Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

QUOTATIONS#08673.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.116575951378602
Filename:	QUOTATIONS#08673.exe
Filesize:	1255193
MD5:	1522208299a09118d66f8935cba32719
SHA1:	a4d2b0aedd7025d2c9a9fe68865d99292fe9281e
SHA256:	dbcfe75ffa225fe589d46508dfcf014bbdb4444855b3bbb1560249ec1ee2dad9
SHA512:	15107e1a1e9f54ee501678296b052c4fcc1e96c8f521b241d5f1855b16bbd821dd1a55705589238adeb9a34df0220f93c02bd173d63a3ffe2f235b7a7189ff17
SSDEEP:	24576:1fmMv6Ckr7Mny5QZc3uZxgCSvu9OfZxd6Qu:13v+7/5QZyuZrSvuwZ6T
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection	Exploitation for Privilege Escalation
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to detect sleep reduction / modifications	Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Masquerading Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Exfiltration Over Alternative Protocol
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Native API Access Token Manipulation
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to read the PEB	Anti Debugging
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion	Masquerading
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	System Shutdown/Reboot
PE file contains an invalid checksum	Data Obfuscation
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Sample file is different than original file name gathered from version info	System Summary	System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
Contains functionality for error logging	System Summary
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Might use command line arguments	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newapp.exe.log

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newapp.exe.log
Category:	modified
Dump:	newapp.exe.log.4.dr
ID:	dr_3
Target ID:	4
Process:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.090621108356562
Encrypted:	false
Ssdeep:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
Size:	142
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\hypopygidium

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\hypopygidium
Category:	dropped
Dump:	hypopygidium.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\QUOTATIONS#08673.exe
Type:	data
Entropy:	6.457769471355962
Encrypted:	false
Ssdeep:	6144:kNvoiXAMfH2Lq86EzKFb/HEnPPNL6MUmOimn10cGD1G:+o5MfH2e86Eq+PNLrOPnn
Size:	249856
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Roaming\newapp\newapp.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

modified

Details

File:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Category:	modified
Dump:	newapp.exe.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.16795797263964
Encrypted:	false
Ssdeep:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
Size:	45984
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses Microsoft Silverlight	System Summary

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.6.dr
ID:	dr_4
Target ID:	6
Process:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.442398121585593
Encrypted:	false
Ssdeep:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
Size:	1141
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\QUOTATIONS#08673.exe

"C:\Users\user\Desktop\QUOTATIONS#08673.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3276
Target ID:	0
Parent PID:	4084
Name:	QUOTATIONS#08673.exe
Path:	C:\Users\user\Desktop\QUOTATIONS#08673.exe
Commandline:	"C:\Users\user\Desktop\QUOTATIONS#08673.exe"
Size:	1255193
MD5:	1522208299A09118D66F8935CBA32719
Time:	08:52:38
Date:	04/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	880640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\QUOTATIONS#08673.exe"

Details

Is windows:	true
Is dropped:	false
PID:	3648
Target ID:	2
Parent PID:	3276
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\QUOTATIONS#08673.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	08:52:40
Date:	04/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x3d0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Roaming\newapp\newapp.exe

"C:\Users\user\AppData\Roaming\newapp\newapp.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7096
Target ID:	4
Parent PID:	4084
Name:	newapp.exe
Path:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Commandline:	"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	08:52:54
Date:	04/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0xfe0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\user\AppData\Roaming\newapp\newapp.exe

"C:\Users\user\AppData\Roaming\newapp\newapp.exe"

Details

Is windows:	false
Is dropped:	true
PID:	5756
Target ID:	6
Parent PID:	4084
Name:	newapp.exe
Path:	C:\Users\user\AppData\Roaming\newapp\newapp.exe
Commandline:	"C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	08:53:03
Date:	04/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0xa0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Hides that the sample has been downloaded from the Internet (zone.identifier)	Hooking and other Techniques for Hiding and Protection	Hidden Files and Directories
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5932
Target ID:	5
Parent PID:	7096
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	08:52:57
Date:	04/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6ee680000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3552
Target ID:	7
Parent PID:	5756
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	08:53:04
Date:	04/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff6ee680000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://api.ipify.org/

104.26.13.205

Details

Name:	https://api.ipify.org/
IP:	104.26.13.205
TargetID:	2
From Memory:	false
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://api.ipify.org

unknown

Details

Name:	https://api.ipify.org
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\QUOTATIONS#08673.exe
Source:	QUOTATIONS#08673.exe, 00000000.00000002.1510436656.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3964255983.00000000007A2000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3965724933.00000000027F1000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\QUOTATIONS#08673.exe
Source:	QUOTATIONS#08673.exe, 00000000.00000002.1510436656.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3964255983.00000000007A2000.00000040.80000000.00040000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.ipify.org/t

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://ftp.ercolina-usa.com

unknown

Details

Name:	http://ftp.ercolina-usa.com
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.3965724933.000000000286C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3965724933.00000000029E5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3965724933.0000000002A09000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://ercolina-usa.com

unknown

Details

Name:	http://ercolina-usa.com
TargetID:	2
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000002.00000002.3965724933.000000000286C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3965724933.00000000029E5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3965724933.0000000002A09000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

ercolina-usa.com

192.254.225.136

Details

Name:	ercolina-usa.com
IP:	192.254.225.136
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Uses FTP	Networking	Application Layer Protocol Exfiltration Over Alternative Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

ftp.ercolina-usa.com

unknown

Details

Name:	ftp.ercolina-usa.com
TargetID:	-1

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

104.26.13.205

Details

Name:	api.ipify.org
IP:	104.26.13.205
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

192.254.225.136

ercolina-usa.com

United States

Details

IP:	192.254.225.136
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	46606
ASN name:	UNIFIEDLAYER-AS-1US
Private:	false
Domain:	ercolina-usa.com

Signature Hits	Behavior Group	Mitre Attack
Uses FTP	Networking	Application Layer Protocol Exfiltration Over Alternative Protocol

104.26.13.205

api.ipify.org

United States

Details

IP:	104.26.13.205
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS

FileDirectory

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

newapp

There are 6 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

286C000

trusted library allocation

page read and write

7A2000

system

page execute and read and write

2841000

trusted library allocation

page read and write

2FC0000

direct allocation

page read and write

1A30000

trusted library allocation

page read and write

37F1000

trusted library allocation

page read and write

2320000

heap

page read and write

A45000

trusted library allocation

page execute and read and write

8BF000

stack

page read and write

A80000

heap

page read and write

4BE000

unkown

page readonly

3CF6000

heap

page read and write

3DF9000

heap

page read and write

51D0000

heap

page read and write

177E000

stack

page read and write

3DF9000

heap

page read and write

4420000

direct allocation

page read and write

65D000

trusted library allocation

page execute and read and write

745000

heap

page read and write

482000

unkown

page readonly

5B1E000

stack

page read and write

475E000

direct allocation

page read and write

48EE000

stack

page read and write

AC8000

heap

page read and write

27AB000

trusted library allocation

page read and write

2411000

trusted library allocation

page read and write

A4E000

stack

page read and write

6840000

heap

page read and write

5080000

heap

page read and write

5E70000

trusted library allocation

page read and write

46ED000

direct allocation

page read and write

51BE000

stack

page read and write

A00000

trusted library allocation

page read and write

5890000

heap

page execute and read and write

1A0000

heap

page read and write

45C0000

direct allocation

page read and write

ABA000

heap

page read and write

45C0000

direct allocation

page read and write

A42000

trusted library allocation

page read and write

30B0000

trusted library allocation

page read and write

59FF000

heap

page read and write

4543000

direct allocation

page read and write

59B0000

heap

page read and write

A14000

trusted library allocation

page read and write

A74000

heap

page read and write

D8E000

stack

page read and write

16AF000

stack

page read and write

4EFE000

stack

page read and write

3E07000

heap

page read and write

91F000

stack

page read and write

45C0000

direct allocation

page read and write

3097000

trusted library allocation

page execute and read and write

4C30000

trusted library allocation

page read and write

4420000

direct allocation

page read and write

3EEF000

heap

page read and write

475E000

direct allocation

page read and write

8D5000

heap

page read and write

598E000

stack

page read and write

45AE000

stack

page read and write

27CD000

trusted library allocation

page read and write

7A0000

system

page execute and read and write

1A50000

trusted library allocation

page read and write

A98000

heap

page read and write

B68000

heap

page read and write

4EAC000

stack

page read and write

490000

unkown

page write copy

542E000

stack

page read and write

4331000

trusted library allocation

page read and write

64E0000

trusted library allocation

page read and write

475E000

direct allocation

page read and write

46ED000

direct allocation

page read and write

5FDD000

trusted library allocation

page read and write

3DF9000

heap

page read and write

4543000

direct allocation

page read and write

46E9000

direct allocation

page read and write

332F000

stack

page read and write

AEF000

heap

page read and write

494E000

stack

page read and write

A20000

trusted library allocation

page read and write

100000

heap

page read and write

5E79000

trusted library allocation

page read and write

ABA000

heap

page read and write

475E000

direct allocation

page read and write

E46000

heap

page read and write

5A46000

heap

page read and write

3F36000

heap

page read and write

400000

unkown

page readonly

13C000

stack

page read and write

2868000

trusted library allocation

page read and write

14E0000

heap

page read and write

23B0000

trusted library allocation

page execute and read and write

45C0000

direct allocation

page read and write

5C1E000

stack

page read and write

4F9000

stack

page read and write

B22000

heap

page read and write

26EE000

stack

page read and write

3331000

trusted library allocation

page read and write

4DAC000

stack

page read and write

A70000

heap

page read and write

67D000

trusted library allocation

page execute and read and write

A30000

trusted library allocation

page read and write

166E000

stack

page read and write

475E000

direct allocation

page read and write

3D0F000

heap

page read and write

960000

heap

page read and write

3220000

heap

page execute and read and write

3F28000

heap

page read and write

13E0000

heap

page read and write

3B51000

heap

page read and write

E40000

heap

page read and write

5ADE000

stack

page read and write

27D2000

trusted library allocation

page read and write

3D06000

heap

page read and write

3DF9000

heap

page read and write

46ED000

direct allocation

page read and write

4420000

direct allocation

page read and write

3986000

trusted library allocation

page read and write

4A7000

unkown

page read and write

46E9000

direct allocation

page read and write

46ED000

direct allocation

page read and write

282F000

trusted library allocation

page read and write

74B000

heap

page read and write

27A0000

trusted library allocation

page read and write

665000

heap

page read and write

4AE000

unkown

page readonly

3EEE000

heap

page read and write

3EEF000

heap

page read and write

66A000

stack

page read and write

3E51000

heap

page read and write

A32000

trusted library allocation

page read and write

C8C000

stack

page read and write

13FF000

heap

page read and write

AB0000

heap

page read and write

654000

trusted library allocation

page read and write

599A000

heap

page read and write

8D0000

heap

page read and write

5A6C000

heap

page read and write

49B0000

heap

page execute and read and write

4258000

heap

page read and write

3B50000

heap

page read and write

E0C000

stack

page read and write

50CE000

stack

page read and write

4543000

direct allocation

page read and write

AC5000

heap

page read and write

3EEF000

heap

page read and write

3EEF000

heap

page read and write

3F0C000

heap

page read and write

490000

unkown

page read and write

3EEE000

heap

page read and write

3EEF000

heap

page read and write

4543000

direct allocation

page read and write

640000

trusted library allocation

page read and write

3EEF000

heap

page read and write

3DF9000

heap

page read and write

3F36000

heap

page read and write

3DF9000

heap

page read and write

653000

trusted library allocation

page execute and read and write

3000000

heap

page read and write

1404000

heap

page read and write

5D0E000

stack

page read and write

A10000

trusted library allocation

page read and write

27E0000

heap

page read and write

4420000

direct allocation

page read and write

AAE000

heap

page read and write

29E5000

trusted library allocation

page read and write

6FE000

stack

page read and write

27C1000

trusted library allocation

page read and write

840000

heap

page read and write

3DF9000

heap

page read and write

9C0000

heap

page read and write

674000

trusted library allocation

page read and write

A60000

trusted library allocation

page read and write

3D4B000

heap

page read and write

60EF000

stack

page read and write

3D0C000

heap

page read and write

313C000

stack

page read and write

60E000

stack

page read and write

4BC000

unkown

page readonly

3DF8000

heap

page read and write

95C000

stack

page read and write

3EEF000

heap

page read and write

588E000

stack

page read and write

820000

heap

page read and write

728000

heap

page read and write

4AB000

unkown

page readonly

B61000

heap

page read and write

503E000

stack

page read and write

162E000

stack

page read and write

2826000

trusted library allocation

page read and write

45C0000

direct allocation

page read and write

3819000

trusted library allocation

page read and write

E30000

trusted library allocation

page read and write

475E000

direct allocation

page read and write

3DF9000

heap

page read and write

4543000

direct allocation

page read and write

27C6000

trusted library allocation

page read and write

46ED000

direct allocation

page read and write

3E8F000

heap

page read and write

91E000

stack

page read and write

720000

heap

page read and write

3C50000

heap

page read and write

3DF9000

heap

page read and write

231F000

stack

page read and write

46E9000

direct allocation

page read and write

12AE000

stack

page read and write

AE6000

heap

page read and write

45C0000

direct allocation

page read and write

FE2000

unkown

page readonly

1A54000

trusted library allocation

page read and write

1A43000

trusted library allocation

page execute and read and write

287B000

trusted library allocation

page read and write

3DF9000

heap

page read and write

5990000

heap

page read and write

A85000

heap

page read and write

3BE2000

heap

page read and write

A3A000

trusted library allocation

page execute and read and write

140B000

heap

page read and write

30FE000

stack

page read and write

1F0000

heap

page read and write

A00000

heap

page read and write

46E9000

direct allocation

page read and write

1F0000

heap

page read and write

A4B000

trusted library allocation

page execute and read and write

127C000

stack

page read and write

3E61000

heap

page read and write

5770000

trusted library allocation

page read and write

6030000

trusted library allocation

page execute and read and write

599C000

heap

page read and write

700000

trusted library allocation

page execute and read and write

612C000

stack

page read and write

27B2000

trusted library allocation

page read and write

3F20000

heap

page read and write

8CF000

stack

page read and write

4FFE000

stack

page read and write

3200000

heap

page read and write

3F24000

heap

page execute and read and write

3EEF000

heap

page read and write

4420000

direct allocation

page read and write

6050000

trusted library allocation

page execute and read and write

7E0000

system

page execute and read and write

2340000

trusted library allocation

page read and write

62EC000

stack

page read and write

64B0000

trusted library allocation

page read and write

3DF9000

heap

page read and write

FEA000

unkown

page readonly

1A60000

heap

page read and write

A2D000

trusted library allocation

page execute and read and write

6040000

trusted library allocation

page read and write

2A15000

trusted library allocation

page read and write

3E8F000

heap

page read and write

ABE000

heap

page read and write

3DB2000

heap

page read and write

46ED000

direct allocation

page read and write

DCE000

stack

page read and write

4AB000

unkown

page readonly

E10000

trusted library allocation

page read and write

3E50000

heap

page read and write

9A000

stack

page read and write

602D000

stack

page read and write

5FE7000

trusted library allocation

page read and write

3F36000

heap

page read and write

27AE000

trusted library allocation

page read and write

69B000

trusted library allocation

page execute and read and write

3DF9000

heap

page read and write

5FE0000

trusted library allocation

page read and write

793000

heap

page read and write

1515000

heap

page read and write

3004000

heap

page read and write

A90000

heap

page read and write

3F0C000

heap

page read and write

6140000

trusted library allocation

page read and write

697000

trusted library allocation

page execute and read and write

400000

unkown

page readonly

3D9A000

heap

page read and write

2866000

trusted library allocation

page read and write

3BC3000

heap

page read and write

A90000

heap

page read and write

46ED000

direct allocation

page read and write

6500000

heap

page read and write

1417000

heap

page read and write

4543000

direct allocation

page read and write

2A21000

trusted library allocation

page read and write

5780000

trusted library allocation

page read and write

3150000

heap

page read and write

2790000

heap

page execute and read and write

45C0000

direct allocation

page read and write

3F25000

heap

page read and write

46E9000

direct allocation

page read and write

A70000

heap

page read and write

4C60000

heap

page execute and read and write

3EEE000

heap

page read and write

5FD0000

trusted library allocation

page read and write

137A000

stack

page read and write

A13000

trusted library allocation

page execute and read and write

4AE000

unkown

page readonly

4BFE000

stack

page read and write

2E5F000

heap

page read and write

A47000

trusted library allocation

page execute and read and write

2A09000

trusted library allocation

page read and write

482000

unkown

page readonly

498E000

stack

page read and write

4420000

direct allocation

page read and write

4CFF000

stack

page read and write

4BE000

unkown

page readonly

475E000

direct allocation

page read and write

5C0D000

stack

page read and write

1A4D000

trusted library allocation

page execute and read and write

660000

heap

page read and write

3EEF000

heap

page read and write

3B4F000

stack

page read and write

3DE3000

heap

page read and write

1EE000

stack

page read and write

27F1000

trusted library allocation

page read and write

3F20000

heap

page read and write

3DF9000

heap

page read and write

110000

heap

page read and write

E20000

trusted library allocation

page read and write

13E8000

heap

page read and write

2A19000

trusted library allocation

page read and write

7F090000

trusted library allocation

page execute and read and write

769000

stack

page read and write

1A44000

trusted library allocation

page read and write

4ABE000

stack

page read and write

374E000

stack

page read and write

401000

unkown

page execute read

6147000

trusted library allocation

page read and write

59DE000

stack

page read and write

95E000

stack

page read and write

670000

trusted library allocation

page read and write

3858000

trusted library allocation

page read and write

46E9000

direct allocation

page read and write

4BC000

unkown

page readonly

757000

heap

page read and write

6130000

trusted library allocation

page execute and read and write

26F8000

trusted library allocation

page read and write

588E000

stack

page read and write

970000

heap

page read and write

27BE000

trusted library allocation

page read and write

3EEF000

heap

page read and write

599E000

stack

page read and write

5EBE000

stack

page read and write

A36000

trusted library allocation

page execute and read and write

88C000

stack

page read and write

5820000

trusted library allocation

page execute and read and write

9DE000

stack

page read and write

5D4E000

stack

page read and write

286A000

trusted library allocation

page read and write

A6F000

stack

page read and write

3411000

trusted library allocation

page read and write

3DF9000

heap

page read and write

2A00000

trusted library allocation

page read and write

2872000

trusted library allocation

page read and write

4314000

heap

page read and write

A1D000

trusted library allocation

page execute and read and write

3CFF000

heap

page read and write

14F0000

heap

page read and write

A80000

trusted library allocation

page execute and read and write

145A000

heap

page read and write

3EEF000

heap

page read and write

3DF9000

heap

page read and write

3E51000

heap

page read and write

3E51000

heap

page read and write

4420000

direct allocation

page read and write

283D000

trusted library allocation

page read and write

3140000

trusted library allocation

page execute and read and write

2400000

heap

page read and write

8CE000

stack

page read and write

1670000

heap

page read and write

1510000

heap

page read and write

187F000

stack

page read and write

46E9000

direct allocation

page read and write

4C70000

heap

page read and write

4BBE000

stack

page read and write

64BB000

trusted library allocation

page read and write

4543000

direct allocation

page read and write

5E4E000

stack

page read and write

29B6000

trusted library allocation

page read and write

3090000

trusted library allocation

page read and write

401000

unkown

page execute read

507E000

unkown

page read and write

2370000

heap

page execute and read and write

FE0000

unkown

page readonly

1A5D000

trusted library allocation

page execute and read and write

710000

trusted library allocation

page read and write

309B000

trusted library allocation

page execute and read and write

29C3000

trusted library allocation

page read and write

5FBE000

stack

page read and write

3F1D000

heap

page read and write

64F0000

trusted library allocation

page execute and read and write

830000

heap

page read and write

3EEF000

heap

page read and write

There are 381 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
QUOTATIONS#08673.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportQUOTATIONS#08673.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
QUOTATIONS#08673.exe