Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

RFQ#1047.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.9709267708957725
Filename:	RFQ#1047.exe
Filesize:	634368
MD5:	6846f1fb78fad5224b98b0137e7a862d
SHA1:	f40fa249d6464ef5c1f9e39748162fd5d70e7aaa
SHA256:	66a0cfa14afdb23dec776fa355b9f89551405989b9838db6398c77ee6c73c084
SHA512:	dce3134e45ba2a21efcfb4d3f4080dbecdb98d4dd4dafafd7f87daea5822350aab05dd0148b6a53e7ed7e8af26db7ee6a89de6312d1ea921b81f5a10b20326dc
SSDEEP:	12288:tnteikJg6ZUpq4BRAa0yTow0ADZVY8HnvcHEx0MTOw:3eBJgxpq4B+adowrZfnvckG
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....7...............0.................. ........@.. ....................... ............@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ#1047.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ#1047.exe.log
Category:	dropped
Dump:	RFQ#1047.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\RFQ#1047.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\RFQ#1047.exe

"C:\Users\user\Desktop\RFQ#1047.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2488
Target ID:	0
Parent PID:	4004
Name:	RFQ#1047.exe
Path:	C:\Users\user\Desktop\RFQ#1047.exe
Commandline:	"C:\Users\user\Desktop\RFQ#1047.exe"
Size:	634368
MD5:	6846F1FB78FAD5224B98B0137E7A862D
Time:	17:13:54
Date:	16/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x210000
Modulesize:	663552
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6440
Target ID:	3
Parent PID:	2488
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	17:13:55
Date:	16/04/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x440000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: MSBuild connects to smtp port	Networking
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://r3.o.lencr.org0

unknown

Details

Name:	http://r3.o.lencr.org0
TargetID:	3
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source:	MSBuild.exe, 00000003.00000002.4575146951.0000000005B11000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4571683281.0000000002851000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4567897518.0000000000A24000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\RFQ#1047.exe
Source:	RFQ#1047.exe, 00000000.00000002.2135311417.000000000389E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4564658212.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://x1.c.lencr.org/0

unknown

Details

Name:	http://x1.c.lencr.org/0
TargetID:	3
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source:	MSBuild.exe, 00000003.00000002.4567897518.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4575146951.0000000005B11000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4571683281.0000000002851000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://x1.i.lencr.org/0

unknown

Details

Name:	http://x1.i.lencr.org/0
TargetID:	3
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source:	MSBuild.exe, 00000003.00000002.4567897518.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4575146951.0000000005B11000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4571683281.0000000002851000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://r3.i.lencr.org/0

unknown

Details

Name:	http://r3.i.lencr.org/0
TargetID:	3
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source:	MSBuild.exe, 00000003.00000002.4575146951.0000000005B11000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4571683281.0000000002851000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.4567897518.0000000000A24000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

mail.xpl.co.nz

203.170.87.105

Details

Name:	mail.xpl.co.nz
IP:	203.170.87.105
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Sigma detected: MSBuild connects to smtp port	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

fp2e7a.wpc.phicdn.net

192.229.211.108

IPs

Domain

Country

Malicious

203.170.87.105

mail.xpl.co.nz

Australia

Details

IP:	203.170.87.105
TargetID:	3
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	Australia
Countrycode:	AUS
ASN number:	38719
ASN name:	DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU
Private:	false
Domain:	mail.xpl.co.nz

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: MSBuild connects to smtp port	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses SMTP (mail sending)	Networking	Application Layer Protocol

Memdumps

Base Address

Regiontype

Protect

Malicious

2851000

trusted library allocation

page read and write

389E000

trusted library allocation

page read and write

28C9000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

D00000

heap

page read and write

5D0000

heap

page read and write

3661000

trusted library allocation

page read and write

AD7000

heap

page read and write

C4D000

trusted library allocation

page execute and read and write

C6B000

trusted library allocation

page execute and read and write

870000

trusted library allocation

page read and write

24EE000

stack

page read and write

C56000

trusted library allocation

page execute and read and write

8400000

heap

page read and write

89D000

trusted library allocation

page execute and read and write

8F9000

stack

page read and write

284E000

stack

page read and write

9EF000

stack

page read and write

63AD000

stack

page read and write

C62000

trusted library allocation

page read and write

4C40000

heap

page read and write

385E000

trusted library allocation

page read and write

C5A000

trusted library allocation

page execute and read and write

4AAB000

trusted library allocation

page read and write

2740000

heap

page read and write

A3A000

heap

page read and write

4B32000

trusted library allocation

page read and write

26D0000

trusted library allocation

page read and write

53B6000

trusted library allocation

page read and write

AF30000

heap

page read and write

97E000

heap

page read and write

400000

remote allocation

page execute and read and write

4ABE000

trusted library allocation

page read and write

A3E000

heap

page read and write

A58000

heap

page read and write

36B7000

trusted library allocation

page read and write

5DBB000

trusted library allocation

page read and write

4AC1000

trusted library allocation

page read and write

4CA0000

trusted library allocation

page execute and read and write

274A000

trusted library allocation

page read and write

A20000

trusted library allocation

page read and write

24F0000

trusted library allocation

page read and write

4AA0000

trusted library allocation

page read and write

5F6D000

stack

page read and write

4DCC000

stack

page read and write

847B000

heap

page read and write

A00000

heap

page read and write

A44000

heap

page read and write

26DB000

trusted library allocation

page read and write

5D6E000

stack

page read and write

846B000

heap

page read and write

893000

trusted library allocation

page read and write

9EE000

heap

page read and write

DC0000

heap

page read and write

6D20000

trusted library section

page read and write

28E1000

trusted library allocation

page read and write

93E000

stack

page read and write

9FE000

heap

page read and write

9F0000

trusted library allocation

page execute and read and write

26FD000

trusted library allocation

page read and write

CE0000

trusted library allocation

page read and write

FFB90000

trusted library allocation

page execute and read and write

890000

trusted library allocation

page read and write

580000

heap

page read and write

28B7000

trusted library allocation

page read and write

265F000

stack

page read and write

8B7000

trusted library allocation

page execute and read and write

50A0000

heap

page read and write

53C0000

trusted library allocation

page execute and read and write

A6E000

heap

page read and write

CC0000

trusted library allocation

page read and write

C40000

trusted library allocation

page read and write

6510000

trusted library allocation

page read and write

53A0000

trusted library allocation

page read and write

2661000

trusted library allocation

page read and write

3753000

trusted library allocation

page read and write

863E000

stack

page read and write

26FC000

trusted library allocation

page read and write

6CB0000

trusted library section

page read and write

2540000

trusted library allocation

page execute and read and write

C2E000

stack

page read and write

B12F000

stack

page read and write

B16D000

stack

page read and write

CD0000

heap

page read and write

5AF0000

heap

page read and write

B0C000

heap

page read and write

210000

unkown

page readonly

6CC0000

trusted library allocation

page execute and read and write

C3D000

trusted library allocation

page execute and read and write

68C2000

trusted library allocation

page read and write

27DE000

trusted library allocation

page read and write

950000

trusted library allocation

page read and write

CB0000

heap

page read and write

5B11000

heap

page read and write

C30000

trusted library allocation

page read and write

4B50000

trusted library allocation

page read and write

4E70000

heap

page read and write

6530000

heap

page read and write

AF2D000

stack

page read and write

6870000

heap

page read and write

26F1000

trusted library allocation

page read and write

4F7C000

stack

page read and write

996000

heap

page read and write

5DAD000

stack

page read and write

4C90000

heap

page read and write

3C0000

heap

page read and write

585000

heap

page read and write

4C20000

trusted library section

page readonly

8E0000

heap

page read and write

4F0E000

stack

page read and write

717E000

stack

page read and write

C80000

trusted library allocation

page read and write

2714000

trusted library allocation

page read and write

C67000

trusted library allocation

page execute and read and write

6500000

heap

page read and write

3705000

trusted library allocation

page read and write

4CB0000

trusted library allocation

page read and write

26B0000

trusted library allocation

page read and write

4ACD000

trusted library allocation

page read and write

7F9D0000

trusted library allocation

page execute and read and write

4E40000

trusted library allocation

page read and write

4E5C000

trusted library allocation

page read and write

8410000

heap

page read and write

A10000

trusted library allocation

page read and write

4F90000

heap

page read and write

A30000

heap

page read and write

4C9B000

stack

page read and write

212000

unkown

page readonly

960000

heap

page read and write

4CD0000

trusted library section

page read and write

4B20000

heap

page read and write

25AE000

stack

page read and write

5FAE000

stack

page read and write

475C000

stack

page read and write

CFF000

stack

page read and write

26F6000

trusted library allocation

page read and write

34A000

stack

page read and write

8481000

heap

page read and write

5420000

trusted library allocation

page execute and read and write

884000

trusted library allocation

page read and write

4D10000

heap

page execute and read and write

6F3E000

stack

page read and write

26A0000

trusted library allocation

page execute and read and write

6CE0000

trusted library allocation

page read and write

C52000

trusted library allocation

page read and write

570000

heap

page read and write

3879000

trusted library allocation

page read and write

C90000

heap

page read and write

6520000

trusted library allocation

page execute and read and write

D07000

heap

page read and write

4CE0000

heap

page read and write

26E2000

trusted library allocation

page read and write

50AE000

heap

page read and write

268C000

stack

page read and write

50A000

stack

page read and write

64EF000

stack

page read and write

26EE000

trusted library allocation

page read and write

8D0000

trusted library allocation

page read and write

6F7000

stack

page read and write

2550000

heap

page execute and read and write

ADB000

heap

page read and write

5CE000

stack

page read and write

28DB000

trusted library allocation

page read and write

880000

trusted library allocation

page read and write

C33000

trusted library allocation

page execute and read and write

253E000

stack

page read and write

26C0000

trusted library allocation

page read and write

2720000

trusted library allocation

page read and write

C34000

trusted library allocation

page read and write

6DB0000

trusted library allocation

page read and write

28DD000

trusted library allocation

page read and write

5AE3000

heap

page read and write

A64000

heap

page read and write

38B9000

trusted library allocation

page read and write

2700000

trusted library allocation

page read and write

4C30000

heap

page read and write

AE2E000

stack

page read and write

4C50000

heap

page read and write

B09000

heap

page read and write

5AE0000

heap

page read and write

28D1000

trusted library allocation

page read and write

CB0000

trusted library allocation

page read and write

9DA000

heap

page read and write

C65000

trusted library allocation

page execute and read and write

2710000

trusted library allocation

page read and write

8B2000

trusted library allocation

page read and write

63EE000

stack

page read and write

A46000

heap

page read and write

5DB0000

trusted library allocation

page read and write

2690000

heap

page execute and read and write

27CA000

trusted library allocation

page read and write

25B8000

trusted library allocation

page read and write

8435000

heap

page read and write

53B0000

trusted library allocation

page read and write

26DE000

trusted library allocation

page read and write

C2F000

stack

page read and write

6CD0000

trusted library allocation

page execute and read and write

80E000

stack

page read and write

3851000

trusted library allocation

page read and write

62AE000

stack

page read and write

4E49000

trusted library allocation

page read and write

4B30000

trusted library allocation

page read and write

3669000

trusted library allocation

page read and write

8A6000

trusted library allocation

page execute and read and write

AD2E000

stack

page read and write

4FB0000

heap

page read and write

5AE5000

heap

page read and write

4F95000

heap

page read and write

4FD0000

heap

page read and write

4FA0000

heap

page read and write

60AE000

stack

page read and write

88D000

trusted library allocation

page execute and read and write

9EA000

heap

page read and write

6EBF000

stack

page read and write

4B40000

trusted library allocation

page execute and read and write

2813000

trusted library allocation

page read and write

AD3000

heap

page read and write

24F8000

trusted library allocation

page read and write

6EFE000

stack

page read and write

8E5000

heap

page read and write

5410000

trusted library allocation

page read and write

965C000

trusted library allocation

page read and write

4E60000

heap

page execute and read and write

4AE0000

trusted library allocation

page read and write

CAB000

stack

page read and write

A71000

heap

page read and write

540D000

stack

page read and write

C50000

trusted library allocation

page read and write

3B0000

heap

page read and write

853E000

stack

page read and write

70FF000

stack

page read and write

4CF0000

trusted library allocation

page read and write

8A0000

trusted library allocation

page read and write

28C5000

trusted library allocation

page read and write

26AF000

trusted library allocation

page read and write

B26F000

stack

page read and write

53A7000

trusted library allocation

page read and write

968000

heap

page read and write

494D000

stack

page read and write

8AA000

trusted library allocation

page execute and read and write

2AE000

unkown

page readonly

994000

heap

page read and write

4AA4000

trusted library allocation

page read and write

84D000

stack

page read and write

6CA0000

trusted library section

page read and write

CC5000

trusted library allocation

page read and write

3E0000

heap

page read and write

A24000

heap

page read and write

98A000

heap

page read and write

8470000

heap

page read and write

4E74000

heap

page read and write

4C53000

heap

page read and write

27FE000

trusted library allocation

page read and write

4E50000

trusted library allocation

page read and write

713D000

stack

page read and write

6DA0000

trusted library allocation

page read and write

883000

trusted library allocation

page execute and read and write

4AC6000

trusted library allocation

page read and write

C6E000

stack

page read and write

8BB000

trusted library allocation

page execute and read and write

There are 250 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
RFQ#1047.exe

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportRFQ#1047.exe

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
RFQ#1047.exe