Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

KBDFW9FTsq.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.083544131783037
Filename:	KBDFW9FTsq.exe
Filesize:	311296
MD5:	01995be1c953e0f7640f17b5c2247bc2
SHA1:	02abc4ef1134362ded897ebe2806d121522dbf65
SHA256:	732c3a097337212ea87c31a6df3e78790963f330c7c0318a5ddeec8576f83123
SHA512:	b9e92edafba6499a38c7c7b3ce1a315acf57e21d5f4ecf8a1d6e75c631088b070169cc9ada1d4ad3743f3259990a551e0bf4121da38fb642221bf53bddc38f7f
SSDEEP:	3072:5q6EgY6i1rUjphYowPel9o4TWLZTTAotA/iBMcZqf7D34leqiOLibBOZ:IqY6igwPWxKZTTA0AeMcZqf7DIvL
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............f.... ... ....@.. ....................... ............@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation Security Software Discovery
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping
Tries to steal Crypto Currency Wallets	Stealing of Sensitive Information
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops certificate files (DER)	E-Banking Fraud
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KBDFW9FTsq.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KBDFW9FTsq.exe.log
Category:	dropped
Dump:	KBDFW9FTsq.exe.log.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\KBDFW9FTsq.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.3318368586986695
Encrypted:	false
Ssdeep:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlq0
Size:	3274
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\Public\Desktop\Google Chrome.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 13:16:56 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide

dropped

Details

File:	C:\Users\Public\Desktop\Google Chrome.lnk
Category:	dropped
Dump:	Google Chrome.lnk.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\KBDFW9FTsq.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 13:16:56 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Entropy:	3.449633847939307
Encrypted:	false
Ssdeep:	48:8Sh9l2dfTXdARYrnvPdAKRkdAGdAKRFdAKRE:8Sh9lO7
Size:	2104
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\Tmp396C.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Tmp396C.tmp
Category:	dropped
Dump:	Tmp396C.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\KBDFW9FTsq.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\Tmp397D.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Tmp397D.tmp
Category:	dropped
Dump:	Tmp397D.tmp.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\KBDFW9FTsq.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
Category:	dropped
Dump:	76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\KBDFW9FTsq.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	2251
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\KBDFW9FTsq.exe

"C:\Users\user\Desktop\KBDFW9FTsq.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6504
Target ID:	0
Parent PID:	1028
Name:	KBDFW9FTsq.exe
Path:	C:\Users\user\Desktop\KBDFW9FTsq.exe
Commandline:	"C:\Users\user\Desktop\KBDFW9FTsq.exe"
Size:	311296
MD5:	01995BE1C953E0F7640F17B5C2247BC2
Time:	05:02:02
Date:	26/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x380000
Modulesize:	335872
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/sct

unknown

https://duckduckgo.com/chrome_newtab

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk

unknown

https://duckduckgo.com/ac/?q=

unknown

http://tempuri.org/Entity/Id14ResponseD

unknown

http://tempuri.org/Entity/Id23ResponseD

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

unknown

http://tempuri.org/Entity/Id12Response

unknown

http://tempuri.org/

unknown

http://tempuri.org/Entity/Id2Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1

unknown

http://tempuri.org/Entity/Id21Response

unknown

http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap

unknown

http://tempuri.org/Entity/Id9

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID

unknown

http://tempuri.org/Entity/Id8

unknown

http://tempuri.org/Entity/Id6ResponseD

unknown

http://tempuri.org/Entity/Id5

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare

unknown

http://tempuri.org/Entity/Id4

unknown

http://tempuri.org/Entity/Id7

unknown

http://tempuri.org/Entity/Id6

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret

unknown

http://tempuri.org/Entity/Id19Response

unknown

http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

http://tempuri.org/Entity/Id13ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/fault

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey

unknown

http://tempuri.org/Entity/Id15Response

unknown

http://tempuri.org/Entity/Id5ResponseD

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register

unknown

http://tempuri.org/Entity/Id6Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey

unknown

https://api.ip.sb/ip

unknown

http://schemas.xmlsoap.org/ws/2004/04/sc

unknown

http://tempuri.org/Entity/Id1ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel

unknown

http://tempuri.org/Entity/Id9Response

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://tempuri.org/Entity/Id20

unknown

http://tempuri.org/Entity/Id21

unknown

http://tempuri.org/Entity/Id22

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1

unknown

http://tempuri.org/Entity/Id23

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1

unknown

http://tempuri.org/Entity/Id24

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue

unknown

http://tempuri.org/Entity/Id24Response

unknown

https://www.ecosia.org/newtab/

unknown

http://tempuri.org/Entity/Id1Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey

unknown

http://tempuri.org/Entity/Id21ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust

unknown

http://tempuri.org/Entity/Id10

unknown

http://tempuri.org/Entity/Id11

unknown

http://tempuri.org/Entity/Id12

unknown

http://tempuri.org/Entity/Id16Response

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel

unknown

http://tempuri.org/Entity/Id13

unknown

http://tempuri.org/Entity/Id14

unknown

http://tempuri.org/Entity/Id15

unknown

http://tempuri.org/Entity/Id16

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce

unknown

http://tempuri.org/Entity/Id17

unknown

http://tempuri.org/Entity/Id18

unknown

http://tempuri.org/Entity/Id5Response

unknown

http://tempuri.org/Entity/Id19

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns

unknown

http://tempuri.org/Entity/Id15ResponseD

unknown

http://tempuri.org/Entity/Id10Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Renew

unknown

http://tempuri.org/Entity/Id11ResponseD

unknown

http://tempuri.org/Entity/Id8Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT

unknown

http://schemas.xmlsoap.org/ws/2006/02/addressingidentity

unknown

http://tempuri.org/Entity/Id17ResponseD

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://tempuri.org/Entity/Id8ResponseD

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey

unknown

There are 90 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

95.179.250.45

unknown

Netherlands

Details

IP:	95.179.250.45
TargetID:	0
Current Path:	C:\Users\user\Desktop\KBDFW9FTsq.exe
Country:	Netherlands
Countrycode:	NLD
ASN number:	20473
ASN name:	AS-CHOOPAUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Suricata IDS alerts for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064

Blob

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064
Value name:	Blob
Value data:	0B 00 00 00 01 00 00 00 48 00 00 00 54 00 69 00 74 00 61 00 6E 00 69 00 75 00 6D 00 20 00 52 00 6F 00 6F 00 74 00 20 00 43 00 65 00 72 00 74 00 69 00 66 00 69 00 63 00 61 00 74 00 65 00 20 00 41 00 75 00 74 00 68 00 6F 00 72 00 69 00 74 00 79 00 00 00 02 00 00 00 01 00 00 00 CC 00 00 00 1C 00 00 00 6C 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 7B 00 34 00 31 00 37 00 34 00 34 00 42 00 45 00 34 00 2D 00 31 00 31 00 43 00 35 00 2D 00 34 00 39 00 34 00 43 00 2D 00 41 00 32 00 31 00 33 00 2D 00 42 00 41 00 30 00 43 00 45 00 39 00 34 00 34 00 39 00 33 00 38 00 45 00 7D 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 45 00 6E 00 68 00 61 00 6E 00 63 00 65 00 64 00 20 00 43 00 72 00 79 00 70 00 74 00 6F 00 67 00 72 00 61 00 70 00 68 00 69 00 63 00 20 00 50 00 72 00 6F 00 76 00 69 00 64 00 65 00 72 00 20 00 76 00 31 00 2E 00 30 00 00 00 00 00 03 00 00 00 01 00 00 00 14 00 00 00 F1 A5 78 C4 CB 5D E7 9A 37 08 93 98 3F D4 DA 8B 67 B2 B0 64 20 00 00 00 01 00 00 00 0A 03 00 00 30 82 03 06 30 82 01 EE A0 03 02 01 02 02 08 67 F7 BE B9 6A 4C 27 98 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 1E 17 0D 32 33 30 33 31 34 31 30 33 35 32 30 5A 17 0D 32 36 30 36 31 37 31 30 33 35 32 30 5A 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 86 E4 57 7A 58 61 CE 81 91 77 D0 05 FA 51 D5 51 5A 93 6C 61 0C CF CB DE 53 32 CD 15 1D A6 47 EE 88 1A 24 5C 9B 02 83 3B 02 AF 3D 76 FE 20 BD 3B FA F7 A2 09 73 E7 2E BD 94 40 D0 9D 8C 3D 27 13 BD F0 D0 9F EB 95 32 AC D7 A4 2D A2 A9 52 DA A8 6A 2A 88 EE 42 7D 30 95 9D 90 BF BA 05 27 6A A0 29 98 A6 98 6F C0 13 06 62 9B 79 B8 40 5D 1F 1F A6 D9 A4 2F 82 7A FC 75 66 34 0D C2 DE 27 01 2B 94 BB 4A 27 B3 CB 1C 21 9A 3C B2 C1 42 03 F3 44 51 BD 62 65 20 ED D4 DB CC 41 4F 59 3F 2A CB C4 84 79 F7 14 3C BE 13 9C FD 12 9C 91 3E 53 03 DC 20 F9 4C 44 35 89 01 B6 9A 84 8D 7E A0 2E 30 8A 31 15 60 AC 00 AE 00 9A 29 10 9A EE D9 71 3D D8 91 9B 97 ED 59 80 58 E1 7F 07 26 C7 A0 20 F7 10 AB C0 62 91 DF AA F1 81 C6 BE 6A 76 C8 9C B6 8E B0 B0 EC 1C D9 5F 32 6C 7E 55 58 8B FD 76 C5 19 02 03 01 00 01 A3 28 30 26 30 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 03 82 01 01 00 70 85 12 93 D7 57 E9 82 79 7D C5 F7 F2 7D A8 94 EF 0C DB 32 9F 06 A6 09 6E 0C F6 04 B0 E5 47 11 56 0E F4 0F 52 82 08 2E 21 0F 55 A3 DB 41 F3 12 54 8B 76 11 F5 F0 DA CE A3 C7 8B 13 F6 FC 24 3C 02 B1 06 66 5B E6 9E 18 40 88 41 5B 27 39 99 B8 77 BE E3 53 A2 48 CE C7 EE B5 A0 95 C2 17 4B C9 52 6C AF E3 37 2C 59 DB FB E7 58 13 4E D3 51 E5 14 72 73 FE C6 85 77 AE 45 52 A6 F9 9A C8 0C A8 D0 EE 42 2A F5 28 85 8C 6B E8 1C B0 A8 03 1A B0 AE 83 C0 EB 55 64 F4 E8 7A 5C 06 29 5D 39 03 EE E2 FD F9 2D 62 A7 F4 D4 05 4D EA A7 9B CA EB DA 4E 8B 1A 6E FD 42 AE F9 D0 1C 70 75 72 8C B1 3A A8 55 7C 85 A7 25 32 B5 E2 D6 C3 E5 50 41 C9 86 7C A8 F5 62 BB D2 AB 0C 37 10 D8 31 73 EC 37 81 D1 DC AA C5 C6 E0 7E E7 26 62 4D FD C5 81 4C FF D3 36 E1 79 32 F8 9B EB 9C F7 FD BE E9 BE BF 61

Signature Hits	Behavior Group	Mitre Attack
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFiles0000

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFilesHash

Memdumps

Base Address

Regiontype

Protect

Malicious

382000

unkown

page readonly

3B48000

trusted library allocation

page read and write

6C9F000

trusted library allocation

page read and write

3851000

trusted library allocation

page read and write

4BF0000

trusted library allocation

page read and write

4CEE000

stack

page read and write

59AF000

stack

page read and write

57DE000

heap

page read and write

2CAB000

trusted library allocation

page read and write

3838000

trusted library allocation

page read and write

8890000

trusted library allocation

page read and write

2B84000

trusted library allocation

page read and write

60A8000

heap

page read and write

381E000

trusted library allocation

page read and write

921E000

heap

page read and write

97B0000

heap

page read and write

3B15000

trusted library allocation

page read and write

6DC0000

trusted library allocation

page execute and read and write

3782000

trusted library allocation

page read and write

67F0000

trusted library allocation

page read and write

38D8000

trusted library allocation

page read and write

4F20000

heap

page execute and read and write

6C88000

trusted library allocation

page read and write

9223000

heap

page read and write

2761000

trusted library allocation

page read and write

5EF8000

trusted library allocation

page read and write

B57000

heap

page read and write

AD2000

heap

page read and write

86B0000

trusted library allocation

page read and write

6C8A000

trusted library allocation

page read and write

2D7F000

trusted library allocation

page read and write

602C000

heap

page read and write

9110000

trusted library allocation

page execute and read and write

6CB0000

trusted library allocation

page read and write

6C95000

trusted library allocation

page read and write

4C70000

trusted library allocation

page read and write

289D000

trusted library allocation

page read and write

2C62000

trusted library allocation

page read and write

68C0000

trusted library allocation

page read and write

6B17000

trusted library allocation

page read and write

6045000

heap

page read and write

6C79000

trusted library allocation

page read and write

8680000

trusted library allocation

page execute and read and write

91A6000

heap

page read and write

6435000

trusted library allocation

page read and write

82E000

stack

page read and write

2CB7000

trusted library allocation

page read and write

92A1000

heap

page read and write

607A000

heap

page read and write

5FA0000

heap

page read and write

6420000

trusted library allocation

page read and write

4BAB000

trusted library allocation

page read and write

62AE000

stack

page read and write

A90000

heap

page read and write

CB6000

trusted library allocation

page execute and read and write

5A2E000

stack

page read and write

6830000

trusted library allocation

page read and write

273C000

stack

page read and write

3803000

trusted library allocation

page read and write

67AF000

stack

page read and write

2B86000

trusted library allocation

page read and write

3ACF000

trusted library allocation

page read and write

9288000

heap

page read and write

385C000

trusted library allocation

page read and write

90CF000

stack

page read and write

A28D000

stack

page read and write

59EE000

stack

page read and write

4BCD000

trusted library allocation

page read and write

6CB8000

trusted library allocation

page read and write

AE8E000

stack

page read and write

8665000

trusted library allocation

page read and write

5FC0000

trusted library allocation

page execute and read and write

3896000

trusted library allocation

page read and write

950E000

stack

page read and write

6B20000

heap

page read and write

37EE000

trusted library allocation

page read and write

C90000

trusted library allocation

page read and write

4C43000

heap

page read and write

8760000

trusted library allocation

page read and write

CF0000

heap

page read and write

910E000

stack

page read and write

3AE7000

trusted library allocation

page read and write

387E000

trusted library allocation

page read and write

380000

unkown

page readonly

380C000

trusted library allocation

page read and write

4BE0000

trusted library allocation

page read and write

940E000

stack

page read and write

2892000

trusted library allocation

page read and write

2D9F000

trusted library allocation

page read and write

2B80000

trusted library allocation

page read and write

91B5000

heap

page read and write

93CE000

stack

page read and write

91F8000

heap

page read and write

6610000

trusted library allocation

page execute and read and write

3B52000

trusted library allocation

page read and write

608E000

heap

page read and write

6D07000

trusted library allocation

page read and write

37F8000

trusted library allocation

page read and write

51AE000

stack

page read and write

AC4000

heap

page read and write

3891000

trusted library allocation

page read and write

A6E000

stack

page read and write

4BE5000

trusted library allocation

page read and write

285F000

trusted library allocation

page read and write

5FB0000

trusted library allocation

page execute and read and write

60BE000

heap

page read and write

3AC8000

trusted library allocation

page read and write

9190000

heap

page read and write

2C8E000

trusted library allocation

page read and write

D40000

trusted library allocation

page read and write

2548000

trusted library allocation

page read and write

516F000

stack

page read and write

6810000

trusted library allocation

page execute and read and write

631E000

stack

page read and write

6D05000

trusted library allocation

page read and write

3877000

trusted library allocation

page read and write

3AD9000

trusted library allocation

page read and write

6B1A000

trusted library allocation

page read and write

4C1E000

trusted library allocation

page read and write

6C75000

trusted library allocation

page read and write

6CD0000

trusted library allocation

page execute and read and write

3812000

trusted library allocation

page read and write

64E9000

stack

page read and write

485C000

stack

page read and write

3D10000

trusted library allocation

page read and write

86B4000

trusted library allocation

page read and write

6CA0000

trusted library allocation

page read and write

6A0D000

stack

page read and write

3AEC000

trusted library allocation

page read and write

25E0000

trusted library allocation

page read and write

866E000

trusted library allocation

page read and write

A9E000

heap

page read and write

86AD000

trusted library allocation

page read and write

2C4A000

trusted library allocation

page read and write

6820000

trusted library allocation

page read and write

3AD5000

trusted library allocation

page read and write

28A7000

trusted library allocation

page read and write

92C0000

heap

page read and write

2809000

trusted library allocation

page read and write

CE0000

trusted library allocation

page read and write

91C8000

heap

page read and write

3C6000

unkown

page readonly

6CA4000

trusted library allocation

page read and write

28EE000

trusted library allocation

page read and write

384A000

trusted library allocation

page read and write

3884000

trusted library allocation

page read and write

4BD2000

trusted library allocation

page read and write

57D5000

heap

page read and write

5FEE000

heap

page read and write

502E000

stack

page read and write

3ADE000

trusted library allocation

page read and write

2C9A000

trusted library allocation

page read and write

37E7000

trusted library allocation

page read and write

895000

heap

page read and write

253E000

stack

page read and write

288F000

trusted library allocation

page read and write

2970000

trusted library allocation

page read and write

3B09000

trusted library allocation

page read and write

CB0000

trusted library allocation

page read and write

66AE000

stack

page read and write

2C54000

trusted library allocation

page read and write

389C000

trusted library allocation

page read and write

C9D000

trusted library allocation

page execute and read and write

CBA000

trusted library allocation

page execute and read and write

8690000

trusted library allocation

page read and write

38B0000

trusted library allocation

page read and write

C93000

trusted library allocation

page execute and read and write

296A000

trusted library allocation

page read and write

CC2000

trusted library allocation

page read and write

6C72000

trusted library allocation

page read and write

3761000

trusted library allocation

page read and write

B72000

heap

page read and write

6D00000

trusted library allocation

page read and write

609A000

heap

page read and write

3857000

trusted library allocation

page read and write

506E000

stack

page read and write

37E1000

trusted library allocation

page read and write

5FDF000

heap

page read and write

D2A000

heap

page read and write

2C7C000

trusted library allocation

page read and write

69CC000

stack

page read and write

4BC1000

trusted library allocation

page read and write

5F10000

trusted library allocation

page read and write

D10000

trusted library allocation

page execute and read and write

92AC000

heap

page read and write

9250000

heap

page read and write

3B36000

trusted library allocation

page read and write

D57000

heap

page read and write

2D8D000

trusted library allocation

page read and write

67C1000

trusted library allocation

page read and write

91DB000

heap

page read and write

3867000

trusted library allocation

page read and write

3871000

trusted library allocation

page read and write

925E000

heap

page read and write

4EF0000

heap

page read and write

86E000

stack

page read and write

A38D000

stack

page read and write

289A000

trusted library allocation

page read and write

6CE0000

trusted library allocation

page read and write

91CE000

heap

page read and write

67D2000

trusted library allocation

page read and write

37F4000

trusted library allocation

page read and write

6800000

trusted library allocation

page read and write

5FFA000

heap

page read and write

6B0C000

stack

page read and write

296E000

trusted library allocation

page read and write

6C8F000

trusted library allocation

page read and write

B85000

heap

page read and write

91B9000

heap

page read and write

2740000

trusted library allocation

page read and write

67C6000

trusted library allocation

page read and write

D20000

heap

page read and write

7D0000

heap

page read and write

67DE000

trusted library allocation

page read and write

2750000

heap

page execute and read and write

4BBE000

trusted library allocation

page read and write

9800000

heap

page read and write

3B22000

trusted library allocation

page read and write

4C72000

trusted library allocation

page read and write

91A0000

heap

page read and write

D26000

heap

page read and write

2C9F000

trusted library allocation

page read and write

3B2F000

trusted library allocation

page read and write

5EEE000

stack

page read and write

3B67000

trusted library allocation

page read and write

67BB000

trusted library allocation

page read and write

6850000

trusted library allocation

page execute and read and write

6880000

trusted library allocation

page read and write

8650000

trusted library allocation

page read and write

4BA4000

trusted library allocation

page read and write

9248000

heap

page read and write

28BB000

trusted library allocation

page read and write

6C70000

trusted library allocation

page read and write

6430000

trusted library allocation

page read and write

37FD000

trusted library allocation

page read and write

2C6F000

trusted library allocation

page read and write

65EC000

stack

page read and write

2964000

trusted library allocation

page read and write

97AE000

stack

page read and write

9205000

heap

page read and write

6B10000

trusted library allocation

page read and write

3AE4000

trusted library allocation

page read and write

376F000

trusted library allocation

page read and write

51FE000

stack

page read and write

CAD000

trusted library allocation

page execute and read and write

8660000

trusted library allocation

page read and write

2962000

trusted library allocation

page read and write

9229000

heap

page read and write

CC0000

trusted library allocation

page read and write

37A3000

trusted library allocation

page read and write

929C000

heap

page read and write

6860000

trusted library allocation

page execute and read and write

4C80000

trusted library allocation

page execute and read and write

68A0000

trusted library allocation

page read and write

923A000

heap

page read and write

4C10000

trusted library allocation

page read and write

7E0000

heap

page read and write

382B000

trusted library allocation

page read and write

6620000

trusted library allocation

page read and write

920F000

heap

page read and write

D30000

trusted library allocation

page read and write

4C40000

heap

page read and write

D50000

heap

page read and write

67B0000

trusted library allocation

page read and write

2D98000

trusted library allocation

page read and write

CC7000

trusted library allocation

page execute and read and write

91D7000

heap

page read and write

5EF0000

trusted library allocation

page read and write

3B2000

unkown

page readonly

3806000

trusted library allocation

page read and write

65F0000

trusted library allocation

page read and write

3AF1000

trusted library allocation

page read and write

CB2000

trusted library allocation

page read and write

4BA0000

trusted library allocation

page read and write

86A0000

trusted library allocation

page read and write

6840000

trusted library allocation

page read and write

643A000

trusted library allocation

page read and write

3B7000

unkown

page readonly

2D6A000

trusted library allocation

page read and write

61AD000

stack

page read and write

6C60000

trusted library allocation

page read and write

871D000

stack

page read and write

3801000

trusted library allocation

page read and write

2982000

trusted library allocation

page read and write

3B41000

trusted library allocation

page read and write

976B000

stack

page read and write

26FF000

stack

page read and write

3AE2000

trusted library allocation

page read and write

388D000

trusted library allocation

page read and write

890000

heap

page read and write

6006000

heap

page read and write

CA0000

trusted library allocation

page read and write

2C83000

trusted library allocation

page read and write

A80000

trusted library allocation

page read and write

3893000

trusted library allocation

page read and write

7F470000

trusted library allocation

page execute and read and write

6D09000

trusted library allocation

page read and write

866B000

trusted library allocation

page read and write

5CEF000

stack

page read and write

9170000

trusted library allocation

page read and write

2857000

trusted library allocation

page read and write

666C000

stack

page read and write

5FD0000

heap

page read and write

6438000

trusted library allocation

page read and write

5FD6000

heap

page read and write

4C60000

heap

page read and write

383F000

trusted library allocation

page read and write

CCB000

trusted library allocation

page execute and read and write

28CA000

trusted library allocation

page read and write

91EB000

heap

page read and write

91E7000

heap

page read and write

2968000

trusted library allocation

page read and write

8670000

trusted library allocation

page read and write

5DEE000

stack

page read and write

954E000

stack

page read and write

9285000

heap

page read and write

2B10000

trusted library allocation

page read and write

2D74000

trusted library allocation

page read and write

920C000

heap

page read and write

51B0000

heap

page read and write

91F0000

heap

page read and write

2C95000

trusted library allocation

page read and write

3B5D000

trusted library allocation

page read and write

603F000

heap

page read and write

57C1000

heap

page read and write

6890000

trusted library allocation

page read and write

B3D000

heap

page read and write

CC5000

trusted library allocation

page execute and read and write

669000

stack

page read and write

60CE000

heap

page read and write

3888000

trusted library allocation

page read and write

3B4D000

trusted library allocation

page read and write

5F00000

trusted library allocation

page read and write

4BC6000

trusted library allocation

page read and write

9279000

heap

page read and write

767000

stack

page read and write

2B88000

trusted library allocation

page read and write

C94000

trusted library allocation

page read and write

38E8000

trusted library allocation

page read and write

68B0000

trusted library allocation

page execute and read and write

92A3000

heap

page read and write

C8E000

stack

page read and write

6870000

trusted library allocation

page execute and read and write

2C56000

trusted library allocation

page read and write

6C9A000

trusted library allocation

page read and write

641E000

stack

page read and write

6CC0000

trusted library allocation

page read and write

9198000

heap

page read and write

25F0000

heap

page read and write

There are 339 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
KBDFW9FTsq.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportKBDFW9FTsq.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
KBDFW9FTsq.exe