Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

rQuotation.exe

PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	5.3677918797110635
Filename:	rQuotation.exe
Filesize:	1876079
MD5:	19c0bb3b7e9c41e5d47b78566e04d3de
SHA1:	ee19431fbe432dc27074a776c8d3cd1ee3f5f708
SHA256:	a60e8f372f54d47394a2091f56649707f1a0fffadb0afc3600f8ec103ff53d6e
SHA512:	f93084699839ea5da8ad449490bc73ac0694f5a858b367ba25a1aa82f4900caa6b292d9ff8d1d8768ae3f9705e628446b3497168e4b06a129fc3862fa47b93cc
SSDEEP:	12288:iXTOt5ewyLVvhjH838znIkxg0B2jdtH+Ti1TDRckULP6pE+cz:iyefLdhjc38jIQg0B2ZHRnULi0
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."...0.................. ....@...... ....................................`................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks if the current process is being debugged	Anti Debugging	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Encrypted Channel
Enables debug privileges	Anti Debugging
One or more processes crash	System Summary
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary
Uses Microsoft Silverlight	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rQuotation.exe_e4f27283d01878559fa8842b7cf5abf4516a719_5a22651d_971fdfdb-35fe-474f-9556-a675ed73134a\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rQuotation.exe_e4f27283d01878559fa8842b7cf5abf4516a719_5a22651d_971fdfdb-35fe-474f-9556-a675ed73134a\Report.wer
Category:	dropped
Dump:	Report.wer.7.dr
ID:	dr_4
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	1.0864548571164316
Encrypted:	false
Ssdeep:	192:f1Uu1A4Ta2l50UnU9aWBe3ZFlnG0/zuiF8Z24lO8QZC:CKA4T1YUnU9amwG2zuiF8Y4lO8Qs
Size:	65536
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE file does not import any functions	System Summary
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\Microsoft\Windows\WER\Temp\WER12E6.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER12E6.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER12E6.tmp.WERInternalMetadata.xml.7.dr
ID:	dr_2
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.712730037816931
Encrypted:	false
Ssdeep:	192:R6l7wVeJ6Fh36Y9kvMXQgmfhc6Jqrprw89btF/fYvm:R6lXJgh6YevMXQgmf2iut9f9
Size:	9056
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1316.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER1316.tmp.xml
Category:	dropped
Dump:	WER1316.tmp.xml.7.dr
ID:	dr_3
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.509984019776081
Encrypted:	false
Ssdeep:	48:cvIwWl8zsoJg771I9FyWpW8VY2Ym8M4JyNAFE+xyq85iewL8Q4d:uIjfuI76T7ViJySxz/L34d
Size:	4766
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF7.tmp.dmp

Mini DuMP crash report, 16 streams, Mon Jul 1 16:42:59 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF7.tmp.dmp
Category:	dropped
Dump:	WERFF7.tmp.dmp.7.dr
ID:	dr_1
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 16 streams, Mon Jul 1 16:42:59 2024, 0x1205a4 type
Entropy:	3.358458680323315
Encrypted:	false
Ssdeep:	3072:nq7nJwnXAz+yXx4WgcS59GbybN1CCq8FX3+vP8ZpUVT:ngJwyBGabiqI3Q0pU
Size:	475578
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.7.dr
ID:	dr_0
Target ID:	7
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.466036028196891
Encrypted:	false
Ssdeep:	6144:MIXfpi67eLPU9skLmb0b4FWSPKaJG8nAgejZMMhA2gX4WABl0uNYdwBCswSbt:xXD94FWlLZMM6YFH++t
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\rQuotation.exe

"C:\Users\user\Desktop\rQuotation.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6476
Target ID:	0
Parent PID:	2580
Name:	rQuotation.exe
Path:	C:\Users\user\Desktop\rQuotation.exe
Commandline:	"C:\Users\user\Desktop\rQuotation.exe"
Size:	1876079
MD5:	19C0BB3B7E9C41E5D47B78566E04D3DE
Time:	12:42:55
Date:	01/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1910e580000
Modulesize:	57344
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected UAC Bypass using CMSTP	Exploits
Initial sample is a PE file and has a suspicious name	System Summary
Yara detected Generic Downloader	Networking
PE file does not import any functions	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7032
Target ID:	3
Parent PID:	6476
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	12:42:58
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xd10000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: RegAsm connects to smtp port	Networking
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7072
Target ID:	4
Parent PID:	6476
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	12:42:58
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x100000
Modulesize:	73728
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: RegAsm connects to smtp port	Networking
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6492
Target ID:	1
Parent PID:	6476
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	12:42:55
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 6476 -s 1120

Details

Is windows:	true
Is dropped:	false
PID:	6188
Target ID:	7
Parent PID:	6476
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6476 -s 1120
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	12:42:58
Date:	01/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6e1ed0000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://www.fontbureau.com

unknown

http://www.fontbureau.com/designersG

unknown

http://terminal4.veeblehosting.com

unknown

http://www.fontbureau.com/designers/?

unknown

http://www.founder.com.cn/cn/bThe

unknown

https://account.dyn.com/

unknown

http://www.fontbureau.com/designers?

unknown

http://www.tiro.com

unknown

http://upx.sf.net

unknown

http://www.fontbureau.com/designers

unknown

http://www.goodfont.co.kr

unknown

http://www.carterandcone.coml

unknown

http://www.sajatypeworks.com

unknown

http://www.typography.netD

unknown

http://www.fontbureau.com/designers/cabarga.htmlN

unknown

http://www.founder.com.cn/cn/cThe

unknown

http://www.galapagosdesign.com/staff/dennis.htm

unknown

http://www.founder.com.cn/cn

unknown

http://www.fontbureau.com/designers/frere-user.html

unknown

http://x1.c.lencr.org/0

unknown

http://x1.i.lencr.org/0

unknown

http://www.jiyu-kobo.co.jp/

unknown

http://ip-api.com

unknown

http://r3.o.lencr.org0

unknown

http://www.galapagosdesign.com/DPlease

unknown

http://www.fontbureau.com/designers8

unknown

http://www.fonts.com

unknown

http://www.sandoll.co.kr

unknown

http://www.urwpp.deDPlease

unknown

http://www.zhongyicts.com.cn

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://www.sakkal.com

unknown

http://ip-api.com/line/?fields=hosting

208.95.112.1

http://r3.i.lencr.org/0&

unknown

There are 25 hidden URLs, click here to show them.

Domains

Name

Malicious

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Check if machine is in data center or colocation facility	Malware Analysis System Evasion	Security Software Discovery
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

terminal4.veeblehosting.com

108.170.55.203

Details

Name:	terminal4.veeblehosting.com
IP:	108.170.55.203
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Sigma detected: RegAsm connects to smtp port	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses SMTP (mail sending)	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

208.95.112.1

ip-api.com

United States

108.170.55.203

terminal4.veeblehosting.com

United States

Details

IP:	108.170.55.203
TargetID:	3
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	United States
Countrycode:	USA
ASN number:	20454
ASN name:	SSASN2US
Private:	false
Domain:	terminal4.veeblehosting.com

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: RegAsm connects to smtp port	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Uses SMTP (mail sending)	Networking	Application Layer Protocol

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\regasm_RASMANCS

FileDirectory

\REGISTRY\A\{06efb718-7a17-877d-cc1f-149de1f981f0}\Root\InventoryApplicationFile\rquotation.exe|d54f880fab411311

ProgramId

\REGISTRY\A\{06efb718-7a17-877d-cc1f-149de1f981f0}\Root\InventoryApplicationFile\rquotation.exe|d54f880fab411311

FileId

\REGISTRY\A\{06efb718-7a17-877d-cc1f-149de1f981f0}\Root\InventoryApplicationFile\rquotation.exe|d54f880fab411311

LowerCaseLongPath

\REGISTRY\A\{06efb718-7a17-877d-cc1f-149de1f981f0}\Root\InventoryApplicationFile\rquotation.exe|d54f880fab411311

LongPathHash

\REGISTRY\A\{06efb718-7a17-877d-cc1f-149de1f981f0}\Root\InventoryApplicationFile\rquotation.exe|d54f880fab411311

Name

\REGISTRY\A\{06efb718-7a17-877d-cc1f-149de1f981f0}\Root\InventoryApplicationFile\rquotation.exe|d54f880fab411311

OriginalFileName

\REGISTRY\A\{06efb718-7a17-877d-cc1f-149de1f981f0}\Root\InventoryApplicationFile\rquotation.exe|d54f880fab411311

Publisher

\REGISTRY\A\{06efb718-7a17-877d-cc1f-149de1f981f0}\Root\InventoryApplicationFile\rquotation.exe|d54f880fab411311

Version

\REGISTRY\A\{06efb718-7a17-877d-cc1f-149de1f981f0}\Root\InventoryApplicationFile\rquotation.exe|d54f880fab411311

BinFileVersion

\REGISTRY\A\{06efb718-7a17-877d-cc1f-149de1f981f0}\Root\InventoryApplicationFile\rquotation.exe|d54f880fab411311

BinaryType

\REGISTRY\A\{06efb718-7a17-877d-cc1f-149de1f981f0}\Root\InventoryApplicationFile\rquotation.exe|d54f880fab411311

ProductName

\REGISTRY\A\{06efb718-7a17-877d-cc1f-149de1f981f0}\Root\InventoryApplicationFile\rquotation.exe|d54f880fab411311

ProductVersion

\REGISTRY\A\{06efb718-7a17-877d-cc1f-149de1f981f0}\Root\InventoryApplicationFile\rquotation.exe|d54f880fab411311

LinkDate

\REGISTRY\A\{06efb718-7a17-877d-cc1f-149de1f981f0}\Root\InventoryApplicationFile\rquotation.exe|d54f880fab411311

BinProductVersion

\REGISTRY\A\{06efb718-7a17-877d-cc1f-149de1f981f0}\Root\InventoryApplicationFile\rquotation.exe|d54f880fab411311

AppxPackageFullName

\REGISTRY\A\{06efb718-7a17-877d-cc1f-149de1f981f0}\Root\InventoryApplicationFile\rquotation.exe|d54f880fab411311

AppxPackageRelativeId

\REGISTRY\A\{06efb718-7a17-877d-cc1f-149de1f981f0}\Root\InventoryApplicationFile\rquotation.exe|d54f880fab411311

Size

\REGISTRY\A\{06efb718-7a17-877d-cc1f-149de1f981f0}\Root\InventoryApplicationFile\rquotation.exe|d54f880fab411311

Language

\REGISTRY\A\{06efb718-7a17-877d-cc1f-149de1f981f0}\Root\InventoryApplicationFile\rquotation.exe|d54f880fab411311

Usn

There are 24 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

2ED1000

trusted library allocation

page read and write

1912044B000

trusted library allocation

page read and write

191105E8000

trusted library allocation

page read and write

2EFE000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

2F21000

trusted library allocation

page read and write

2CA7000

trusted library allocation

page execute and read and write

6350000

heap

page read and write

3F07000

trusted library allocation

page read and write

6B7E000

stack

page read and write

1910E8C0000

heap

page read and write

7FFD9B770000

trusted library allocation

page read and write

191208EA000

trusted library allocation

page read and write

54C0000

trusted library allocation

page read and write

5512000

trusted library allocation

page read and write

4C266FE000

stack

page read and write

DBA000

stack

page read and write

19110373000

trusted library allocation

page read and write

56E0000

heap

page read and write

7FFD9B910000

trusted library allocation

page read and write

1910E6B3000

heap

page read and write

7FFD9B890000

trusted library allocation

page execute and read and write

59DE000

stack

page read and write

4C267FF000

stack

page read and write

1910E8F0000

trusted library section

page readonly

5ADE000

stack

page read and write

2CA2000

trusted library allocation

page read and write

1280000

heap

page read and write

7FFD9B77D000

trusted library allocation

page execute and read and write

2CA0000

trusted library allocation

page read and write

1910E6B0000

heap

page read and write

1912A320000

heap

page read and write

1910E8B0000

trusted library allocation

page read and write

7FFD9B788000

trusted library allocation

page read and write

2C92000

trusted library allocation

page read and write

1910E582000

unkown

page readonly

2D80000

trusted library allocation

page execute and read and write

1912A210000

trusted library section

page read and write

7FFD9B7CC000

trusted library allocation

page execute and read and write

7FFD9B79D000

trusted library allocation

page execute and read and write

7FFD9B930000

trusted library allocation

page read and write

1910E6E4000

heap

page read and write

7FFD9B773000

trusted library allocation

page execute and read and write

5B9E000

stack

page read and write

6940000

trusted library allocation

page read and write

54E0000

trusted library allocation

page read and write

7FFD9B79B000

trusted library allocation

page execute and read and write

7FFD9B970000

trusted library allocation

page execute and read and write

2F29000

trusted library allocation

page read and write

7FF422180000

trusted library allocation

page execute and read and write

2D90000

heap

page execute and read and write

4C265FB000

stack

page read and write

56D0000

heap

page execute and read and write

2C90000

trusted library allocation

page read and write

54EB000

trusted library allocation

page read and write

4C264FC000

stack

page read and write

1115000

heap

page read and write

4C261FF000

stack

page read and write

7FFD9B940000

trusted library allocation

page read and write

7FFD9B782000

trusted library allocation

page read and write

2CA5000

trusted library allocation

page execute and read and write

7FFD9B96A000

trusted library allocation

page read and write

1910E67C000

heap

page read and write

54F2000

trusted library allocation

page read and write

2F1D000

trusted library allocation

page read and write

2C9A000

trusted library allocation

page execute and read and write

1910E840000

heap

page read and write

7FFD9B927000

trusted library allocation

page read and write

58DC000

stack

page read and write

7F5E0000

trusted library allocation

page execute and read and write

4C269FD000

stack

page read and write

54D0000

trusted library allocation

page read and write

4C263FD000

stack

page read and write

7FFD9B830000

trusted library allocation

page execute and read and write

43E000

remote allocation

page execute and read and write

2EFA000

trusted library allocation

page read and write

19128A59000

heap

page read and write

1910E68E000

heap

page read and write

1910EB45000

heap

page read and write

191282A0000

trusted library allocation

page read and write

19129B40000

trusted library allocation

page read and write

558C000

stack

page read and write

503D000

stack

page read and write

7FFD9B820000

trusted library allocation

page read and write

1912A20A000

trusted library section

page read and write

624F000

stack

page read and write

1912068F000

trusted library allocation

page read and write

19120281000

trusted library allocation

page read and write

668E000

stack

page read and write

191101F5000

heap

page read and write

127D000

heap

page read and write

166D000

trusted library allocation

page execute and read and write

2EFC000

trusted library allocation

page read and write

3EC9000

trusted library allocation

page read and write

1910E620000

heap

page read and write

300F000

trusted library allocation

page read and write

165D000

trusted library allocation

page execute and read and write

19120277000

trusted library allocation

page read and write

1910E640000

heap

page read and write

6860000

trusted library allocation

page read and write

2D60000

heap

page read and write

2D5C000

stack

page read and write

56C0000

trusted library allocation

page read and write

67C0000

trusted library allocation

page read and write

1910E6DB000

heap

page read and write

5501000

trusted library allocation

page read and write

1910E73D000

heap

page read and write

6DE0000

heap

page read and write

19128A6B000

heap

page read and write

1910E738000

heap

page read and write

54FA000

trusted library allocation

page read and write

1660000

trusted library allocation

page read and write

130B000

heap

page read and write

1910E975000

heap

page read and write

19128A50000

heap

page read and write

1490000

heap

page read and write

2CAB000

trusted library allocation

page execute and read and write

7FFD9B960000

trusted library allocation

page read and write

1910E731000

heap

page read and write

6950000

trusted library allocation

page read and write

1670000

heap

page read and write

550D000

trusted library allocation

page read and write

5520000

trusted library allocation

page read and write

5506000

trusted library allocation

page read and write

3EA1000

trusted library allocation

page read and write

1240000

heap

page read and write

2CD0000

heap

page read and write

1912A040000

trusted library section

page read and write

1912A360000

heap

page read and write

1654000

trusted library allocation

page read and write

5530000

trusted library allocation

page read and write

67CD000

trusted library allocation

page read and write

685E000

stack

page read and write

1110000

heap

page read and write

1910E880000

trusted library allocation

page read and write

54E6000

trusted library allocation

page read and write

7FFD9B772000

trusted library allocation

page read and write

124B000

heap

page read and write

2D1E000

stack

page read and write

1910E670000

heap

page read and write

19110260000

heap

page execute and read and write

5B5D000

stack

page read and write

19128A40000

heap

page read and write

1912027D000

trusted library allocation

page read and write

6DF0000

heap

page read and write

10F9000

stack

page read and write

1912A35D000

heap

page read and write

2E9F000

stack

page read and write

680D000

stack

page read and write

7FFD9B780000

trusted library allocation

page read and write

191102D3000

trusted library allocation

page read and write

54FE000

trusted library allocation

page read and write

191101F0000

heap

page read and write

1910E580000

unkown

page readonly

1910E6DE000

heap

page read and write

4C262FE000

stack

page read and write

400000

remote allocation

page execute and read and write

4C25FFF000

stack

page read and write

1910E676000

heap

page read and write

19129F40000

heap

page read and write

7FFD9B92C000

trusted library allocation

page read and write

566E000

stack

page read and write

12D5000

heap

page read and write

4C25EF2000

stack

page read and write

56C9000

trusted library allocation

page read and write

2C96000

trusted library allocation

page execute and read and write

6356000

heap

page read and write

1210000

heap

page read and write

635C000

heap

page read and write

562E000

stack

page read and write

1910E8B3000

trusted library allocation

page read and write

56AD000

stack

page read and write

1274000

heap

page read and write

67B0000

trusted library allocation

page read and write

67A0000

trusted library allocation

page read and write

7FFD9B920000

trusted library allocation

page read and write

7FFD9B962000

trusted library allocation

page read and write

2F10000

trusted library allocation

page read and write

1130000

heap

page read and write

7FFD9B794000

trusted library allocation

page read and write

7FFD9B82C000

trusted library allocation

page execute and read and write

63D4000

heap

page read and write

19129B62000

trusted library allocation

page read and write

7FFD9B826000

trusted library allocation

page read and write

7FFD9B856000

trusted library allocation

page execute and read and write

6810000

trusted library allocation

page execute and read and write

6790000

trusted library allocation

page execute and read and write

7FFD9B790000

trusted library allocation

page read and write

7FFD9B78D000

trusted library allocation

page execute and read and write

7FFD9B950000

trusted library allocation

page read and write

2EA1000

trusted library allocation

page read and write

4C260FE000

stack

page read and write

1640000

trusted library allocation

page read and write

1910E699000

heap

page read and write

2CC0000

trusted library allocation

page read and write

1911027D000

trusted library allocation

page read and write

56B0000

heap

page read and write

6867000

trusted library allocation

page read and write

6370000

heap

page read and write

1910E970000

heap

page read and write

1910E8A0000

trusted library allocation

page read and write

67A7000

trusted library allocation

page read and write

19120271000

trusted library allocation

page read and write

7FFD9B916000

trusted library allocation

page read and write

6E40000

trusted library allocation

page execute and read and write

6C7E000

stack

page read and write

1912A6D0000

heap

page execute and read and write

1910E610000

heap

page read and write

6377000

heap

page read and write

1910E900000

heap

page read and write

1676000

heap

page read and write

55E0000

heap

page read and write

2F04000

trusted library allocation

page read and write

7FFD9B774000

trusted library allocation

page read and write

54EE000

trusted library allocation

page read and write

4C268FE000

stack

page read and write

678D000

stack

page read and write

7FFD9B980000

trusted library allocation

page read and write

1653000

trusted library allocation

page execute and read and write

1910EB40000

heap

page read and write

4EA8000

trusted library allocation

page read and write

1910E910000

heap

page read and write

1910E765000

heap

page read and write

19110271000

trusted library allocation

page read and write

55E3000

heap

page read and write

1650000

trusted library allocation

page read and write

There are 216 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
rQuotation.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportrQuotation.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
rQuotation.exe