Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.081927371705491
Filename:	file.exe
Filesize:	311296
MD5:	a9a37926c6d3ab63e00b12760fae1e73
SHA1:	944d6044e111bbad742d06852c3ed2945dc9e051
SHA256:	27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b
SHA512:	575485d1c53b1bf145c7385940423b16089cf9ab75404e2e9c7af42b594480470f0e28dadcddbd66e4cd469e45326a6eb4eb2362ccc37edb2a956d224e04cf97
SSDEEP:	3072:aq6EgY6iQrUjGk14lwPK4qw9LwwPITAztASKwlcZqf7D34leqiOLibBOh:ZqY6iwwPIknATAZA+lcZqf7DIvL
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B.................0.................. ... ....@.. ....................... ............@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping
Tries to steal Crypto Currency Wallets	Stealing of Sensitive Information	Windows Management Instrumentation Security Software Discovery
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Windows Management Instrumentation Security Software Discovery
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops certificate files (DER)	E-Banking Fraud
Enables debug privileges	Anti Debugging
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Category:	dropped
Dump:	file.exe.log.5.dr
ID:	dr_4
Target ID:	5
Process:	C:\Users\user\Desktop\file.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.3318368586986695
Encrypted:	false
Ssdeep:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlq0
Size:	3274
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\Public\Desktop\Google Chrome.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 10:09:14 2023, atime=Mon Oct 2 20:46:56 2023, length=3242272, window=hide

dropped

Details

File:	C:\Users\Public\Desktop\Google Chrome.lnk
Category:	dropped
Dump:	Google Chrome.lnk.5.dr
ID:	dr_3
Target ID:	5
Process:	C:\Users\user\Desktop\file.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 10:09:14 2023, atime=Mon Oct 2 20:46:56 2023, length=3242272, window=hide
Entropy:	3.465084577299074
Encrypted:	false
Ssdeep:	48:8Sqd4TUCr5RYrnvPdAKRkdAGdAKRFdAKRN:8S9i
Size:	2104
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\Tmp49EB.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Tmp49EB.tmp
Category:	dropped
Dump:	Tmp49EB.tmp.5.dr
ID:	dr_0
Target ID:	5
Process:	C:\Users\user\Desktop\file.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\Tmp49EC.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Tmp49EC.tmp
Category:	dropped
Dump:	Tmp49EC.tmp.5.dr
ID:	dr_1
Target ID:	5
Process:	C:\Users\user\Desktop\file.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
Category:	dropped
Dump:	76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06.5.dr
ID:	dr_2
Target ID:	5
Process:	C:\Users\user\Desktop\file.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	2251
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3956
Target ID:	5
Parent PID:	2592
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	311296
MD5:	A9A37926C6D3AB63E00B12760FAE1E73
Time:	19:04:30
Date:	25/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x100000
Modulesize:	335872
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/sct

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk

unknown

http://tempuri.org/Entity/Id14ResponseD

unknown

http://tempuri.org/Entity/Id23ResponseD

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

unknown

http://tempuri.org/Entity/Id12Response

unknown

http://tempuri.org/

unknown

http://tempuri.org/Entity/Id2Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1

unknown

http://tempuri.org/Entity/Id21Response

unknown

http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap

unknown

http://tempuri.org/Entity/Id9

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID

unknown

http://tempuri.org/Entity/Id8

unknown

http://tempuri.org/Entity/Id6ResponseD

unknown

http://tempuri.org/Entity/Id5

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare

unknown

http://tempuri.org/Entity/Id4

unknown

http://tempuri.org/Entity/Id7

unknown

http://purl.oen

unknown

http://tempuri.org/Entity/Id6

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret

unknown

http://tempuri.org/Entity/Id19Response

unknown

http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

http://tempuri.org/Entity/Id13ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/fault

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey

unknown

http://tempuri.org/Entity/Id15Response

unknown

http://tempuri.org/Entity/Id5ResponseD

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register

unknown

http://tempuri.org/Entity/Id6Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey

unknown

https://api.ip.sb/ip

unknown

http://schemas.xmlsoap.org/ws/2004/04/sc

unknown

http://tempuri.org/Entity/Id1ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel

unknown

http://tempuri.org/Entity/Id9Response

unknown

http://tempuri.org/Entity/Id20

unknown

http://tempuri.org/Entity/Id21

unknown

http://tempuri.org/Entity/Id22

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1

unknown

http://tempuri.org/Entity/Id23

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1

unknown

http://tempuri.org/Entity/Id24

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue

unknown

http://tempuri.org/Entity/Id24Response

unknown

http://tempuri.org/Entity/Id1Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey

unknown

http://tempuri.org/Entity/Id21ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust

unknown

http://tempuri.org/Entity/Id10

unknown

http://tempuri.org/Entity/Id11

unknown

http://tempuri.org/Entity/Id10ResponseD

unknown

http://tempuri.org/Entity/Id12

unknown

http://tempuri.org/Entity/Id16Response

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel

unknown

http://tempuri.org/Entity/Id13

unknown

http://tempuri.org/Entity/Id14

unknown

http://tempuri.org/Entity/Id15

unknown

http://tempuri.org/Entity/Id16

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce

unknown

http://tempuri.org/Entity/Id17

unknown

http://tempuri.org/Entity/Id18

unknown

http://tempuri.org/Entity/Id5Response

unknown

http://tempuri.org/Entity/Id19

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns

unknown

http://tempuri.org/Entity/Id15ResponseD

unknown

http://tempuri.org/Entity/Id10Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Renew

unknown

http://tempuri.org/Entity/Id11ResponseD

unknown

http://tempuri.org/Entity/Id8Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT

unknown

http://schemas.xmlsoap.org/ws/2006/02/addressingidentity

unknown

http://tempuri.org/Entity/Id17ResponseD

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://tempuri.org/Entity/Id8ResponseD

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust

unknown

There are 90 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

185.215.113.67

unknown

Portugal

Details

IP:	185.215.113.67
TargetID:	5
Current Path:	C:\Users\user\Desktop\file.exe
Country:	Portugal
Countrycode:	PRT
ASN number:	206894
ASN name:	WHOLESALECONNECTIONSNL
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064

Blob

Details

TargetID:	5
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064
Value name:	Blob
Value data:	0B 00 00 00 01 00 00 00 48 00 00 00 54 00 69 00 74 00 61 00 6E 00 69 00 75 00 6D 00 20 00 52 00 6F 00 6F 00 74 00 20 00 43 00 65 00 72 00 74 00 69 00 66 00 69 00 63 00 61 00 74 00 65 00 20 00 41 00 75 00 74 00 68 00 6F 00 72 00 69 00 74 00 79 00 00 00 02 00 00 00 01 00 00 00 CC 00 00 00 1C 00 00 00 6C 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 7B 00 34 00 31 00 37 00 34 00 34 00 42 00 45 00 34 00 2D 00 31 00 31 00 43 00 35 00 2D 00 34 00 39 00 34 00 43 00 2D 00 41 00 32 00 31 00 33 00 2D 00 42 00 41 00 30 00 43 00 45 00 39 00 34 00 34 00 39 00 33 00 38 00 45 00 7D 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 45 00 6E 00 68 00 61 00 6E 00 63 00 65 00 64 00 20 00 43 00 72 00 79 00 70 00 74 00 6F 00 67 00 72 00 61 00 70 00 68 00 69 00 63 00 20 00 50 00 72 00 6F 00 76 00 69 00 64 00 65 00 72 00 20 00 76 00 31 00 2E 00 30 00 00 00 00 00 03 00 00 00 01 00 00 00 14 00 00 00 F1 A5 78 C4 CB 5D E7 9A 37 08 93 98 3F D4 DA 8B 67 B2 B0 64 20 00 00 00 01 00 00 00 0A 03 00 00 30 82 03 06 30 82 01 EE A0 03 02 01 02 02 08 67 F7 BE B9 6A 4C 27 98 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 1E 17 0D 32 33 30 33 31 34 31 30 33 35 32 30 5A 17 0D 32 36 30 36 31 37 31 30 33 35 32 30 5A 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 86 E4 57 7A 58 61 CE 81 91 77 D0 05 FA 51 D5 51 5A 93 6C 61 0C CF CB DE 53 32 CD 15 1D A6 47 EE 88 1A 24 5C 9B 02 83 3B 02 AF 3D 76 FE 20 BD 3B FA F7 A2 09 73 E7 2E BD 94 40 D0 9D 8C 3D 27 13 BD F0 D0 9F EB 95 32 AC D7 A4 2D A2 A9 52 DA A8 6A 2A 88 EE 42 7D 30 95 9D 90 BF BA 05 27 6A A0 29 98 A6 98 6F C0 13 06 62 9B 79 B8 40 5D 1F 1F A6 D9 A4 2F 82 7A FC 75 66 34 0D C2 DE 27 01 2B 94 BB 4A 27 B3 CB 1C 21 9A 3C B2 C1 42 03 F3 44 51 BD 62 65 20 ED D4 DB CC 41 4F 59 3F 2A CB C4 84 79 F7 14 3C BE 13 9C FD 12 9C 91 3E 53 03 DC 20 F9 4C 44 35 89 01 B6 9A 84 8D 7E A0 2E 30 8A 31 15 60 AC 00 AE 00 9A 29 10 9A EE D9 71 3D D8 91 9B 97 ED 59 80 58 E1 7F 07 26 C7 A0 20 F7 10 AB C0 62 91 DF AA F1 81 C6 BE 6A 76 C8 9C B6 8E B0 B0 EC 1C D9 5F 32 6C 7E 55 58 8B FD 76 C5 19 02 03 01 00 01 A3 28 30 26 30 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 03 82 01 01 00 70 85 12 93 D7 57 E9 82 79 7D C5 F7 F2 7D A8 94 EF 0C DB 32 9F 06 A6 09 6E 0C F6 04 B0 E5 47 11 56 0E F4 0F 52 82 08 2E 21 0F 55 A3 DB 41 F3 12 54 8B 76 11 F5 F0 DA CE A3 C7 8B 13 F6 FC 24 3C 02 B1 06 66 5B E6 9E 18 40 88 41 5B 27 39 99 B8 77 BE E3 53 A2 48 CE C7 EE B5 A0 95 C2 17 4B C9 52 6C AF E3 37 2C 59 DB FB E7 58 13 4E D3 51 E5 14 72 73 FE C6 85 77 AE 45 52 A6 F9 9A C8 0C A8 D0 EE 42 2A F5 28 85 8C 6B E8 1C B0 A8 03 1A B0 AE 83 C0 EB 55 64 F4 E8 7A 5C 06 29 5D 39 03 EE E2 FD F9 2D 62 A7 F4 D4 05 4D EA A7 9B CA EB DA 4E 8B 1A 6E FD 42 AE F9 D0 1C 70 75 72 8C B1 3A A8 55 7C 85 A7 25 32 B5 E2 D6 C3 E5 50 41 C9 86 7C A8 F5 62 BB D2 AB 0C 37 10 D8 31 73 EC 37 81 D1 DC AA C5 C6 E0 7E E7 26 62 4D FD C5 81 4C FF D3 36 E1 79 32 F8 9B EB 9C F7 FD BE E9 BE BF 61

Signature Hits	Behavior Group	Mitre Attack
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFiles0000

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFilesHash

Memdumps

Base Address

Regiontype

Protect

Malicious

102000

unkown

page readonly

76D0000

trusted library allocation

page read and write

73FB000

stack

page read and write

34A3000

trusted library allocation

page read and write

6211000

trusted library allocation

page read and write

785000

trusted library allocation

page execute and read and write

779000

heap

page read and write

5A2E000

stack

page read and write

6E20000

heap

page read and write

2573000

trusted library allocation

page read and write

257E000

trusted library allocation

page read and write

61A0000

heap

page read and write

26B4000

trusted library allocation

page read and write

4AD0000

heap

page read and write

62E0000

trusted library allocation

page execute and read and write

37E1000

trusted library allocation

page read and write

49E0000

heap

page execute and read and write

37CA000

trusted library allocation

page read and write

60E0000

heap

page read and write

3433000

trusted library allocation

page read and write

356F000

trusted library allocation

page read and write

37D5000

trusted library allocation

page read and write

35D2000

trusted library allocation

page read and write

7390000

heap

page read and write

7350000

trusted library allocation

page read and write

34EC000

trusted library allocation

page read and write

23DB000

stack

page read and write

5C70000

trusted library allocation

page read and write

7280000

trusted library allocation

page read and write

651C000

stack

page read and write

5C6F000

stack

page read and write

4931000

trusted library allocation

page read and write

7360000

trusted library allocation

page read and write

2698000

trusted library allocation

page read and write

6174000

heap

page read and write

5E2E000

stack

page read and write

4E7E000

stack

page read and write

3515000

trusted library allocation

page read and write

359D000

trusted library allocation

page read and write

6330000

trusted library allocation

page execute and read and write

458B000

stack

page read and write

7290000

trusted library allocation

page read and write

2788000

trusted library allocation

page read and write

70D5000

heap

page read and write

360F000

trusted library allocation

page read and write

5F6D000

stack

page read and write

4A02000

trusted library allocation

page read and write

740000

trusted library allocation

page read and write

5C80000

trusted library allocation

page read and write

6480000

trusted library allocation

page read and write

2711000

trusted library allocation

page read and write

3555000

trusted library allocation

page read and write

4E3B000

trusted library allocation

page read and write

725A000

trusted library allocation

page read and write

675C000

stack

page read and write

5D40000

trusted library allocation

page execute and read and write

61D5000

heap

page read and write

2A76000

trusted library allocation

page read and write

2591000

trusted library allocation

page read and write

2929000

trusted library allocation

page read and write

733F000

stack

page read and write

6165000

heap

page read and write

361F000

trusted library allocation

page read and write

2576000

trusted library allocation

page read and write

25AC000

trusted library allocation

page read and write

60A8000

trusted library allocation

page read and write

780000

trusted library allocation

page read and write

4950000

trusted library allocation

page read and write

606E000

stack

page read and write

3778000

trusted library allocation

page read and write

2661000

trusted library allocation

page read and write

61C3000

heap

page read and write

3502000

trusted library allocation

page read and write

5D30000

trusted library allocation

page execute and read and write

6270000

trusted library allocation

page read and write

7364000

trusted library allocation

page read and write

3740000

trusted library allocation

page read and write

8C2E000

stack

page read and write

4E30000

trusted library allocation

page read and write

7AE000

heap

page read and write

724F000

trusted library allocation

page read and write

2621000

trusted library allocation

page read and write

6460000

trusted library allocation

page read and write

6490000

trusted library allocation

page read and write

25DC000

trusted library allocation

page read and write

7A8000

heap

page read and write

6122000

heap

page read and write

35CC000

trusted library allocation

page read and write

617B000

heap

page read and write

2A24000

trusted library allocation

page read and write

23F1000

trusted library allocation

page read and write

49AE000

trusted library allocation

page read and write

6220000

trusted library allocation

page read and write

881000

heap

page read and write

702A000

heap

page read and write

25D2000

trusted library allocation

page read and write

2A5F000

trusted library allocation

page read and write

34BC000

trusted library allocation

page read and write

49A0000

trusted library allocation

page read and write

35A7000

trusted library allocation

page read and write

375C000

trusted library allocation

page read and write

35BE000

trusted library allocation

page read and write

2A43000

trusted library allocation

page read and write

724A000

trusted library allocation

page read and write

34E8000

trusted library allocation

page read and write

61BB000

heap

page read and write

A9E000

stack

page read and write

3497000

trusted library allocation

page read and write

37F1000

trusted library allocation

page read and write

62C0000

trusted library allocation

page read and write

25A1000

trusted library allocation

page read and write

5593000

heap

page read and write

35CA000

trusted library allocation

page read and write

2669000

trusted library allocation

page read and write

6340000

trusted library allocation

page execute and read and write

26BF000

trusted library allocation

page read and write

7EEE0000

trusted library allocation

page execute and read and write

4F7000

stack

page read and write

26A3000

trusted library allocation

page read and write

766000

trusted library allocation

page execute and read and write

4942000

trusted library allocation

page read and write

6186000

heap

page read and write

782000

trusted library allocation

page read and write

730000

trusted library allocation

page read and write

701D000

stack

page read and write

61E0000

trusted library allocation

page read and write

7076000

heap

page read and write

7069000

heap

page read and write

2240000

trusted library allocation

page read and write

48D0000

trusted library allocation

page execute and read and write

35BB000

trusted library allocation

page read and write

25D7000

trusted library allocation

page read and write

3508000

trusted library allocation

page read and write

7620000

trusted library allocation

page read and write

6250000

trusted library allocation

page read and write

64D0000

trusted library allocation

page execute and read and write

665E000

stack

page read and write

7260000

trusted library allocation

page read and write

4E0E000

stack

page read and write

48E0000

heap

page read and write

493D000

trusted library allocation

page read and write

7C8000

heap

page read and write

372F000

trusted library allocation

page read and write

4980000

trusted library allocation

page read and write

256B000

trusted library allocation

page read and write

2691000

trusted library allocation

page read and write

7020000

heap

page read and write

7052000

heap

page read and write

4A00000

trusted library allocation

page read and write

4960000

trusted library allocation

page read and write

37FB000

trusted library allocation

page read and write

74D000

trusted library allocation

page execute and read and write

60A0000

trusted library allocation

page read and write

377B000

trusted library allocation

page read and write

2558000

trusted library allocation

page read and write

743000

trusted library allocation

page execute and read and write

3588000

trusted library allocation

page read and write

7220000

trusted library allocation

page execute and read and write

6235000

trusted library allocation

page read and write

48F0000

trusted library allocation

page read and write

7248000

trusted library allocation

page read and write

7232000

trusted library allocation

page read and write

6769000

trusted library allocation

page read and write

776000

heap

page read and write

3592000

trusted library allocation

page read and write

707F000

heap

page read and write

6760000

trusted library allocation

page read and write

3494000

trusted library allocation

page read and write

61B7000

heap

page read and write

379D000

trusted library allocation

page read and write

760000

trusted library allocation

page read and write

35E7000

trusted library allocation

page read and write

100000

unkown

page readonly

3703000

trusted library allocation

page read and write

5598000

heap

page read and write

6260000

trusted library allocation

page read and write

374C000

trusted library allocation

page read and write

5B6E000

stack

page read and write

61C8000

heap

page read and write

3531000

trusted library allocation

page read and write

38FB000

trusted library allocation

page read and write

576E000

stack

page read and write

229E000

stack

page read and write

550000

heap

page read and write

7340000

trusted library allocation

page execute and read and write

61F6000

trusted library allocation

page read and write

7270000

trusted library allocation

page read and write

60B0000

trusted library allocation

page read and write

35C4000

trusted library allocation

page read and write

7062000

heap

page read and write

7380000

trusted library allocation

page execute and read and write

3581000

trusted library allocation

page read and write

37B6000

trusted library allocation

page read and write

7D5000

heap

page read and write

5D7000

heap

page read and write

350F000

trusted library allocation

page read and write

3710000

trusted library allocation

page read and write

64B0000

trusted library allocation

page execute and read and write

3756000

trusted library allocation

page read and write

5D0000

heap

page read and write

35B4000

trusted library allocation

page read and write

2A3C000

trusted library allocation

page read and write

560000

heap

page read and write

766E000

stack

page read and write

86C000

heap

page read and write

762000

trusted library allocation

page read and write

373B000

trusted library allocation

page read and write

60A5000

trusted library allocation

page read and write

2568000

trusted library allocation

page read and write

3576000

trusted library allocation

page read and write

492E000

trusted library allocation

page read and write

3772000

trusted library allocation

page read and write

5C78000

trusted library allocation

page read and write

3478000

trusted library allocation

page read and write

3769000

trusted library allocation

page read and write

34DB000

trusted library allocation

page read and write

2786000

trusted library allocation

page read and write

60B5000

trusted library allocation

page read and write

2A2F000

trusted library allocation

page read and write

352C000

trusted library allocation

page read and write

620E000

trusted library allocation

page read and write

76AD000

stack

page read and write

37C3000

trusted library allocation

page read and write

7255000

trusted library allocation

page read and write

61EB000

trusted library allocation

page read and write

77E000

heap

page read and write

72E000

stack

page read and write

708F000

heap

page read and write

7084000

heap

page read and write

3489000

trusted library allocation

page read and write

70B4000

heap

page read and write

623E000

trusted library allocation

page read and write

37A9000

trusted library allocation

page read and write

556F000

stack

page read and write

2A4E000

trusted library allocation

page read and write

3412000

trusted library allocation

page read and write

25E7000

trusted library allocation

page read and write

99E000

stack

page read and write

75D000

trusted library allocation

page execute and read and write

24EF000

trusted library allocation

page read and write

6280000

trusted library allocation

page read and write

7059000

heap

page read and write

750000

trusted library allocation

page read and write

615000

heap

page read and write

3519000

trusted library allocation

page read and write

26AA000

trusted library allocation

page read and write

912E000

stack

page read and write

5581000

heap

page read and write

787000

trusted library allocation

page execute and read and write

70B2000

heap

page read and write

60AA000

trusted library allocation

page read and write

60B9000

trusted library allocation

page read and write

76B0000

heap

page read and write

4975000

trusted library allocation

page read and write

2250000

heap

page read and write

3562000

trusted library allocation

page read and write

34D0000

trusted library allocation

page read and write

61F1000

trusted library allocation

page read and write

4AB0000

trusted library allocation

page execute and read and write

661C000

stack

page read and write

70F6000

heap

page read and write

348E000

trusted library allocation

page read and write

34C9000

trusted library allocation

page read and write

43F8000

trusted library allocation

page read and write

2734000

trusted library allocation

page read and write

26CB000

trusted library allocation

page read and write

4C1E000

stack

page read and write

60B7000

trusted library allocation

page read and write

25F2000

trusted library allocation

page read and write

4DCE000

stack

page read and write

3522000

trusted library allocation

page read and write

49F0000

heap

page read and write

3724000

trusted library allocation

page read and write

67CE000

stack

page read and write

349C000

trusted library allocation

page read and write

3785000

trusted library allocation

page read and write

4936000

trusted library allocation

page read and write

6182000

heap

page read and write

4900000

trusted library allocation

page read and write

73A0000

trusted library allocation

page execute and read and write

37DC000

trusted library allocation

page read and write

2701000

trusted library allocation

page read and write

610000

heap

page read and write

3780000

trusted library allocation

page read and write

37E6000

trusted library allocation

page read and write

7264000

trusted library allocation

page read and write

864000

heap

page read and write

491B000

trusted library allocation

page read and write

137000

unkown

page readonly

33FF000

trusted library allocation

page read and write

770000

heap

page read and write

4D1E000

stack

page read and write

70C9000

heap

page read and write

62D0000

trusted library allocation

page execute and read and write

706D000

heap

page read and write

2658000

trusted library allocation

page read and write

7230000

trusted library allocation

page read and write

6133000

heap

page read and write

298F000

trusted library allocation

page read and write

27A3000

trusted library allocation

page read and write

496E000

trusted library allocation

page read and write

3776000

trusted library allocation

page read and write

7370000

trusted library allocation

page read and write

3736000

trusted library allocation

page read and write

3763000

trusted library allocation

page read and write

6470000

trusted library allocation

page read and write

277E000

trusted library allocation

page read and write

256D000

trusted library allocation

page read and write

676C000

trusted library allocation

page read and write

2A5A000

trusted library allocation

page read and write

70E3000

heap

page read and write

34E2000

trusted library allocation

page read and write

5B2F000

stack

page read and write

257C000

trusted library allocation

page read and write

5E0000

heap

page read and write

2684000

trusted library allocation

page read and write

3485000

trusted library allocation

page read and write

25B9000

trusted library allocation

page read and write

76A000

trusted library allocation

page execute and read and write

3472000

trusted library allocation

page read and write

259E000

trusted library allocation

page read and write

35AE000

trusted library allocation

page read and write

72FD000

stack

page read and write

78B000

trusted library allocation

page execute and read and write

6240000

trusted library allocation

page read and write

725F000

trusted library allocation

page read and write

23E0000

heap

page execute and read and write

146000

unkown

page readonly

2570000

trusted library allocation

page read and write

2677000

trusted library allocation

page read and write

26AF000

trusted library allocation

page read and write

70A9000

heap

page read and write

64A0000

trusted library allocation

page read and write

4970000

trusted library allocation

page read and write

2A6B000

trusted library allocation

page read and write

278C000

trusted library allocation

page read and write

1EA000

stack

page read and write

25CB000

trusted library allocation

page read and write

6230000

trusted library allocation

page read and write

7103000

heap

page read and write

376D000

trusted library allocation

page read and write

255C000

trusted library allocation

page read and write

2A55000

trusted library allocation

page read and write

3527000

trusted library allocation

page read and write

2782000

trusted library allocation

page read and write

4914000

trusted library allocation

page read and write

266B000

trusted library allocation

page read and write

7030000

heap

page read and write

2780000

trusted library allocation

page read and write

67F2000

trusted library allocation

page read and write

358D000

trusted library allocation

page read and write

7E3000

heap

page read and write

7126000

heap

page read and write

7E7000

heap

page read and write

132000

unkown

page readonly

5C90000

trusted library allocation

page read and write

35C7000

trusted library allocation

page read and write

6202000

trusted library allocation

page read and write

25C0000

trusted library allocation

page read and write

3AA2000

trusted library allocation

page read and write

2554000

trusted library allocation

page read and write

24E7000

trusted library allocation

page read and write

34F8000

trusted library allocation

page read and write

7278000

trusted library allocation

page read and write

7239000

trusted library allocation

page read and write

7A0000

heap

page read and write

4910000

trusted library allocation

page read and write

2498000

trusted library allocation

page read and write

7235000

trusted library allocation

page read and write

623B000

trusted library allocation

page read and write

5F2E000

stack

page read and write

67F0000

trusted library allocation

page read and write

5AE000

stack

page read and write

62B0000

trusted library allocation

page read and write

347F000

trusted library allocation

page read and write

3492000

trusted library allocation

page read and write

33F1000

trusted library allocation

page read and write

704D000

heap

page read and write

5D20000

heap

page read and write

239F000

stack

page read and write

4EBE000

stack

page read and write

371D000

trusted library allocation

page read and write

2586000

trusted library allocation

page read and write

351E000

trusted library allocation

page read and write

744000

trusted library allocation

page read and write

3524000

trusted library allocation

page read and write

812E000

stack

page read and write

3549000

trusted library allocation

page read and write

48E3000

heap

page read and write

34AF000

trusted library allocation

page read and write

There are 380 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
file.exe