Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

QUG24-2003700542005180.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.648063753687643
Filename:	QUG24-2003700542005180.exe
Filesize:	1637307
MD5:	4d151d1ebd28b68f34fd4257facaaf17
SHA1:	a39819abe4b3fd045cebb212b1822cffea1f0ecc
SHA256:	5757fdf90d7cae2b8d0419e68dccb704a042546c1ab9af84e8e08fae6717b11c
SHA512:	f55d0a98030e96ff12c7ca045500078051bcb22e4a26f20af2ba838e62a37ee0ad97d3eaf26fcd70a99ae4f07dee079d15bfeb2fb8bdeb3ca21fe1a85ee78157
SSDEEP:	24576:ffmMv6Ckr7Mny5QL3XjgNuQFzTKWHT5eqSxfsN/vSc2tFK6LcmTBCdaW5:f3v+7/5QL3Xj2uQFzTPhM+iTzLbwda+
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection	Disable or Modify Tools
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Contains functionality to detect sleep reduction / modifications	Malware Analysis System Evasion	File and Directory Discovery
Machine Learning detection for sample	AV Detection
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection Disable or Modify Tools
Switches to a custom stack to bypass stack traces	Malware Analysis System Evasion	Security Software Discovery
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to block mouse and keyboard input (often used to hinder debugging)	Anti Debugging	Disable or Modify Tools
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Masquerading Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to execute programs as a different user	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Contains functionality to launch a process as a different user	System Summary	Valid Accounts Native API Access Token Manipulation
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	Disable or Modify Tools
Contains functionality to read the PEB	Anti Debugging
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system	System Summary	System Shutdown/Reboot
Contains functionality to simulate keystroke presses	HIPS / PFW / Operating System Protection Evasion
Contains functionality to simulate mouse events	HIPS / PFW / Operating System Protection Evasion	Masquerading
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information	Disable or Modify Tools System Shutdown/Reboot
PE file contains an invalid checksum	Data Obfuscation
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Disable or Modify Tools Input Capture
Sample file is different than original file name gathered from version info	System Summary	System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Disable or Modify Tools Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
.NET source code contains calls to encryption/decryption functions	System Summary
.NET source code contains functionality to register a task	System Summary	Scheduled Task/Job
Contains functionality for error logging	System Summary	Disable or Modify Tools
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Discovery
Might use command line arguments	System Summary	Command and Scripting Interpreter Masquerading
PE file has an executable .text section and no other executable section	System Summary
Reads ini files	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary	Disable or Modify Tools
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading Disable or Modify Tools
Uses an in-process (OLE) Automation server	System Summary
Submission file is bigger than most known malware samples	System Summary	Disable or Modify Tools

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
Category:	dropped
Dump:	RegSvcs.exe.log.8.dr
ID:	dr_1
Target ID:	8
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.354120267532675
Encrypted:	false
Ssdeep:	24:ML9E4KlKDE4KhKiKhRAE4Kze41qE4qpsXE4qdKqE4Ks:MxHKlYHKh3oRAHKze41qHpH8HKs
Size:	1022
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Temp\isochronally

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\isochronally
Category:	dropped
Dump:	isochronally.6.dr
ID:	dr_0
Target ID:	6
Process:	C:\Users\user\Desktop\QUG24-2003700542005180.exe
Type:	data
Entropy:	7.96371597606799
Encrypted:	false
Ssdeep:	12288:0ZfuKXExHNYyx2NV0iIomklkMVSnCnTmVFZZ:0Zp6HNYyeV0iIFS7VOSWZZ
Size:	436224
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\QUG24-2003700542005180.exe

"C:\Users\user\Desktop\QUG24-2003700542005180.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5644
Target ID:	6
Parent PID:	2592
Name:	QUG24-2003700542005180.exe
Path:	C:\Users\user\Desktop\QUG24-2003700542005180.exe
Commandline:	"C:\Users\user\Desktop\QUG24-2003700542005180.exe"
Size:	1637307
MD5:	4D151D1EBD28B68F34FD4257FACAAF17
Time:	12:03:01
Date:	07/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	741376
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
OS version to string mapping found (often used in BOTs)	Stealing of Sensitive Information
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\user\Desktop\QUG24-2003700542005180.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7324
Target ID:	8
Parent PID:	5644
Name:	RegSvcs.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:	"C:\Users\user\Desktop\QUG24-2003700542005180.exe"
Size:	45984
MD5:	9D352BC46709F0CB5EC974633A0C3C94
Time:	12:03:04
Date:	07/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xba0000
Modulesize:	57344
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Maps a DLL or memory area into another process	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Yara detected Costura Assembly Loader	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Creates files inside the user directory	System Summary	Masquerading
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

https://github.com/mgravell/protobuf-net

unknown

Details

Name:	https://github.com/mgravell/protobuf-net
TargetID:	8
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000008.00000002.1330258094.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1329465242.0000000003F11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1329465242.0000000003FDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1328006964.0000000002F11000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://github.com/mgravell/protobuf-neti

unknown

Details

Name:	https://github.com/mgravell/protobuf-neti
TargetID:	8
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000008.00000002.1330258094.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1329465242.0000000003F11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1329465242.0000000003FDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1328006964.0000000002F11000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://stackoverflow.com/q/14436606/23354

unknown

https://github.com/mgravell/protobuf-netJ

unknown

Details

Name:	https://github.com/mgravell/protobuf-netJ
TargetID:	8
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000008.00000002.1330258094.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1329465242.0000000003F11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1329465242.0000000003FDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1328006964.0000000002F11000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://stackoverflow.com/q/11564914/23354;

unknown

Details

Name:	https://stackoverflow.com/q/11564914/23354;
TargetID:	8
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000008.00000002.1330258094.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1329465242.0000000003F11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1329465242.0000000003FDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1328006964.0000000002F11000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://stackoverflow.com/q/2152978/23354

unknown

Details

Name:	https://stackoverflow.com/q/2152978/23354
TargetID:	8
From Memory:	true
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source:	RegSvcs.exe, 00000008.00000002.1330258094.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1329465242.0000000003F11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1329465242.0000000003FDD000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

3F11000

trusted library allocation

page read and write

5480000

trusted library section

page read and write

2F11000

trusted library allocation

page read and write

2DD5000

trusted library allocation

page read and write

41AC000

heap

page read and write

41B1000

heap

page read and write

414A000

heap

page read and write

3122000

trusted library allocation

page read and write

54C0000

trusted library allocation

page read and write

14A7000

trusted library allocation

page read and write

129D000

trusted library allocation

page execute and read and write

4739000

direct allocation

page read and write

93E000

stack

page read and write

F37000

stack

page read and write

2D80000

heap

page execute and read and write

14B0000

trusted library allocation

page read and write

14B2000

trusted library allocation

page read and write

2D50000

trusted library allocation

page read and write

54DC000

trusted library allocation

page read and write

40DE000

heap

page read and write

5AD2000

heap

page read and write

41AC000

heap

page read and write

3B42000

heap

page read and write

10CE000

stack

page read and write

12A8000

heap

page read and write

14BA000

trusted library allocation

page execute and read and write

3150000

trusted library allocation

page read and write

2FA0000

heap

page read and write

4AB000

unkown

page readonly

41AC000

heap

page read and write

5630000

trusted library section

page read and write

2DD0000

trusted library allocation

page read and write

3171000

trusted library allocation

page read and write

47A9000

direct allocation

page read and write

473D000

direct allocation

page read and write

5AD0000

heap

page read and write

56D0000

trusted library section

page read and write

2DE0000

trusted library allocation

page read and write

4AB000

unkown

page readonly

41B1000

heap

page read and write

414A000

heap

page read and write

4A7000

unkown

page read and write

40EE000

heap

page read and write

14F0000

trusted library allocation

page execute and read and write

5A40000

trusted library allocation

page execute and read and write

2E00000

heap

page read and write

FA0000

heap

page read and write

4070000

heap

page read and write

5AD4000

heap

page read and write

490000

unkown

page read and write

3124000

trusted library allocation

page read and write

400000

unkown

page readonly

3154000

trusted library allocation

page read and write

3160000

trusted library allocation

page read and write

401000

unkown

page execute read

12A0000

heap

page read and write

7F420000

trusted library allocation

page execute and read and write

40DE000

heap

page read and write

414A000

heap

page read and write

5770000

trusted library allocation

page read and write

41AC000

heap

page read and write

2F0F000

stack

page read and write

414A000

heap

page read and write

4F18000

trusted library allocation

page read and write

120000

heap

page read and write

2FA4000

heap

page read and write

41AC000

heap

page read and write

57DE000

stack

page read and write

5795000

trusted library allocation

page read and write

481E000

direct allocation

page read and write

A70000

heap

page read and write

4603000

direct allocation

page read and write

400A000

heap

page read and write

12BE000

heap

page read and write

482000

unkown

page readonly

41AC000

heap

page read and write

1500000

heap

page read and write

400F000

heap

page read and write

4475000

heap

page read and write

1385000

heap

page read and write

414A000

heap

page read and write

41AC000

heap

page read and write

8B4000

stack

page read and write

3D00000

direct allocation

page read and write

5A70000

heap

page read and write

41AC000

heap

page read and write

44E0000

direct allocation

page read and write

41AC000

heap

page read and write

5D70000

heap

page read and write

414A000

heap

page read and write

50AE000

stack

page read and write

316D000

trusted library allocation

page read and write

3173000

trusted library allocation

page read and write

4470000

direct allocation

page read and write

316F000

trusted library allocation

page read and write

4013000

heap

page read and write

4593000

direct allocation

page read and write

166F000

stack

page read and write

A0E000

stack

page read and write

4026000

trusted library allocation

page read and write

4610000

direct allocation

page read and write

47AE000

direct allocation

page read and write

149F000

stack

page read and write

3163000

trusted library allocation

page read and write

2CEE000

stack

page read and write

404C000

heap

page read and write

317B000

trusted library allocation

page read and write

1280000

trusted library allocation

page read and write

44E0000

direct allocation

page read and write

414A000

heap

page read and write

3156000

trusted library allocation

page read and write

2D2C000

stack

page read and write

4002000

heap

page read and write

9A000

stack

page read and write

4739000

direct allocation

page read and write

54B0000

trusted library allocation

page execute and read and write

10D0000

heap

page read and write

473D000

direct allocation

page read and write

A7E000

heap

page read and write

490000

unkown

page write copy

599F000

stack

page read and write

400D000

heap

page read and write

47AD000

direct allocation

page read and write

41AC000

heap

page read and write

41AC000

heap

page read and write

41AC000

heap

page read and write

40DE000

heap

page read and write

315E000

trusted library allocation

page read and write

126F000

stack

page read and write

3184000

trusted library allocation

page read and write

5C6E000

stack

page read and write

4470000

direct allocation

page read and write

4610000

direct allocation

page read and write

2DB0000

trusted library allocation

page read and write

3B4B000

heap

page read and write

414A000

heap

page read and write

400000

system

page execute and read and write

41B0000

heap

page execute and read and write

AA9000

heap

page read and write

A7A000

heap

page read and write

3146000

trusted library allocation

page read and write

3158000

trusted library allocation

page read and write

12D9000

heap

page read and write

5740000

trusted library allocation

page read and write

40DE000

heap

page read and write

41B1000

heap

page read and write

552E000

stack

page read and write

4680000

direct allocation

page read and write

110000

heap

page read and write

3BDB000

heap

page read and write

414A000

heap

page read and write

14C0000

trusted library allocation

page read and write

3177000

trusted library allocation

page read and write

14E0000

trusted library allocation

page read and write

373E000

stack

page read and write

5A1E000

stack

page read and write

414A000

heap

page read and write

111E000

stack

page read and write

12DC000

heap

page read and write

47A9000

direct allocation

page read and write

89F000

stack

page read and write

E3B000

stack

page read and write

8AF000

stack

page read and write

4680000

direct allocation

page read and write

3FFA000

heap

page read and write

408A000

heap

page read and write

47A9000

direct allocation

page read and write

4680000

direct allocation

page read and write

313F000

trusted library allocation

page read and write

2E15000

heap

page read and write

54E8000

trusted library allocation

page read and write

3FDD000

trusted library allocation

page read and write

41F6000

heap

page read and write

9BE000

stack

page read and write

4603000

direct allocation

page read and write

4593000

direct allocation

page read and write

3186000

trusted library allocation

page read and write

1364000

heap

page read and write

59DE000

stack

page read and write

414A000

heap

page read and write

31A5000

trusted library allocation

page read and write

41AC000

heap

page read and write

1294000

trusted library allocation

page read and write

53F0000

trusted library allocation

page read and write

3D70000

heap

page read and write

1370000

heap

page read and write

3E70000

heap

page read and write

481E000

direct allocation

page read and write

41B1000

heap

page read and write

4470000

direct allocation

page read and write

4094000

heap

page read and write

2D30000

trusted library allocation

page read and write

A60000

heap

page read and write

414A000

heap

page read and write

40DE000

heap

page read and write

402000

system

page execute and read and write

41AC000

heap

page read and write

2DC0000

trusted library allocation

page execute and read and write

482000

unkown

page readonly

950000

heap

page read and write

41B5000

heap

page read and write

3188000

trusted library allocation

page read and write

2FF5000

heap

page read and write

14CB000

trusted library allocation

page execute and read and write

57E0000

trusted library allocation

page read and write

40DE000

heap

page read and write

1165000

heap

page read and write

3139000

trusted library allocation

page read and write

562F000

stack

page read and write

1293000

trusted library allocation

page execute and read and write

1361000

heap

page read and write

1160000

heap

page read and write

473D000

direct allocation

page read and write

4739000

direct allocation

page read and write

481E000

direct allocation

page read and write

313D000

trusted library allocation

page read and write

414A000

heap

page read and write

313B000

trusted library allocation

page read and write

5EE0000

heap

page read and write

414A000

heap

page read and write

4011000

heap

page read and write

5400000

trusted library allocation

page execute and read and write

54D0000

trusted library allocation

page read and write

44E0000

direct allocation

page read and write

5750000

trusted library allocation

page execute and read and write

14A0000

trusted library allocation

page read and write

3126000

trusted library allocation

page read and write

47AD000

direct allocation

page read and write

54DE000

trusted library allocation

page read and write

315A000

trusted library allocation

page read and write

4603000

direct allocation

page read and write

400000

unkown

page readonly

1315000

heap

page read and write

41B1000

heap

page read and write

401B000

heap

page read and write

1290000

trusted library allocation

page read and write

40DE000

heap

page read and write

4593000

direct allocation

page read and write

3B3F000

stack

page read and write

40DE000

heap

page read and write

47AE000

direct allocation

page read and write

312A000

trusted library allocation

page read and write

126F000

stack

page read and write

41B1000

heap

page read and write

41B1000

heap

page read and write

14B6000

trusted library allocation

page execute and read and write

40DE000

heap

page read and write

3141000

trusted library allocation

page read and write

41AC000

heap

page read and write

318A000

trusted library allocation

page read and write

414A000

heap

page read and write

8FE000

stack

page read and write

A50000

heap

page read and write

5774000

trusted library allocation

page read and write

14C2000

trusted library allocation

page read and write

41B1000

heap

page read and write

3B42000

heap

page read and write

41AC000

heap

page read and write

315C000

trusted library allocation

page read and write

3175000

trusted library allocation

page read and write

14C7000

trusted library allocation

page execute and read and write

47AD000

direct allocation

page read and write

3128000

trusted library allocation

page read and write

3FFF000

heap

page read and write

3FF8000

heap

page read and write

5D6E000

stack

page read and write

401000

unkown

page execute read

4610000

direct allocation

page read and write

41AC000

heap

page read and write

54E0000

trusted library allocation

page read and write

100000

heap

page read and write

47AE000

direct allocation

page read and write

2FF0000

heap

page read and write

3143000

trusted library allocation

page read and write

40DE000

heap

page read and write

2D70000

heap

page execute and read and write

1130000

heap

page read and write

1080000

heap

page read and write

There are 268 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
QUG24-2003700542005180.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportQUG24-2003700542005180.exe

Files

Processes

URLs

Memdumps

IOC Report
QUG24-2003700542005180.exe