271BED3B2972F11259073F7E3CDE6BB4
Time:	14:16:00
Date:	16/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xc60000
Modulesize:	729088
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\NEW QUOTATION.exe

"C:\Users\user\Desktop\NEW QUOTATION.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5332
Target ID:	3
Parent PID:	5812
Name:	NEW QUOTATION.exe
Path:	C:\Users\user\Desktop\NEW QUOTATION.exe
Commandline:	"C:\Users\user\Desktop\NEW QUOTATION.exe"
Size:	711168
MD5:	271BED3B2972F11259073F7E3CDE6BB4
Time:	14:16:01
Date:	16/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xea0000
Modulesize:	729088
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Telegram RAT	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\NEW QUOTATION.exe
Source:	NEW QUOTATION.exe, 00000000.00000002.2059597640.00000000042EE000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.telegram.org

unknown

Details

Name:	https://api.telegram.org
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\Desktop\NEW QUOTATION.exe
Source:	NEW QUOTATION.exe, 00000003.00000002.4522520156.00000000032E5000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
URLs found in memory or binary data	Networking

http://api.telegram.org

unknown

Details

Name:	http://api.telegram.org
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\Desktop\NEW QUOTATION.exe
Source:	NEW QUOTATION.exe, 00000003.00000002.4522520156.00000000032E5000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.telegram.org/bot6359985836:AAEpvgyD3CBEihuwlXNMLbKTgPfew2N22lc/sendDocument

149.154.167.220

Details

Name:	https://api.telegram.org/bot6359985836:AAEpvgyD3CBEihuwlXNMLbKTgPfew2N22lc/sendDocument
IP:	149.154.167.220
TargetID:	3
From Memory:	false
Current Path:	C:\Users\user\Desktop\NEW QUOTATION.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\Desktop\NEW QUOTATION.exe
Source:	NEW QUOTATION.exe, 00000003.00000002.4522520156.0000000003281000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.telegram.org/bot6359985836:AAEpvgyD3CBEihuwlXNMLbKTgPfew2N22lc/

unknown

Details

Name:	https://api.telegram.org/bot6359985836:AAEpvgyD3CBEihuwlXNMLbKTgPfew2N22lc/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\NEW QUOTATION.exe
Source:	NEW QUOTATION.exe, 00000000.00000002.2059597640.00000000042EE000.00000004.00000800.00020000.00000000.sdmp, NEW QUOTATION.exe, 00000003.00000002.4522520156.0000000003281000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
URLs found in memory or binary data	Networking

http://ip-api.com/line/?fields=hosting

208.95.112.1

Details

Name:	http://ip-api.com/line/?fields=hosting
IP:	208.95.112.1
TargetID:	3
From Memory:	false
Current Path:	C:\Users\user\Desktop\NEW QUOTATION.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking

http://ip-api.com

unknown

Details

Name:	http://ip-api.com
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\Desktop\NEW QUOTATION.exe
Source:	NEW QUOTATION.exe, 00000003.00000002.4522520156.0000000003281000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Check if machine is in data center or colocation facility	Malware Analysis System Evasion	Security Software Discovery
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.telegram.org

149.154.167.220

Details

Name:	api.telegram.org
IP:	149.154.167.220
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
Uses the Telegram API (likely for C&C communication)	Networking	Web Service
HTTP GET or POST without a user agent	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

208.95.112.1

ip-api.com

United States

149.154.167.220

api.telegram.org

United Kingdom

Details

IP:	149.154.167.220
TargetID:	3
Current Path:	C:\Users\user\Desktop\NEW QUOTATION.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	api.telegram.org

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NEW QUOTATION_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NEW QUOTATION_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NEW QUOTATION_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NEW QUOTATION_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NEW QUOTATION_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NEW QUOTATION_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NEW QUOTATION_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NEW QUOTATION_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NEW QUOTATION_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NEW QUOTATION_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NEW QUOTATION_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NEW QUOTATION_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NEW QUOTATION_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NEW QUOTATION_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

32E9000

trusted library allocation

page read and write

32B0000

trusted library allocation

page read and write

32DD000

trusted library allocation

page read and write

42EE000

trusted library allocation

page read and write

7360000

trusted library section

page read and write

6FD0000

heap

page read and write

2E90000

trusted library allocation

page read and write

7CCE000

stack

page read and write

1190000

heap

page read and write

159A000

heap

page read and write

2F96000

trusted library allocation

page read and write

17C7000

trusted library allocation

page execute and read and write

75C0000

trusted library allocation

page execute and read and write

11B0000

heap

page read and write

7D0E000

stack

page read and write

1775000

trusted library allocation

page execute and read and write

1544000

trusted library allocation

page read and write

7500000

trusted library section

page read and write

6EE0000

trusted library allocation

page read and write

14B5000

heap

page read and write

2EF0000

heap

page read and write

315E000

trusted library allocation

page read and write

1292000

heap

page read and write

7C8E000

stack

page read and write

3306000

trusted library allocation

page read and write

571A000

trusted library allocation

page read and write

6FBE000

stack

page read and write

5955000

heap

page read and write

1543000

trusted library allocation

page execute and read and write

74A0000

heap

page read and write

5700000

trusted library allocation

page read and write

17CB000

trusted library allocation

page execute and read and write

723E000

stack

page read and write

2E00000

trusted library allocation

page read and write

17E0000

heap

page read and write

1285000

heap

page read and write

4119000

trusted library allocation

page read and write

A4AE000

stack

page read and write

6D93000

trusted library allocation

page read and write

3270000

heap

page read and write

35DE000

trusted library allocation

page read and write

1560000

trusted library allocation

page read and write

2F9D000

trusted library allocation

page read and write

6C80000

heap

page read and write

3194000

trusted library allocation

page read and write

17D0000

heap

page execute and read and write

5790000

trusted library section

page readonly

42A9000

trusted library allocation

page read and write

125A000

heap

page read and write

15A7000

heap

page read and write

1550000

trusted library allocation

page read and write

55B0000

trusted library allocation

page read and write

760E000

stack

page read and write

2FE0000

trusted library allocation

page read and write

A6EF000

stack

page read and write

146E000

stack

page read and write

127C000

heap

page read and write

4281000

trusted library allocation

page read and write

75EE000

stack

page read and write

318F000

trusted library allocation

page read and write

C62000

unkown

page readonly

A5AF000

stack

page read and write

C60000

unkown

page readonly

155D000

trusted library allocation

page execute and read and write

1578000

heap

page read and write

572D000

trusted library allocation

page read and write

35FB000

trusted library allocation

page read and write

5721000

trusted library allocation

page read and write

2EF3000

heap

page read and write

5970000

heap

page read and write

717E000

stack

page read and write

1562000

trusted library allocation

page read and write

33EE000

trusted library allocation

page read and write

17B6000

trusted library allocation

page execute and read and write

5744000

trusted library allocation

page read and write

2FB0000

trusted library allocation

page read and write

31CE000

stack

page read and write

6D83000

trusted library allocation

page read and write

31D8000

trusted library allocation

page read and write

310F000

stack

page read and write

32DB000

trusted library allocation

page read and write

7430000

trusted library allocation

page read and write

1344000

heap

page read and write

5750000

trusted library allocation

page read and write

7510000

trusted library section

page read and write

7410000

heap

page read and write

DAA000

stack

page read and write

5590000

heap

page read and write

58ED000

stack

page read and write

57A0000

heap

page execute and read and write

4203000

trusted library allocation

page read and write

125E000

heap

page read and write

5E00000

trusted library allocation

page read and write

67BD000

stack

page read and write

42E9000

trusted library allocation

page read and write

7F340000

trusted library allocation

page execute and read and write

2E4E000

stack

page read and write

70B0000

heap

page read and write

5940000

trusted library section

page read and write

6EC0000

trusted library allocation

page read and write

2F60000

trusted library allocation

page read and write

53BD000

stack

page read and write

151E000

stack

page read and write

17D7000

heap

page read and write

570B000

trusted library allocation

page read and write

1777000

trusted library allocation

page execute and read and write

6DA0000

trusted library allocation

page read and write

123D000

trusted library allocation

page execute and read and write

5712000

trusted library allocation

page read and write

6CF6000

heap

page read and write

5DE0000

heap

page read and write

55D0000

trusted library allocation

page read and write

1540000

trusted library allocation

page read and write

2EB9000

trusted library allocation

page read and write

5990000

heap

page read and write

1234000

trusted library allocation

page read and write

1278000

heap

page read and write

735E000

stack

page read and write

57BC000

stack

page read and write

17E7000

heap

page read and write

17C0000

trusted library allocation

page read and write

1250000

heap

page read and write

4167000

trusted library allocation

page read and write

7400000

heap

page read and write

161E000

stack

page read and write

6DFE000

stack

page read and write

52BC000

stack

page read and write

5760000

heap

page execute and read and write

35CC000

trusted library allocation

page read and write

1350000

heap

page read and write

725E000

stack

page read and write

1233000

trusted library allocation

page execute and read and write

5732000

trusted library allocation

page read and write

55A0000

heap

page read and write

6F7E000

stack

page read and write

5860000

heap

page read and write

74EE000

stack

page read and write

12F7000

heap

page read and write

17C0000

trusted library allocation

page read and write

41B5000

trusted library allocation

page read and write

1120000

heap

page read and write

5E07000

trusted library allocation

page read and write

7EEB0000

trusted library allocation

page execute and read and write

8D47000

trusted library allocation

page read and write

6CE1000

heap

page read and write

5706000

trusted library allocation

page read and write

15A4000

heap

page read and write

7520000

trusted library allocation

page execute and read and write

1790000

trusted library allocation

page read and write

7680000

trusted library allocation

page read and write

5726000

trusted library allocation

page read and write

1772000

trusted library allocation

page read and write

A3AE000

stack

page read and write

1243000

trusted library allocation

page read and write

6C8C000

heap

page read and write

2F7B000

trusted library allocation

page read and write

5550000

trusted library allocation

page read and write

5AE0000

trusted library allocation

page read and write

57EC000

stack

page read and write

15DF000

heap

page read and write

6D80000

trusted library allocation

page read and write

43C000

remote allocation

page execute and read and write

733E000

stack

page read and write

154D000

trusted library allocation

page execute and read and write

3111000

trusted library allocation

page read and write

7530000

trusted library allocation

page read and write

570E000

trusted library allocation

page read and write

7450000

heap

page read and write

16AE000

stack

page read and write

10F7000

stack

page read and write

1296000

heap

page read and write

124D000

trusted library allocation

page execute and read and write

14FE000

stack

page read and write

1470000

heap

page read and write

2F00000

heap

page execute and read and write

3313000

trusted library allocation

page read and write

2EB0000

trusted library allocation

page read and write

5B9C000

stack

page read and write

1520000

trusted library allocation

page read and write

58F0000

heap

page read and write

7470000

trusted library allocation

page execute and read and write

5740000

trusted library allocation

page read and write

11B5000

heap

page read and write

2F50000

trusted library allocation

page execute and read and write

32F5000

trusted library allocation

page read and write

6CC2000

heap

page read and write

3000000

heap

page read and write

6ED0000

trusted library allocation

page execute and read and write

1603000

heap

page read and write

1290000

heap

page read and write

11FE000

stack

page read and write

18EF000

stack

page read and write

5853000

heap

page read and write

6D9D000

trusted library allocation

page read and write

1537000

heap

page read and write

17A0000

trusted library allocation

page execute and read and write

400000

remote allocation

page execute and read and write

2F8E000

trusted library allocation

page read and write

3281000

trusted library allocation

page read and write

43E000

remote allocation

page execute and read and write

17C2000

trusted library allocation

page read and write

A5EE000

stack

page read and write

7540000

trusted library section

page read and write

1220000

trusted library allocation

page read and write

30CE000

stack

page read and write

2F70000

trusted library allocation

page read and write

1770000

trusted library allocation

page read and write

17D0000

heap

page read and write

2E8E000

stack

page read and write

520C000

stack

page read and write

70BE000

heap

page read and write

55C0000

trusted library allocation

page execute and read and write

1530000

heap

page read and write

77B2000

trusted library allocation

page read and write

177B000

trusted library allocation

page execute and read and write

118E000

stack

page read and write

5910000

trusted library allocation

page execute and read and write

14B0000

heap

page read and write

3302000

trusted library allocation

page read and write

5850000

heap

page read and write

32E5000

trusted library allocation

page read and write

571E000

trusted library allocation

page read and write

2FA2000

trusted library allocation

page read and write

5931000

trusted library allocation

page read and write

17B0000

trusted library allocation

page read and write

1140000

heap

page read and write

2FC0000

trusted library allocation

page read and write

3379000

trusted library allocation

page read and write

FE9000

stack

page read and write

3151000

trusted library allocation

page read and write

4111000

trusted library allocation

page read and write

158F000

heap

page read and write

17BA000

trusted library allocation

page execute and read and write

2F74000

trusted library allocation

page read and write

32E1000

trusted library allocation

page read and write

5960000

heap

page read and write

156A000

trusted library allocation

page execute and read and write

1240000

trusted library allocation

page read and write

68BF000

stack

page read and write

2F91000

trusted library allocation

page read and write

6DB0000

trusted library allocation

page execute and read and write

2FD0000

trusted library allocation

page read and write

165D000

heap

page read and write

2F4C000

stack

page read and write

5900000

heap

page read and write

1500000

heap

page read and write

1230000

trusted library allocation

page read and write

2FD5000

trusted library allocation

page read and write

5DF0000

trusted library allocation

page read and write

1110000

heap

page read and write

1566000

trusted library allocation

page execute and read and write

5950000

heap

page read and write

1570000

heap

page read and write

17B0000

trusted library allocation

page read and write

12F9000

stack

page read and write

There are 245 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
NEW QUOTATION.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportNEW QUOTATION.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
NEW QUOTATION.exe