File name: New Quotation.exe

Full analysis: https://app.any.run/tasks/ed444a3d-e6c2-4a48-b40e-e506fde5f491
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: August 01, 2025, 05:58:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: stealer, auto-sch-xml, ims-api, generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: F5005B42237D968C5770C165F6798C28
SHA1: 778BD89EFD7B5F1312B1F6FE29817EA21BE40F78
SHA256: 58EA06E2F9F4C8108E1803CA0869805EAE62C5F9F0651E6B53E66A0AAFB3C349
SSDEEP: 24576:xqu05hwihrgarvrJFx7/8itL+mpcycwYuR2A:xqu05hwihrgarvrJFx7/8itLZpcycruz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Uses Task Scheduler to run other applications
      • New Quotation.exe (PID: 1668)
    • Actions look like stealing of personal data
      • New Quotation.exe (PID: 1352)
    • Steals credentials from web browsers
      • New Quotation.exe (PID: 1352)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • New Quotation.exe (PID: 1668)
    • Reads security settings of Internet Explorer
      • New Quotation.exe (PID: 1668)
    • Application launched itself
      • New Quotation.exe (PID: 1668)
    • Connects to SMTP port
      • New Quotation.exe (PID: 1352)
    • The process checks whether antivirus software is installed
      • New Quotation.exe (PID: 1352)
    • Possible usage of Discord/Telegram API has been detected (YARA)
      • New Quotation.exe (PID: 1352)
  • INFO
    • Checks supported languages
      • New Quotation.exe (PID: 1668)
      • New Quotation.exe (PID: 1352)
    • Reads the machine GUID from the registry
      • New Quotation.exe (PID: 1668)
      • New Quotation.exe (PID: 1352)
    • Reads the computer name
      • New Quotation.exe (PID: 1668)
      • New Quotation.exe (PID: 1352)
    • Creates files or folders in the user directory
      • New Quotation.exe (PID: 1668)
    • Creates files in a temporary directory
      • New Quotation.exe (PID: 1668)
    • Process checks computer location settings
      • New Quotation.exe (PID: 1668)
    • Disables trace logs
      • New Quotation.exe (PID: 1352)
    • Checks proxy server information
      • New Quotation.exe (PID: 1352)
    • Reads the software policy settings
      • New Quotation.exe (PID: 1352)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (49.4)
.scr | Windows screen saver (23.4)
.dll | Win32 Dynamic Link Library (generic) (11.7)
.exe | Win32 Executable (generic) (8)
.exe | Generic Win/DOS Executable (3.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2061:07:12 21:40:35+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 514560
InitializedDataSize: 23552
UninitializedDataSize: -
EntryPoint: 0x7f8ae
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: 快速反應訓練遊戲 (Chinese: "quick reaction training game")
CompanyName: 晶彩遊戲工作室
FileDescription: 三鍵反應遊戲 (Chinese: "three-key reaction game")
FileVersion: 0.0.0.0
InternalName: pHN.exe
LegalCopyright:
OriginalFileName: pHN.exe
ProductName: 三鍵反應遊戲 (Chinese: "three-key reaction game")
ProductVersion: 0.0.0.0
AssemblyVersion: 0.0.0.0
Total processes: 141
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0


Process information

PID: 1352
CMD: "C:\Users\admin\AppData\Local\Temp\New Quotation.exe"
Path: C:\Users\admin\AppData\Local\Temp\New Quotation.exe
Parent process: New Quotation.exe
User: admin
Company: 晶彩遊戲工作室
Integrity Level: MEDIUM
Description: 三鍵反應遊戲
Version: 0.0.0.0
Modules (images):
  c:\users\admin\appdata\local\temp\new quotation.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\mscoree.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll

PID: 1668
CMD: "C:\Users\admin\AppData\Local\Temp\New Quotation.exe"
Path: C:\Users\admin\AppData\Local\Temp\New Quotation.exe
Parent process: explorer.exe
User: admin
Company: 晶彩遊戲工作室
Integrity Level: MEDIUM
Description: 三鍵反應遊戲
Exit code: 0
Version: 0.0.0.0
Modules (images):
  c:\users\admin\appdata\local\temp\new quotation.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\mscoree.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll

PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\svchost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\kernel.appcore.dll

PID: 2680
CMD: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nhINUCPKv" /XML "C:\Users\admin\AppData\Local\Temp\tmp5896.tmp"
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: New Quotation.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\schtasks.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvcrt.dll

PID: 4456
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll

PID: 5188
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\conhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll
Total events: 2 160
Read events: 2 146
Write events: 14
Delete events: 0

Modification events

Process: New Quotation.exe (PID 1352)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\New Quotation_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

Process: New Quotation.exe (PID 1352)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\New Quotation_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

Process: New Quotation.exe (PID 1352)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\New Quotation_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

Process: New Quotation.exe (PID 1352)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\New Quotation_RASAPI32
Operation: write
Name: FileTracingMask
Value:

Process: New Quotation.exe (PID 1352)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\New Quotation_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

Process: New Quotation.exe (PID 1352)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\New Quotation_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

Process: New Quotation.exe (PID 1352)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\New Quotation_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

Process: New Quotation.exe (PID 1352)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\New Quotation_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

Process: New Quotation.exe (PID 1352)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\New Quotation_RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value: 0

Process: New Quotation.exe (PID 1352)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\New Quotation_RASMANCS
Operation: write
Name: EnableConsoleTracing
Value: 0
Executable files: 1
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID: 1668
Process: New Quotation.exe
Filename: C:\Users\admin\AppData\Local\Temp\tmp5896.tmp
Type: xml
MD5: 4E00ABF7388E42DBADC096A72759DD13
SHA256: 66C5AB5F15CA4132C494A27B3003970110BAA4E00BD15B272FC0C56C82875E5F

PID: 1668
Process: New Quotation.exe
Filename: C:\Users\admin\AppData\Roaming\nhINUCPKv.exe
Type: executable
MD5: F5005B42237D968C5770C165F6798C28
SHA256: 58EA06E2F9F4C8108E1803CA0869805EAE62C5F9F0651E6B53E66A0AAFB3C349
HTTP(S) requests: 8
TCP/UDP connections: 24
DNS requests: 20
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
2064 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5368 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
5368 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
1352 | New Quotation.exe | GET | 200 | 193.122.6.168:80 | http://checkip.dyndns.org/ | unknown | whitelisted
1352 | New Quotation.exe | GET | 200 | 193.122.6.168:80 | http://checkip.dyndns.org/ | unknown | whitelisted
1352 | New Quotation.exe | GET | 200 | 193.122.6.168:80 | http://checkip.dyndns.org/ | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
504 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
2064 | svchost.exe | 20.190.160.67:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2064 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.124.78.146, 51.104.136.2 | whitelisted
google.com | 142.250.186.110 | whitelisted
login.live.com | 20.190.160.67, 20.190.160.64, 20.190.160.5, 40.126.32.138, 20.190.160.132, 20.190.160.17, 40.126.32.76, 20.190.160.22 | whitelisted
ocsp.digicert.com | 184.30.131.245 | whitelisted
crl.microsoft.com | 23.216.77.28, 23.216.77.6, 23.216.77.42 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
slscr.update.microsoft.com | 20.109.210.53 | whitelisted
fe3cr.delivery.mp.microsoft.com | 52.165.164.15 | whitelisted
checkip.dyndns.org | 193.122.6.168, 193.122.130.0, 158.101.44.242, 132.226.247.73, 132.226.8.169 | whitelisted
reallyfreegeoip.org | 104.21.96.1, 104.21.48.1, 104.21.64.1, 104.21.16.1, 104.21.32.1, 104.21.112.1, 104.21.80.1 | malicious

Threats: No threats detected
Debug info: No debug info