Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\ibk0BQaWAo.exe

"C:\Users\user\Desktop\ibk0BQaWAo.exe"

Details

Is windows:	true
Is dropped:	false
PID:	3548
Target ID:	0
Parent PID:	1244
Name:	ibk0BQaWAo.exe
Path:	C:\Users\user\Desktop\ibk0BQaWAo.exe
Commandline:	"C:\Users\user\Desktop\ibk0BQaWAo.exe"
Size:	2674456
MD5:	236F518655EB360A64181235531D8556
Time:	23:58:20
Date:	20/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	2699264
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE / OLE file has an invalid certificate	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Startup Folder File Write	System Summary
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sigma detected: Modification of IE Registry Settings	System Summary
URLs found in memory or binary data	Networking
Windows shortcut file (LNK) contains relative path	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
PE file has a big raw section	System Summary
PE file contains a mix of resources often seen in goodware	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

http://obupdate.orbitdownloader.com/updataAd.php

188.114.96.6

https://orbitdownloader.com/

188.114.96.6

http://obupdate.orbitdownloader.com/update/myinfo.php

188.114.96.6

http://orbitdownloader.com/

188.114.96.6

http://obupdate.orbitdownloader.com/update/autoup.php?version=4.1.1.19&guid=C34B8125B23A4CE5B6DCAAC768A52F4B84DA&vendor=ORBITDMX&language=USA

188.114.96.6

http://obupdate.orbitdownloader.com/updataGv.php

188.114.96.6

http://oblogin.rep.orbitdownloader.com/login/login.html?version=4.1.1.19&guid=C34B8125B23A4CE5B6DCAAC768A52F4B84DA&vendor=ORBITDMX&showcnt=0&lastlogin=0&lastexit=0&dltimes=0&ntdlgshowtimes=0&dlsuctipscnt=0&grabpro=0&obproxyrun=0&pcode=&sm=0.9.1033

188.114.96.6

http://oblogin.rep.orbitdownloader.com/login/login.html?version=4.1.1.19&guid=C34B8125B23A4CE5B6DCAA

unknown

http://www.orbitdownloader.com/link.php?type=2

unknown

https://orbitdownloader.co

unknown

https://orbitdownloader.com/comments/feed/

unknown

https://orbitdownloader.com/wp-content/themes/raft/assets/fonts/spline-sans-mono/SplineSansMono-Ital

unknown

http://orbit.brothersoft.com/get.phpAdConfig.xmlhttp://orbit.brothersoft.com/show.phphttp://obupdate

unknown

http://www.orbitdownloader.com/link.php?type=1

unknown

http://obbug.rep.orbitdownloader.com/bugreport/report_bug.php

unknown

http://www.orbitdownloader.com/support.htm

unknown

http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0

unknown

http://www.orbitdownloader.com/link.php?type=20

unknown

http://www.diginotar.nl/cps/pkioverheid0

unknown

https://orbitdownloader.com/wp-content/uploads/2024/07/cropped-orbitdownloader-270x270.jpg

unknown

https://orbitdownloader.com/#bread

unknown

https://orbitdownloader.com/wp-content/themes/raft/assets/fonts/gloock/Gloock-Regular.ttf

unknown

http://www.freevideozilla.com/

unknown

http://www.orbitdownloader.com/faq.htmhttp://www.orbitdownloader.com/index.htmhttp://www.orbitdownlo

unknown

ftp://https://http://ehrmfkEHRMFKaAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ0123456789-_.%0

unknown

http://oblogin.rep.orbitdownloader.com/login/login.html?

unknown

http://obupdate.orbitdownloader.com/update/

unknown

https://orbitdownloader.com/wp-content/uploads/2024/07/cropped-orbitdownloader-300x300.jpg

unknown

http://obupdate.orbitdownloader.com/updataAd.phpesoft

unknown

https://orbitdownloader.com/#/schema/logo/image/

unknown

https://orbitdownloader.com/feed

unknown

https://orbitdownloader.com/category/downloaders/

unknown

https://orbitdownloader.com/feed/

unknown

https://orbitdownloader.com/wp-content/themes/raft/assets/fonts/figtree/Figtree-VariableFont_wght.tt

unknown

https://schema.org

unknown

http://obinstallup.rep.orbitdownloader.com/install/instupdate.html?

unknown

http://www.orbitdownloader.com/faq.htm

unknown

http://orbit.brothersoft.com/givesoft_get.phphttp://obupdate.orbitdownloader.com/updataGv.phpzipURLz

unknown

https://orbitdownloader.com/wp-content/uploads/2024/07/cropped-orbitdownloader.jpg

unknown

http://oblang.rep.orbitdownloader.com/lang.html?version=

unknown

http://www.orbitdownloader.com/file(

unknown

http://obvideo.orbitdownloader.com/orbit/getVideoUrl.php

unknown

https://yt4all.com

unknown

http://www.orbitdownloader.com0

unknown

http://www.orbitdownloader.com/

unknown

https://orbitdownloader.com/#website

unknown

https://orbitdownloader.com/er.com3g

unknown

http://crl.entrust.net/2048ca.crl0

unknown

http://obinstall.rep.orbitdownloader.com/install/install.html?http://obinstallup.rep.orbitdownloader

unknown

http://www.orbitdownloader.com/index.htm

unknown

http://search.orbitdownloader.com/osearch.php?q=%s&type=%s

unknown

https://orbitdownloader.com/xmlrpc.php?rsd

unknown

http://ocsp.entrust.net03

unknown

http://www.orbitdownloader.com/link.php?type=1se

unknown

https://yoast.com/wordpress/plugins/seo/

unknown

http://orbit.brothersoft.com/givesoft_get.php:bottom

unknown

https://orbitdownloader.com/wp-content/uploads/2024/07/cropped-orbitdownloader-192x192.jpg

unknown

http://obuninstall.rep.orbitdownloader.com/install/uninstall.html?

unknown

http://orbit.brothersoft.com/get.php

unknown

http://www.ie7pro.com

unknown

http://www.freemusiczilla.com/

unknown

http://obupdate.orbitdownloader.com/updataGv.php&

unknown

https://orbitdownloader.com/wp-content/uploads/2024/07/cropped-orbitdownloader-32x32.jpg

unknown

http://orbit.brothersoft.com/show.php

unknown

https://orbitdownloader.com/wp-content/themes/raft/assets/fonts/spline-sans-mono/SplineSansMono-Vari

unknown

https://orbitdownloader.com/wp-content/themes/raft/assets/fonts/geologica/Geologica-VariableFont_CRS

unknown

https://orbitdownloader.com/wp-content/themes/raft/assets/fonts/source-serif-pro/SourceSerif4Variabl

unknown

http://ocsp.entrust.net0D

unknown

https://orbitdownloader.com/#organization

unknown

https://orbitdownloader.cob

unknown

http://obupdate.orbitdownloader.com/update/autoup.php?version=4.1.1.19&guid=C34B8125B23A4CE5B6DCAAC7

unknown

http://orbit.brothersoft.com/givesoft_get.php

unknown

http://obvideo.orbitdownloader.com/orbit/getVideoUrl.php%s

unknown

https://orbitdownloader.com/#breadcrumb

unknown

http://crl.entrust.net/server1.crl0

unknown

http://obupdate.orbitdownloader.com/update/myinfo.phpABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstu

unknown

https://orbitdownloader.com/wp-content/uploads/2024/07/cropped-orbitdownloader-150x150.jpg

unknown

https://orbitdownloader.com/0

unknown

http://www.orbitdownloader.com/freeware-download/

unknown

https://orbitdownloader.com/wp-content/themes/raft/assets/fonts/lora/Lora-Italic-VariableFont_wght.t

unknown

https://api.w.org/

unknown

https://orbitdownloader.com/wp-content/themes/raft/assets/css/build/style.css?ver=1.1.5

unknown

https://orbitdownloader.com/wp-json/

unknown

https://orbitdownloader.com/#brea

unknown

http://oblogin.rep.orbitdownloader.com/login/login.html?DLSUCTIPSNTDLGSHOWTIMESDLTIMESSHOWFRAMELOGOU

unknown

https://orbitdownloader.com/#/sche

unknown

https://orbitdownloader.com/wp-content/themes/raft/assets/fonts/figtree/Figtree-Italic-VariableFont_

unknown

https://orbitdownloader.com/?s=

unknown

https://orbitdownloader.com/wp-content/themes/raft/assets/fonts/spline-sans/SplineSans-VariableFont_

unknown

http://forum.orbitdownloader.com/

unknown

https://orbitdownloader.com/wp-content/themes/raft/assets/fonts/outfit/Outfit-VariableFont_wght.ttf

unknown

https://orbitdownloader.com/wp-includes/blocks/navigation/style.min.css?ver=6.6.1

unknown

http://crl.pkioverheid.nl/DomOvLatestCRL.crl0

unknown

http://www.orbitdownloader.com/donation.htm

unknown

https://orbitdownloader.com/wp-content/uploads/2024/07/Orbit-Downloader-new.webp

unknown

https://orbitdownloader.com/wp-includes/blocks/

unknown

http://obinstall.rep.orbitdownloader.com/install/install.html?

unknown

http://www.orbitdownloader.com/update.php

unknown

https://orbitdownloader.com/er.com/g

unknown

http://www.orbitdownloader.com/link.php?type=10

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

oblogin.rep.orbitdownloader.com

188.114.96.6

Details

Name:	oblogin.rep.orbitdownloader.com
IP:	188.114.96.6
TargetID:	0
Current Path:	C:\Users\user\Desktop\ibk0BQaWAo.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

obupdate.orbitdownloader.com

188.114.96.6

Details

Name:	obupdate.orbitdownloader.com
IP:	188.114.96.6
TargetID:	0
Current Path:	C:\Users\user\Desktop\ibk0BQaWAo.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
HTTP GET or POST without a user agent	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

bg.microsoft.map.fastly.net

199.232.210.172

orbitdownloader.com

188.114.96.6

Details

Name:	orbitdownloader.com
IP:	188.114.96.6
TargetID:	0
Current Path:	C:\Users\user\Desktop\ibk0BQaWAo.exe
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
HTTP GET or POST without a user agent	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

188.114.96.6

oblogin.rep.orbitdownloader.com

European Union

Details

IP:	188.114.96.6
TargetID:	0
Current Path:	C:\Users\user\Desktop\ibk0BQaWAo.exe
Country:	European Union
Countrycode:	EU
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	oblogin.rep.orbitdownloader.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

188.114.97.6

unknown

European Union

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8
Value name:	Blob
Value data:	04 00 00 00 01 00 00 00 10 00 00 00 0A 0A 18 29 36 E6 C3 DF 7F A3 4D 0F FD 41 5E 22 14 00 00 00 01 00 00 00 14 00 00 00 BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 F6 11 6B 3A 03 00 00 00 01 00 00 00 14 00 00 00 3F 72 8A 35 DE 52 B2 C8 99 4A 4F B1 01 A0 3B 95 E8 7B 06 C8 0F 00 00 00 01 00 00 00 14 00 00 00 71 75 75 34 54 C2 98 2E 84 ED 48 F5 B4 EE 52 48 7F 4A 37 CD 19 00 00 00 01 00 00 00 10 00 00 00 49 50 8B 6C BE 29 D8 39 31 16 93 FA 24 E5 8D 98 20 00 00 00 01 00 00 00 FD 05 00 00 30 82 05 F9 30 82 03 E1 A0 03 02 01 02 02 09 00 D2 1E F1 F6 E3 4F 6B B8 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 30 81 92 31 0B 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 0C 0A 43 61 6C 69 66 6F 72 6E 69 61 31 16 30 14 06 03 55 04 07 0C 0D 53 61 6E 20 46 72 61 6E 63 69 73 63 6F 31 2A 30 28 06 03 55 04 0A 0C 21 54 68 65 20 55 6E 69 76 65 72 73 65 20 53 65 63 75 72 69 74 79 20 43 6F 6D 70 61 6E 79 20 4C 74 64 31 2A 30 28 06 03 55 04 03 0C 21 54 68 65 20 55 6E 69 76 65 72 73 65 20 53 65 63 75 72 69 74 79 20 43 6F 6D 70 61 6E 79 20 4C 74 64 30 1E 17 0D 31 35 30 33 31 37 31 34 31 36 33 38 5A 17 0D 34 35 30 33 30 39 31 34 31 36 33 38 5A 30 81 92 31 0B 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 0C 0A 43 61 6C 69 66 6F 72 6E 69 61 31 16 30 14 06 03 55 04 07 0C 0D 53 61 6E 20 46 72 61 6E 63 69 73 63 6F 31 2A 30 28 06 03 55 04 0A 0C 21 54 68 65 20 55 6E 69 76 65 72 73 65 20 53 65 63 75 72 69 74 79 20 43 6F 6D 70 61 6E 79 20 4C 74 64 31 2A 30 28 06 03 55 04 03 0C 21 54 68 65 20 55 6E 69 76 65 72 73 65 20 53 65 63 75 72 69 74 79 20 43 6F 6D 70 61 6E 79 20 4C 74 64 30 82 02 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 02 0F 00 30 82 02 0A 02 82 02 01 00 AE 85 81 A8 AB 4F 18 6F B8 FF D9 66 4D B0 3F E7 A3 06 9B 8D 6E 32 30 46 84 32 00 D0 A2 58 15 E3 83 1A 98 23 89 66 FA DC CF E9 B3 3F 7A 15 85 38 42 6D A3 6A 64 14 CB 41 56 ED FE 59 95 38 F1 FA AB E9 4B 06 52 B7 83 58 97 69 5A 3D 75 98 98 9F CE ED 1D 79 20 30 90 20 F1 57 23 2F 00 62 F2 FE BD 48 D8 62 D9 25 72 A2 12 C8 7A 04 2F A5 E3 74 75 DD 7A 1C 60 40 6B 37 C3 D8 4F 7D C1 E7 68 97 5E 36 08 A8 1C 35 78 81 AF A7 4E B4 88 D0 AB 10 74 03 CB 8C 9B AC 63 27 B9 DC 75 E6 6B 5D 32 18 95 0B FD 03 C5 66 DF C6 57 65 56 E9 77 31 59 42 23 46 2D 2A 03 7B 32 C5 3B AB C6 6A 2F B5 48 7F 9E 7A 61 60 40 DA AA 16 B4 38 26 8D B3 71 4A 6D 28 4A 21 0E 26 DA D0 30 B3 FA 74 3E CF EF 28 24 47 39 B8 EE 10 06 5A 65 67 F2 37 66 D9 57 26 A4 2A 9B DF A0 37 5D C0 ED 65 59 F9 E9 E6 F8 8E A7 AE 3A F4 72 E5 F8 62 BB B5 97 A7 A0 1C 32 5B 35 14 43 53 6B C4 C9 E8 3E 21 61 8C 3C 3F CE 4A 14 8B DA 41 39 D1 C5 E3 34 A3 C4 44 0C 5D BB 0D 78 E8 31 BE 4A A9 CF B3 D5 12 21 AE 6D 28 4C 86 98 E4 0A 99 81 BF 98 11 99 86 28 AB EB 15 EF A9 50 B9 43 AE B1 03 69 06 63 6D 11 93 D9 C0 FB 97 FE 0A F5 CD 4F 10 90 9E 19 FB 6F 66 44 0C 50 20 B1 A3 A7 27 45 15 FA C9 45 20 EA B9 DF CE C6 E4 61 4F 08 09 FA 5D 13 8F 03 FB DA 95 85 E0 5C BC 2D A9 CC 8E BA 76 B9 6A 80 2E 69 74 62 19 28 02 EC 60 11 A6 0F 64 C2 FF 9B 5E 7D 0F F1 D4 6B 4D FD 99 BB C1 3D 05 DE 6E F2 B2 CE 1F 51 A5 E3 43 D1 E7 24 76 36 2F 9A 02 0D DA 34 A6 2D E0 1D 22 14 C5 7E FD B7 0F 31 B1 4A D0 AA A7 73 57 C5 C2 63 D8 C3 2F 37 39 12 BF C0 91 F7 AC A6 AB 48 ED 82 4B C7 4D 30 06 EA 6C A7 C2 B1 A1 09 02 96 6A 3D 02 03 01 00 01 A3 50 30 4E 30 1D 06 03 55 1D 0E 04 16 04 14 BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 F6 11 6B 3A 30 1F 06 03 55 1D 23 04 18 30 16 80 14 BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 F6 11 6B 3A 30 0C 06 03 55 1D 13 04 05 30 03 01 01 FF 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 82 02 01 00 48 3C 18 2B 72 E4 57 52 A8 95 35 C6 A1 73 71 20 85 20 94 FF 55 E7 1B 02 9C 05 C8 31 F8 85 B2 79 BE B2 47 55 74 E0 55 70 6B 17 24 9F 0B 6A 92 FE 41 04 22 4F 25 F4 5C DA 25 EF A9 32 CD CC 57 AD 88 5B 56 14 5F 7A 38 02 D3 18 23 8D A5 D8 FB 9F 43 A3 1A 68 2E 42 06 72 26 01 A2 EB DB AF 70 2E 57 12 35 7C B2 A1 EF AB 12 E0 81 55 84 37 C8 FD 95 AE DE 58 60 40 52 A1 C7 75 18 A1 2F 92 5A C0 AB C9 1B A7 17 19 4E 4D D8 53 FB C6 C3 7C 33 53 51 5B 3A 64 31 60 A4 B3 07 72 D7 39 1A F9 8A A2 70 E4 B4 D6 BF 6A AD 24 76 74 CE C7 EA 87 3E 28 6C EF 08 09 4F 79 FB CF 77 FF FA F8 77 04 4A 30 90 5B 27 11 5C 79 60 60 64 1A CB 6E 2C 5E 1C B0 53 AC 28 4A 8B 8B DF AE 01 41 D2 12 3F 7B 22 54 D2 8E 3C C4 A1 FF 4A 6C D3 1B EB 1D 35 94 14 F5 79 44 BE C2 E6 93 9B BA 4D D0 81 94 E9 25 BE 43 FC 2C 92 E5 CA DC 5D 9D CF CA 8B CF 0C E0 3D 29 21 44 4A C0 19 F4 F3 D5 7E F5 74 35 2B FC DF A3 F7 3C C5 D6 7A 7A 0B B6 2B C7 BF F9 8F 6E B5 56 44 0F A9 45 80 9F 88 21 82 99 2C DC 85 DA 25 65 55 ED D3 1C 36 4E D6 63 46 68 AF 6C 87 5C C5 F6 89 C2 E1 70 F4 87 0F F1 DE F0 8E 72 E4 CA CB 83 2B CD B1 7A 54 41 AF 97 38 DF F7 EA 8C 7A B2 D1 1B E9 E9 D3 BF 41 0F 21 F0 AA 8D 95 B6 CD 91 90 DF 71 E7 72 96 9D 3F 18 B9 98 8C CE 15 45 99 83 FB BD 61 4E AD 63 36 71 86 5D BD A3 17 61 6F 31 57 A4 25 3D ED 24 6A 9E 94 E0 D8 67 F0 17 12 86 B7 4E 65 93 A6 BD 8A 2A 06 6B EC 0F DE E0 B5 9C A0 AF D5 A4 32 A2 70 75 A1 02 A9 7F 85 D9 39 38 80 BB 41 A6 0F A3 8D 1F F1 66 E0 04 B3 A2 88 03 8B A7 AF E1 A1 60 95 F6 CB 76 12 C8 51 83 1E 14 E2 0B B5 6C F1 4B 96 21 F9 DE AA B2 CD 71 B8 63

Signature Hits	Behavior Group	Mitre Attack
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8

Blob

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8
Value name:	Blob
Value data:	5C 00 00 00 01 00 00 00 04 00 00 00 00 10 00 00 19 00 00 00 01 00 00 00 10 00 00 00 49 50 8B 6C BE 29 D8 39 31 16 93 FA 24 E5 8D 98 0F 00 00 00 01 00 00 00 14 00 00 00 71 75 75 34 54 C2 98 2E 84 ED 48 F5 B4 EE 52 48 7F 4A 37 CD 03 00 00 00 01 00 00 00 14 00 00 00 3F 72 8A 35 DE 52 B2 C8 99 4A 4F B1 01 A0 3B 95 E8 7B 06 C8 14 00 00 00 01 00 00 00 14 00 00 00 BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 F6 11 6B 3A 04 00 00 00 01 00 00 00 10 00 00 00 0A 0A 18 29 36 E6 C3 DF 7F A3 4D 0F FD 41 5E 22 20 00 00 00 01 00 00 00 FD 05 00 00 30 82 05 F9 30 82 03 E1 A0 03 02 01 02 02 09 00 D2 1E F1 F6 E3 4F 6B B8 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 30 81 92 31 0B 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 0C 0A 43 61 6C 69 66 6F 72 6E 69 61 31 16 30 14 06 03 55 04 07 0C 0D 53 61 6E 20 46 72 61 6E 63 69 73 63 6F 31 2A 30 28 06 03 55 04 0A 0C 21 54 68 65 20 55 6E 69 76 65 72 73 65 20 53 65 63 75 72 69 74 79 20 43 6F 6D 70 61 6E 79 20 4C 74 64 31 2A 30 28 06 03 55 04 03 0C 21 54 68 65 20 55 6E 69 76 65 72 73 65 20 53 65 63 75 72 69 74 79 20 43 6F 6D 70 61 6E 79 20 4C 74 64 30 1E 17 0D 31 35 30 33 31 37 31 34 31 36 33 38 5A 17 0D 34 35 30 33 30 39 31 34 31 36 33 38 5A 30 81 92 31 0B 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 0C 0A 43 61 6C 69 66 6F 72 6E 69 61 31 16 30 14 06 03 55 04 07 0C 0D 53 61 6E 20 46 72 61 6E 63 69 73 63 6F 31 2A 30 28 06 03 55 04 0A 0C 21 54 68 65 20 55 6E 69 76 65 72 73 65 20 53 65 63 75 72 69 74 79 20 43 6F 6D 70 61 6E 79 20 4C 74 64 31 2A 30 28 06 03 55 04 03 0C 21 54 68 65 20 55 6E 69 76 65 72 73 65 20 53 65 63 75 72 69 74 79 20 43 6F 6D 70 61 6E 79 20 4C 74 64 30 82 02 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 02 0F 00 30 82 02 0A 02 82 02 01 00 AE 85 81 A8 AB 4F 18 6F B8 FF D9 66 4D B0 3F E7 A3 06 9B 8D 6E 32 30 46 84 32 00 D0 A2 58 15 E3 83 1A 98 23 89 66 FA DC CF E9 B3 3F 7A 15 85 38 42 6D A3 6A 64 14 CB 41 56 ED FE 59 95 38 F1 FA AB E9 4B 06 52 B7 83 58 97 69 5A 3D 75 98 98 9F CE ED 1D 79 20 30 90 20 F1 57 23 2F 00 62 F2 FE BD 48 D8 62 D9 25 72 A2 12 C8 7A 04 2F A5 E3 74 75 DD 7A 1C 60 40 6B 37 C3 D8 4F 7D C1 E7 68 97 5E 36 08 A8 1C 35 78 81 AF A7 4E B4 88 D0 AB 10 74 03 CB 8C 9B AC 63 27 B9 DC 75 E6 6B 5D 32 18 95 0B FD 03 C5 66 DF C6 57 65 56 E9 77 31 59 42 23 46 2D 2A 03 7B 32 C5 3B AB C6 6A 2F B5 48 7F 9E 7A 61 60 40 DA AA 16 B4 38 26 8D B3 71 4A 6D 28 4A 21 0E 26 DA D0 30 B3 FA 74 3E CF EF 28 24 47 39 B8 EE 10 06 5A 65 67 F2 37 66 D9 57 26 A4 2A 9B DF A0 37 5D C0 ED 65 59 F9 E9 E6 F8 8E A7 AE 3A F4 72 E5 F8 62 BB B5 97 A7 A0 1C 32 5B 35 14 43 53 6B C4 C9 E8 3E 21 61 8C 3C 3F CE 4A 14 8B DA 41 39 D1 C5 E3 34 A3 C4 44 0C 5D BB 0D 78 E8 31 BE 4A A9 CF B3 D5 12 21 AE 6D 28 4C 86 98 E4 0A 99 81 BF 98 11 99 86 28 AB EB 15 EF A9 50 B9 43 AE B1 03 69 06 63 6D 11 93 D9 C0 FB 97 FE 0A F5 CD 4F 10 90 9E 19 FB 6F 66 44 0C 50 20 B1 A3 A7 27 45 15 FA C9 45 20 EA B9 DF CE C6 E4 61 4F 08 09 FA 5D 13 8F 03 FB DA 95 85 E0 5C BC 2D A9 CC 8E BA 76 B9 6A 80 2E 69 74 62 19 28 02 EC 60 11 A6 0F 64 C2 FF 9B 5E 7D 0F F1 D4 6B 4D FD 99 BB C1 3D 05 DE 6E F2 B2 CE 1F 51 A5 E3 43 D1 E7 24 76 36 2F 9A 02 0D DA 34 A6 2D E0 1D 22 14 C5 7E FD B7 0F 31 B1 4A D0 AA A7 73 57 C5 C2 63 D8 C3 2F 37 39 12 BF C0 91 F7 AC A6 AB 48 ED 82 4B C7 4D 30 06 EA 6C A7 C2 B1 A1 09 02 96 6A 3D 02 03 01 00 01 A3 50 30 4E 30 1D 06 03 55 1D 0E 04 16 04 14 BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 F6 11 6B 3A 30 1F 06 03 55 1D 23 04 18 30 16 80 14 BB 3B 3F AA 10 70 C8 55 F7 24 E9 3B FD 32 19 F4 F6 11 6B 3A 30 0C 06 03 55 1D 13 04 05 30 03 01 01 FF 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 82 02 01 00 48 3C 18 2B 72 E4 57 52 A8 95 35 C6 A1 73 71 20 85 20 94 FF 55 E7 1B 02 9C 05 C8 31 F8 85 B2 79 BE B2 47 55 74 E0 55 70 6B 17 24 9F 0B 6A 92 FE 41 04 22 4F 25 F4 5C DA 25 EF A9 32 CD CC 57 AD 88 5B 56 14 5F 7A 38 02 D3 18 23 8D A5 D8 FB 9F 43 A3 1A 68 2E 42 06 72 26 01 A2 EB DB AF 70 2E 57 12 35 7C B2 A1 EF AB 12 E0 81 55 84 37 C8 FD 95 AE DE 58 60 40 52 A1 C7 75 18 A1 2F 92 5A C0 AB C9 1B A7 17 19 4E 4D D8 53 FB C6 C3 7C 33 53 51 5B 3A 64 31 60 A4 B3 07 72 D7 39 1A F9 8A A2 70 E4 B4 D6 BF 6A AD 24 76 74 CE C7 EA 87 3E 28 6C EF 08 09 4F 79 FB CF 77 FF FA F8 77 04 4A 30 90 5B 27 11 5C 79 60 60 64 1A CB 6E 2C 5E 1C B0 53 AC 28 4A 8B 8B DF AE 01 41 D2 12 3F 7B 22 54 D2 8E 3C C4 A1 FF 4A 6C D3 1B EB 1D 35 94 14 F5 79 44 BE C2 E6 93 9B BA 4D D0 81 94 E9 25 BE 43 FC 2C 92 E5 CA DC 5D 9D CF CA 8B CF 0C E0 3D 29 21 44 4A C0 19 F4 F3 D5 7E F5 74 35 2B FC DF A3 F7 3C C5 D6 7A 7A 0B B6 2B C7 BF F9 8F 6E B5 56 44 0F A9 45 80 9F 88 21 82 99 2C DC 85 DA 25 65 55 ED D3 1C 36 4E D6 63 46 68 AF 6C 87 5C C5 F6 89 C2 E1 70 F4 87 0F F1 DE F0 8E 72 E4 CA CB 83 2B CD B1 7A 54 41 AF 97 38 DF F7 EA 8C 7A B2 D1 1B E9 E9 D3 BF 41 0F 21 F0 AA 8D 95 B6 CD 91 90 DF 71 E7 72 96 9D 3F 18 B9 98 8C CE 15 45 99 83 FB BD 61 4E AD 63 36 71 86 5D BD A3 17 61 6F 31 57 A4 25 3D ED 24 6A 9E 94 E0 D8 67 F0 17 12 86 B7 4E 65 93 A6 BD 8A 2A 06 6B EC 0F DE E0 B5 9C A0 AF D5 A4 32 A2 70 75 A1 02 A9 7F 85 D9 39 38 80 BB 41 A6 0F A3 8D 1F F1 66 E0 04 B3 A2 88 03 8B A7 AF E1 A1 60 95 F6 CB 76 12 C8 51 83 1E 14 E2 0B B5 6C F1 4B 96 21 F9 DE AA B2 CD 71 B8 63

Signature Hits	Behavior Group	Mitre Attack
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\orbit

updatetime

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

SavedLegacySettings

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Value name:	SavedLegacySettings
Value data:	46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Modification of IE Registry Settings	System Summary

Memdumps

Base Address

Regiontype

Protect

Malicious

740000

heap

page read and write

70B000

heap

page read and write

740000

heap

page read and write

755000

heap

page read and write

3691000

heap

page read and write

4080000

remote allocation

page read and write

7D0000

heap

page read and write

220A000

heap

page read and write

20DF000

stack

page read and write

3F30000

trusted library allocation

page read and write

701000

heap

page read and write

3F30000

trusted library allocation

page read and write

3F30000

trusted library allocation

page read and write

844000

heap

page read and write

5A0000

unkown

page readonly

28FF000

stack

page read and write

71A000

heap

page read and write

724000

heap

page read and write

633000

unkown

page readonly

755000

heap

page read and write

3F30000

trusted library allocation

page read and write

3F30000

trusted library allocation

page read and write

620000

unkown

page readonly

2200000

heap

page read and write

3F30000

trusted library allocation

page read and write

56F000

unkown

page readonly

36A3000

heap

page read and write

3B8C000

stack

page read and write

3F30000

trusted library allocation

page read and write

3EED000

stack

page read and write

3F30000

trusted library allocation

page read and write

7DA000

heap

page read and write

765000

heap

page read and write

712000

heap

page read and write

6FB000

heap

page read and write

5A0000

unkown

page readonly

6FB000

heap

page read and write

667000

unkown

page readonly

755000

heap

page read and write

340000

heap

page read and write

664000

unkown

page readonly

6FB000

heap

page read and write

3F30000

trusted library allocation

page read and write

7DE000

heap

page read and write

6DF000

heap

page read and write

614000

unkown

page readonly

701000

heap

page read and write

3F30000

trusted library allocation

page read and write

3F30000

trusted library allocation

page read and write

3DAC000

stack

page read and write

35EF000

stack

page read and write

36B3000

heap

page read and write

747000

heap

page read and write

401000

unkown

page execute read

61E000

unkown

page readonly

58D000

unkown

page write copy

6CA000

heap

page read and write

73D000

heap

page read and write

85D000

heap

page read and write

747000

heap

page read and write

65D000

unkown

page readonly

474E000

stack

page read and write

2227000

heap

page read and write

3F30000

trusted library allocation

page read and write

614000

unkown

page readonly

879000

heap

page read and write

717000

heap

page read and write

747000

heap

page read and write

3ABD000

stack

page read and write

3F30000

trusted library allocation

page read and write

6FE000

heap

page read and write

66A000

unkown

page readonly

61B000

unkown

page readonly

593000

unkown

page read and write

58D000

unkown

page read and write

8E8000

heap

page read and write

671000

unkown

page readonly

484F000

stack

page read and write

6CA000

heap

page read and write

733000

heap

page read and write

3F30000

trusted library allocation

page read and write

740000

heap

page read and write

90B000

heap

page read and write

65F000

unkown

page readonly

747000

heap

page read and write

7D6000

heap

page read and write

4080000

remote allocation

page read and write

701000

heap

page read and write

332F000

stack

page read and write

715000

heap

page read and write

82E000

heap

page read and write

671000

unkown

page readonly

4510000

heap

page read and write

76D000

heap

page read and write

70B000

heap

page read and write

720000

heap

page read and write

755000

heap

page read and write

27CB000

heap

page read and write

65A000

unkown

page readonly

732000

heap

page read and write

773000

heap

page read and write

773000

heap

page read and write

400000

unkown

page readonly

3FE000

stack

page read and write

66C000

unkown

page readonly

260F000

stack

page read and write

4523000

heap

page read and write

8AE000

heap

page read and write

598000

unkown

page read and write

36B3000

heap

page read and write

8C0000

heap

page read and write

8B6000

heap

page read and write

3F30000

trusted library allocation

page read and write

3F30000

trusted library allocation

page read and write

623000

unkown

page readonly

457B000

heap

page read and write

270F000

stack

page read and write

6A0000

heap

page read and write

747000

heap

page read and write

739000

heap

page read and write

3DEC000

stack

page read and write

3F30000

trusted library allocation

page read and write

10000

heap

page read and write

709000

heap

page read and write

740000

heap

page read and write

6BD000

heap

page read and write

362C000

stack

page read and write

56F000

unkown

page readonly

592000

unkown

page write copy

635000

unkown

page readonly

8EC000

heap

page read and write

594000

unkown

page write copy

71A000

heap

page read and write

732000

heap

page read and write

740000

heap

page read and write

3AC0000

trusted library allocation

page read and write

336E000

stack

page read and write

3F30000

trusted library allocation

page read and write

33AC000

stack

page read and write

623000

unkown

page readonly

27C4000

heap

page read and write

715000

heap

page read and write

274E000

stack

page read and write

82A000

heap

page read and write

611000

unkown

page readonly

65D000

unkown

page readonly

738000

heap

page read and write

3F6F000

stack

page read and write

635000

unkown

page readonly

732000

heap

page read and write

430F000

stack

page read and write

3F30000

trusted library allocation

page read and write

662000

unkown

page readonly

747000

heap

page read and write

616000

unkown

page readonly

4517000

heap

page read and write

65A000

unkown

page readonly

3F30000

trusted library allocation

page read and write

27C0000

heap

page read and write

2132000

heap

page read and write

773000

heap

page read and write

33B0000

heap

page read and write

3F30000

trusted library allocation

page read and write

6E4000

heap

page read and write

3F30000

trusted library allocation

page read and write

3692000

heap

page read and write

3F30000

trusted library allocation

page read and write

732000

heap

page read and write

740000

heap

page read and write

6BF000

heap

page read and write

619000

unkown

page readonly

86000

stack

page read and write

740000

heap

page read and write

4090000

heap

page read and write

2114000

heap

page read and write

3F30000

trusted library allocation

page read and write

667000

unkown

page readonly

701000

heap

page read and write

705000

heap

page read and write

620000

unkown

page readonly

732000

heap

page read and write

611000

unkown

page readonly

4050000

heap

page read and write

420F000

stack

page read and write

400000

unkown

page readonly

86F000

heap

page read and write

767000

heap

page read and write

734000

heap

page read and write

747000

heap

page read and write

66A000

unkown

page readonly

38BE000

stack

page read and write

27C8000

heap

page read and write

820000

heap

page read and write

740000

heap

page read and write

81F000

stack

page read and write

2110000

heap

page read and write

8EF000

heap

page read and write

827000

heap

page read and write

755000

heap

page read and write

61E000

unkown

page readonly

61B000

unkown

page readonly

616000

unkown

page readonly

662000

unkown

page readonly

218E000

stack

page read and write

701000

heap

page read and write

664000

unkown

page readonly

4539000

heap

page read and write

748000

heap

page read and write

6FB000

heap

page read and write

3F30000

trusted library allocation

page read and write

3F30000

trusted library allocation

page read and write

701000

heap

page read and write

3F30000

trusted library allocation

page read and write

709000

heap

page read and write

66C000

unkown

page readonly

619000

unkown

page readonly

65F000

unkown

page readonly

6CE000

heap

page read and write

755000

heap

page read and write

70B000

heap

page read and write

701000

heap

page read and write

39BD000

stack

page read and write

3680000

heap

page read and write

452B000

heap

page read and write

71E000

heap

page read and write

3BA0000

heap

page read and write

773000

heap

page read and write

747000

heap

page read and write

36A2000

heap

page read and write

3F30000

trusted library allocation

page read and write

401000

unkown

page execute read

410E000

stack

page read and write

186000

stack

page read and write

633000

unkown

page readonly

762000

heap

page read and write

747000

heap

page read and write

There are 226 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
ibk0BQaWAo

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportibk0BQaWAo

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
ibk0BQaWAo