Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

1692db4e522605d93551ddcabeffa92a2cd43e764a134833644808319784b955_dump.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.082669296180613
Filename:	1692db4e522605d93551ddcabeffa92a2cd43e764a134833644808319784b955_dump.exe
Filesize:	311296
MD5:	1fb1c8da0fabb641a76ac6759dd557dd
SHA1:	eac9ef0a2bb9058efcc01242184f7a10136a5036
SHA256:	2f05df98b8de8af85942d15c1c7d434ee62be3e3662c551a0e14d29c9531c1cc
SHA512:	44623c837f1537783e44703637407b3330db2201800f0ab5d2552f3b67368b320734e1fa12143c1ed9df75518c641817039bec7ec74c2c18d4efe22dd83739cd
SSDEEP:	3072:1q6EgY6iHrUj1DeewPMAVTmz+qGwRTAAtpSKGscZqf7D341eqiOLibBOp:8qY6iwwPv9priTA8pIscZqf7DIfL
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...q.!...............0.................. ... ....@.. ....................... ............@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Crypto Currency Wallets	Stealing of Sensitive Information
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops certificate files (DER)	E-Banking Fraud
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary	System Information Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\Public\Desktop\Google Chrome.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 13:16:53 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide

dropped

Details

File:	C:\Users\Public\Desktop\Google Chrome.lnk
Category:	dropped
Dump:	Google Chrome.lnk.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\1692db4e522605d93551ddcabeffa92a2cd43e764a134833644808319784b955_dump.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 13:16:53 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Entropy:	3.4510501830169997
Encrypted:	false
Ssdeep:	48:8SCLl2dfTXdARYrnvPdAKRkdAGdAKRFdAKRE:8SmlO7
Size:	2104
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1692db4e522605d93551ddcabeffa92a2cd43e764a134833644808319784b955_dump.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1692db4e522605d93551ddcabeffa92a2cd43e764a134833644808319784b955_dump.exe.log
Category:	dropped
Dump:	1692db4e522605d93551ddcabeffa92a2cd43e764a134833644808319784b955_dump.exe.log.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\1692db4e522605d93551ddcabeffa92a2cd43e764a134833644808319784b955_dump.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.3318368586986695
Encrypted:	false
Ssdeep:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
Size:	3274
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Temp\Tmp63A5.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Tmp63A5.tmp
Category:	dropped
Dump:	Tmp63A5.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\1692db4e522605d93551ddcabeffa92a2cd43e764a134833644808319784b955_dump.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\Tmp63B6.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Tmp63B6.tmp
Category:	dropped
Dump:	Tmp63B6.tmp.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\1692db4e522605d93551ddcabeffa92a2cd43e764a134833644808319784b955_dump.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
Category:	dropped
Dump:	76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\1692db4e522605d93551ddcabeffa92a2cd43e764a134833644808319784b955_dump.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	2251
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\1692db4e522605d93551ddcabeffa92a2cd43e764a134833644808319784b955_dump.exe

"C:\Users\user\Desktop\1692db4e522605d93551ddcabeffa92a2cd43e764a134833644808319784b955_dump.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6368
Target ID:	0
Parent PID:	1028
Name:	1692db4e522605d93551ddcabeffa92a2cd43e764a134833644808319784b955_dump.exe
Path:	C:\Users\user\Desktop\1692db4e522605d93551ddcabeffa92a2cd43e764a134833644808319784b955_dump.exe
Commandline:	"C:\Users\user\Desktop\1692db4e522605d93551ddcabeffa92a2cd43e764a134833644808319784b955_dump.exe"
Size:	311296
MD5:	1FB1C8DA0FABB641A76AC6759DD557DD
Time:	19:25:51
Date:	22/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x6b0000
Modulesize:	335872
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/sct

unknown

https://duckduckgo.com/chrome_newtab

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk

unknown

https://duckduckgo.com/ac/?q=

unknown

http://tempuri.org/Entity/Id14ResponseD

unknown

http://tempuri.org/Entity/Id23ResponseD

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

unknown

http://tempuri.org/Entity/Id12Response

unknown

http://tempuri.org/

unknown

http://tempuri.org/Entity/Id2Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1

unknown

http://tempuri.org/Entity/Id21Response

unknown

http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap

unknown

http://tempuri.org/Entity/Id9

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID

unknown

http://tempuri.org/Entity/Id8

unknown

http://tempuri.org/Entity/Id6ResponseD

unknown

http://tempuri.org/Entity/Id5

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare

unknown

http://tempuri.org/Entity/Id4

unknown

http://tempuri.org/Entity/Id7

unknown

http://tempuri.org/Entity/Id6

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret

unknown

http://tempuri.org/Entity/Id19Response

unknown

http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

http://tempuri.org/Entity/Id13ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/fault

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey

unknown

http://tempuri.org/Entity/Id15Response

unknown

http://tempuri.org/Entity/Id5ResponseD

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register

unknown

http://tempuri.org/Entity/Id6Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey

unknown

https://api.ip.sb/ip

unknown

http://schemas.xmlsoap.org/ws/2004/04/sc

unknown

http://tempuri.org/Entity/Id1ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel

unknown

http://tempuri.org/Entity/Id9Response

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://tempuri.org/Entity/Id20

unknown

http://tempuri.org/Entity/Id21

unknown

http://tempuri.org/Entity/Id22

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1

unknown

http://tempuri.org/Entity/Id23

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1

unknown

http://tempuri.org/Entity/Id24

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue

unknown

http://tempuri.org/Entity/Id24Response

unknown

https://www.ecosia.org/newtab/

unknown

http://tempuri.org/Entity/Id1Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey

unknown

http://tempuri.org/Entity/Id21ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust

unknown

http://tempuri.org/Entity/Id10

unknown

http://tempuri.org/Entity/Id11

unknown

http://tempuri.org/Entity/Id10ResponseD

unknown

http://tempuri.org/Entity/Id12

unknown

http://tempuri.org/Entity/Id16Response

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel

unknown

http://tempuri.org/Entity/Id13

unknown

http://tempuri.org/Entity/Id14

unknown

http://tempuri.org/Entity/Id15

unknown

http://tempuri.org/Entity/Id16

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce

unknown

http://tempuri.org/Entity/Id17

unknown

http://tempuri.org/Entity/Id18

unknown

http://tempuri.org/Entity/Id5Response

unknown

http://tempuri.org/Entity/Id19

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns

unknown

http://tempuri.org/Entity/Id15ResponseD

unknown

http://tempuri.org/Entity/Id10Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Renew

unknown

http://tempuri.org/Entity/Id11ResponseD

unknown

http://tempuri.org/Entity/Id8Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT

unknown

http://schemas.xmlsoap.org/ws/2006/02/addressingidentity

unknown

http://tempuri.org/Entity/Id17ResponseD

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://tempuri.org/Entity/Id8ResponseD

unknown

There are 90 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

5.42.65.115

unknown

Russian Federation

Details

IP:	5.42.65.115
TargetID:	0
Current Path:	C:\Users\user\Desktop\1692db4e522605d93551ddcabeffa92a2cd43e764a134833644808319784b955_dump.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	39493
ASN name:	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064

Blob

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064
Value name:	Blob
Value data:	0B 00 00 00 01 00 00 00 48 00 00 00 54 00 69 00 74 00 61 00 6E 00 69 00 75 00 6D 00 20 00 52 00 6F 00 6F 00 74 00 20 00 43 00 65 00 72 00 74 00 69 00 66 00 69 00 63 00 61 00 74 00 65 00 20 00 41 00 75 00 74 00 68 00 6F 00 72 00 69 00 74 00 79 00 00 00 02 00 00 00 01 00 00 00 CC 00 00 00 1C 00 00 00 6C 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 7B 00 34 00 31 00 37 00 34 00 34 00 42 00 45 00 34 00 2D 00 31 00 31 00 43 00 35 00 2D 00 34 00 39 00 34 00 43 00 2D 00 41 00 32 00 31 00 33 00 2D 00 42 00 41 00 30 00 43 00 45 00 39 00 34 00 34 00 39 00 33 00 38 00 45 00 7D 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 45 00 6E 00 68 00 61 00 6E 00 63 00 65 00 64 00 20 00 43 00 72 00 79 00 70 00 74 00 6F 00 67 00 72 00 61 00 70 00 68 00 69 00 63 00 20 00 50 00 72 00 6F 00 76 00 69 00 64 00 65 00 72 00 20 00 76 00 31 00 2E 00 30 00 00 00 00 00 03 00 00 00 01 00 00 00 14 00 00 00 F1 A5 78 C4 CB 5D E7 9A 37 08 93 98 3F D4 DA 8B 67 B2 B0 64 20 00 00 00 01 00 00 00 0A 03 00 00 30 82 03 06 30 82 01 EE A0 03 02 01 02 02 08 67 F7 BE B9 6A 4C 27 98 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 1E 17 0D 32 33 30 33 31 34 31 30 33 35 32 30 5A 17 0D 32 36 30 36 31 37 31 30 33 35 32 30 5A 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 86 E4 57 7A 58 61 CE 81 91 77 D0 05 FA 51 D5 51 5A 93 6C 61 0C CF CB DE 53 32 CD 15 1D A6 47 EE 88 1A 24 5C 9B 02 83 3B 02 AF 3D 76 FE 20 BD 3B FA F7 A2 09 73 E7 2E BD 94 40 D0 9D 8C 3D 27 13 BD F0 D0 9F EB 95 32 AC D7 A4 2D A2 A9 52 DA A8 6A 2A 88 EE 42 7D 30 95 9D 90 BF BA 05 27 6A A0 29 98 A6 98 6F C0 13 06 62 9B 79 B8 40 5D 1F 1F A6 D9 A4 2F 82 7A FC 75 66 34 0D C2 DE 27 01 2B 94 BB 4A 27 B3 CB 1C 21 9A 3C B2 C1 42 03 F3 44 51 BD 62 65 20 ED D4 DB CC 41 4F 59 3F 2A CB C4 84 79 F7 14 3C BE 13 9C FD 12 9C 91 3E 53 03 DC 20 F9 4C 44 35 89 01 B6 9A 84 8D 7E A0 2E 30 8A 31 15 60 AC 00 AE 00 9A 29 10 9A EE D9 71 3D D8 91 9B 97 ED 59 80 58 E1 7F 07 26 C7 A0 20 F7 10 AB C0 62 91 DF AA F1 81 C6 BE 6A 76 C8 9C B6 8E B0 B0 EC 1C D9 5F 32 6C 7E 55 58 8B FD 76 C5 19 02 03 01 00 01 A3 28 30 26 30 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 03 82 01 01 00 70 85 12 93 D7 57 E9 82 79 7D C5 F7 F2 7D A8 94 EF 0C DB 32 9F 06 A6 09 6E 0C F6 04 B0 E5 47 11 56 0E F4 0F 52 82 08 2E 21 0F 55 A3 DB 41 F3 12 54 8B 76 11 F5 F0 DA CE A3 C7 8B 13 F6 FC 24 3C 02 B1 06 66 5B E6 9E 18 40 88 41 5B 27 39 99 B8 77 BE E3 53 A2 48 CE C7 EE B5 A0 95 C2 17 4B C9 52 6C AF E3 37 2C 59 DB FB E7 58 13 4E D3 51 E5 14 72 73 FE C6 85 77 AE 45 52 A6 F9 9A C8 0C A8 D0 EE 42 2A F5 28 85 8C 6B E8 1C B0 A8 03 1A B0 AE 83 C0 EB 55 64 F4 E8 7A 5C 06 29 5D 39 03 EE E2 FD F9 2D 62 A7 F4 D4 05 4D EA A7 9B CA EB DA 4E 8B 1A 6E FD 42 AE F9 D0 1C 70 75 72 8C B1 3A A8 55 7C 85 A7 25 32 B5 E2 D6 C3 E5 50 41 C9 86 7C A8 F5 62 BB D2 AB 0C 37 10 D8 31 73 EC 37 81 D1 DC AA C5 C6 E0 7E E7 26 62 4D FD C5 81 4C FF D3 36 E1 79 32 F8 9B EB 9C F7 FD BE E9 BE BF 61

Signature Hits	Behavior Group	Mitre Attack
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFiles0000

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFilesHash

Memdumps

Base Address

Regiontype

Protect

Malicious

6B2000

unkown

page readonly

74E7000

heap

page read and write

75FA000

trusted library allocation

page read and write

C90000

heap

page read and write

30D2000

trusted library allocation

page read and write

3BD8000

trusted library allocation

page read and write

311F000

trusted library allocation

page read and write

CD0000

trusted library allocation

page read and write

3B7E000

trusted library allocation

page read and write

3C59000

trusted library allocation

page read and write

2F39000

trusted library allocation

page read and write

530E000

stack

page read and write

51C0000

trusted library allocation

page read and write

3C12000

trusted library allocation

page read and write

66A0000

trusted library allocation

page read and write

7498000

heap

page read and write

4F90000

trusted library allocation

page read and write

6281000

heap

page read and write

3011000

trusted library allocation

page read and write

3E58000

trusted library allocation

page read and write

30C0000

trusted library allocation

page read and write

6730000

trusted library allocation

page read and write

75F8000

trusted library allocation

page read and write

1179000

heap

page read and write

117E000

heap

page read and write

115D000

trusted library allocation

page read and write

31ED000

trusted library allocation

page read and write

661A000

trusted library allocation

page read and write

68E0000

trusted library allocation

page read and write

7412000

heap

page read and write

650E000

stack

page read and write

6C19000

trusted library allocation

page read and write

3B93000

trusted library allocation

page read and write

6610000

trusted library allocation

page read and write

30B3000

trusted library allocation

page read and write

6615000

trusted library allocation

page read and write

2AC5000

trusted library allocation

page read and write

51B0000

trusted library allocation

page read and write

2CC8000

trusted library allocation

page read and write

7605000

trusted library allocation

page read and write

7ABF000

stack

page read and write

61A0000

trusted library allocation

page execute and read and write

111E000

trusted library allocation

page read and write

B9E000

stack

page read and write

10F0000

trusted library allocation

page read and write

2CC2000

trusted library allocation

page read and write

75FF000

trusted library allocation

page read and write

3BA2000

trusted library allocation

page read and write

5330000

heap

page read and write

6672000

trusted library allocation

page read and write

76CE000

stack

page read and write

75E9000

trusted library allocation

page read and write

30C7000

trusted library allocation

page read and write

1151000

trusted library allocation

page read and write

7BFE000

stack

page read and write

6618000

trusted library allocation

page read and write

3051000

trusted library allocation

page read and write

746A000

heap

page read and write

760A000

trusted library allocation

page read and write

563F000

stack

page read and write

DD1000

heap

page read and write

2C08000

trusted library allocation

page read and write

6900000

trusted library allocation

page read and write

6625000

trusted library allocation

page read and write

6247000

heap

page read and write

D55000

heap

page read and write

7C70000

trusted library allocation

page read and write

77A0000

trusted library allocation

page read and write

3E3E000

trusted library allocation

page read and write

2B88000

trusted library allocation

page read and write

1100000

trusted library allocation

page read and write

2F0D000

trusted library allocation

page read and write

3B6F000

trusted library allocation

page read and write

83E0000

heap

page read and write

6C3A000

trusted library allocation

page read and write

2CE3000

trusted library allocation

page read and write

3E27000

trusted library allocation

page read and write

52CE000

stack

page read and write

10DC000

stack

page read and write

30FA000

trusted library allocation

page read and write

6650000

trusted library allocation

page read and write

50A0000

heap

page read and write

75E2000

trusted library allocation

page read and write

E06000

heap

page read and write

3BD3000

trusted library allocation

page read and write

114E000

trusted library allocation

page read and write

2FD9000

trusted library allocation

page read and write

3B9F000

trusted library allocation

page read and write

68D0000

trusted library allocation

page read and write

3018000

trusted library allocation

page read and write

6273000

heap

page read and write

89DE000

stack

page read and write

4F20000

trusted library allocation

page read and write

6C60000

trusted library allocation

page read and write

3E4E000

trusted library allocation

page read and write

614E000

stack

page read and write

667E000

trusted library allocation

page read and write

2E87000

trusted library allocation

page read and write

76E0000

trusted library allocation

page read and write

4F40000

trusted library allocation

page read and write

4F92000

trusted library allocation

page read and write

2F40000

trusted library allocation

page read and write

73E0000

heap

page read and write

D62000

heap

page read and write

6C30000

trusted library allocation

page read and write

67B0000

trusted library allocation

page execute and read and write

3091000

trusted library allocation

page read and write

66D0000

trusted library allocation

page read and write

7620000

trusted library allocation

page read and write

2CB0000

trusted library allocation

page read and write

3B87000

trusted library allocation

page read and write

66AB000

trusted library allocation

page read and write

3022000

trusted library allocation

page read and write

6629000

trusted library allocation

page read and write

D12000

trusted library allocation

page read and write

72E0000

heap

page read and write

7FD90000

trusted library allocation

page execute and read and write

2FD7000

trusted library allocation

page read and write

3B82000

trusted library allocation

page read and write

F90000

heap

page read and write

D06000

trusted library allocation

page execute and read and write

6666000

trusted library allocation

page read and write

62AC000

heap

page read and write

3C14000

trusted library allocation

page read and write

CE3000

trusted library allocation

page execute and read and write

5F4E000

stack

page read and write

6BCC000

stack

page read and write

113B000

trusted library allocation

page read and write

10E0000

trusted library allocation

page read and write

62A2000

heap

page read and write

2F4A000

trusted library allocation

page read and write

3B1B000

trusted library allocation

page read and write

6690000

trusted library allocation

page read and write

7C60000

trusted library allocation

page read and write

30E4000

trusted library allocation

page read and write

3BCC000

trusted library allocation

page read and write

6ACE000

stack

page read and write

CED000

trusted library allocation

page execute and read and write

2D29000

trusted library allocation

page read and write

3BF8000

trusted library allocation

page read and write

2EF7000

trusted library allocation

page read and write

6C10000

trusted library allocation

page read and write

CF0000

trusted library allocation

page read and write

1110000

trusted library allocation

page read and write

2F1A000

trusted library allocation

page read and write

748F000

heap

page read and write

3C69000

trusted library allocation

page read and write

D15000

trusted library allocation

page execute and read and write

6C34000

trusted library allocation

page read and write

2FCF000

trusted library allocation

page read and write

626F000

heap

page read and write

D47000

heap

page read and write

2CBB000

trusted library allocation

page read and write

73EE000

heap

page read and write

749B000

heap

page read and write

2F8F000

trusted library allocation

page read and write

F97000

heap

page read and write

6720000

trusted library allocation

page read and write

2A28000

trusted library allocation

page read and write

66E0000

trusted library allocation

page read and write

621A000

heap

page read and write

7DCE000

stack

page read and write

3E39000

trusted library allocation

page read and write

74B0000

heap

page read and write

3C09000

trusted library allocation

page read and write

F7E000

stack

page read and write

629E000

heap

page read and write

799000

stack

page read and write

66AE000

trusted library allocation

page read and write

CE4000

trusted library allocation

page read and write

D20000

heap

page read and write

30DF000

trusted library allocation

page read and write

3B8D000

trusted library allocation

page read and write

62BE000

heap

page read and write

3099000

trusted library allocation

page read and write

3BAC000

trusted library allocation

page read and write

1134000

trusted library allocation

page read and write

3BF2000

trusted library allocation

page read and write

760F000

trusted library allocation

page read and write

7700000

trusted library allocation

page read and write

75E0000

trusted library allocation

page read and write

3C05000

trusted library allocation

page read and write

2FC6000

trusted library allocation

page read and write

2D4C000

trusted library allocation

page read and write

B00000

heap

page read and write

6E2000

unkown

page readonly

D10000

trusted library allocation

page read and write

528E000

stack

page read and write

4BDB000

stack

page read and write

73E3000

heap

page read and write

6627000

trusted library allocation

page read and write

CFD000

trusted library allocation

page execute and read and write

2CA9000

trusted library allocation

page read and write

2AC0000

trusted library allocation

page read and write

6750000

trusted library allocation

page execute and read and write

3C0E000

trusted library allocation

page read and write

3AE1000

trusted library allocation

page read and write

5C8E000

stack

page read and write

2EEE000

trusted library allocation

page read and write

7E0E000

stack

page read and write

2C9C000

trusted library allocation

page read and write

51A0000

trusted library allocation

page read and write

740D000

heap

page read and write

7422000

heap

page read and write

5650000

heap

page read and write

3BDD000

trusted library allocation

page read and write

D0A000

trusted library allocation

page execute and read and write

3E13000

trusted library allocation

page read and write

3BC1000

trusted library allocation

page read and write

2AE1000

trusted library allocation

page read and write

D2B000

heap

page read and write

2CCD000

trusted library allocation

page read and write

4FA0000

trusted library allocation

page execute and read and write

7610000

trusted library allocation

page read and write

7C80000

heap

page read and write

AF7000

stack

page read and write

D02000

trusted library allocation

page read and write

3039000

trusted library allocation

page read and write

6B0000

unkown

page readonly

7C4B000

stack

page read and write

3B23000

trusted library allocation

page read and write

CE0000

trusted library allocation

page read and write

6661000

trusted library allocation

page read and write

6C20000

trusted library allocation

page execute and read and write

3006000

trusted library allocation

page read and write

3C17000

trusted library allocation

page read and write

2EB7000

trusted library allocation

page read and write

2AD0000

heap

page read and write

698C000

stack

page read and write

6C00000

trusted library allocation

page execute and read and write

D00000

trusted library allocation

page read and write

F1F000

stack

page read and write

6A8C000

stack

page read and write

768D000

stack

page read and write

74D1000

heap

page read and write

74DB000

heap

page read and write

7C50000

heap

page read and write

7487000

heap

page read and write

61CD000

heap

page read and write

B10000

heap

page read and write

109E000

stack

page read and write

7A7E000

stack

page read and write

51A8000

trusted library allocation

page read and write

73F1000

heap

page read and write

3B68000

trusted library allocation

page read and write

1130000

trusted library allocation

page read and write

2F55000

trusted library allocation

page read and write

6940000

trusted library allocation

page execute and read and write

DF6000

heap

page read and write

6C64000

trusted library allocation

page read and write

6E7000

unkown

page readonly

66C0000

trusted library allocation

page read and write

543E000

stack

page read and write

3E20000

trusted library allocation

page read and write

6910000

trusted library allocation

page read and write

2FE5000

trusted library allocation

page read and write

2CD8000

trusted library allocation

page read and write

3E43000

trusted library allocation

page read and write

1156000

trusted library allocation

page read and write

3087000

trusted library allocation

page read and write

6681000

trusted library allocation

page read and write

7AFE000

stack

page read and write

745F000

heap

page read and write

5468000

heap

page read and write

7D8D000

stack

page read and write

74A4000

heap

page read and write

76F0000

trusted library allocation

page execute and read and write

1176000

heap

page read and write

62AA000

heap

page read and write

665B000

trusted library allocation

page read and write

3DFA000

trusted library allocation

page read and write

744E000

heap

page read and write

6F6000

unkown

page readonly

2F45000

trusted library allocation

page read and write

74C0000

heap

page read and write

3BE8000

trusted library allocation

page read and write

BB0000

heap

page read and write

649E000

stack

page read and write

3B02000

trusted library allocation

page read and write

3E06000

trusted library allocation

page read and write

604E000

stack

page read and write

66F0000

trusted library allocation

page read and write

4F4E000

trusted library allocation

page read and write

74ED000

heap

page read and write

50A3000

heap

page read and write

73FB000

heap

page read and write

5451000

heap

page read and write

30A6000

trusted library allocation

page read and write

68F0000

trusted library allocation

page read and write

7458000

heap

page read and write

73E8000

heap

page read and write

1120000

heap

page execute and read and write

74CA000

heap

page read and write

3C1D000

trusted library allocation

page read and write

2EFF000

trusted library allocation

page read and write

83EC000

heap

page read and write

66B0000

trusted library allocation

page read and write

D1B000

trusted library allocation

page execute and read and write

2F27000

trusted library allocation

page read and write

2F61000

trusted library allocation

page read and write

4F80000

heap

page read and write

83F6000

heap

page read and write

779E000

stack

page read and write

67A0000

trusted library allocation

page execute and read and write

775E000

stack

page read and write

D2E000

heap

page read and write

3BFF000

trusted library allocation

page read and write

301D000

trusted library allocation

page read and write

66A5000

trusted library allocation

page read and write

61E4000

heap

page read and write

3BB9000

trusted library allocation

page read and write

2F01000

trusted library allocation

page read and write

2FFF000

trusted library allocation

page read and write

660E000

stack

page read and write

BB6000

heap

page read and write

2C0C000

trusted library allocation

page read and write

3B84000

trusted library allocation

page read and write

6620000

trusted library allocation

page read and write

302D000

trusted library allocation

page read and write

5C4E000

stack

page read and write

51D0000

heap

page execute and read and write

61C0000

heap

page read and write

3F58000

trusted library allocation

page read and write

6920000

trusted library allocation

page execute and read and write

7473000

heap

page read and write

3C31000

trusted library allocation

page read and write

3AEF000

trusted library allocation

page read and write

88DE000

stack

page read and write

62B0000

heap

page read and write

6C37000

trusted library allocation

page read and write

639D000

stack

page read and write

3B62000

trusted library allocation

page read and write

30D9000

trusted library allocation

page read and write

F30000

trusted library allocation

page read and write

6BE0000

trusted library allocation

page read and write

6740000

trusted library allocation

page execute and read and write

2A1F000

stack

page read and write

61B0000

trusted library allocation

page execute and read and write

2F2E000

trusted library allocation

page read and write

B5E000

stack

page read and write

2FF2000

trusted library allocation

page read and write

30EF000

trusted library allocation

page read and write

1170000

heap

page read and write

76D0000

trusted library allocation

page read and write

D17000

trusted library allocation

page execute and read and write

F80000

trusted library allocation

page execute and read and write

3E32000

trusted library allocation

page read and write

4058000

trusted library allocation

page read and write

6BE3000

trusted library allocation

page read and write

3B79000

trusted library allocation

page read and write

7C00000

trusted library allocation

page execute and read and write

75E5000

trusted library allocation

page read and write

3B75000

trusted library allocation

page read and write

There are 343 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
1692db4e522605d93551ddcabeffa92a2cd43e764a134833644808319784b955_dump.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report1692db4e522605d93551ddcabeffa92a2cd43e764a134833644808319784b955_dump.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
1692db4e522605d93551ddcabeffa92a2cd43e764a134833644808319784b955_dump.exe