Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.196723254801983
Filename:	file.exe
Filesize:	5202304
MD5:	9c8f9c16d9476e30711c92307ff98b99
SHA1:	dadce6f6fc960850127c7643948dd132fc60b569
SHA256:	e353a4c8c81c7815dc8a9ee01e23f6fa7d438c0b8f44ba952c7f2d00aa044899
SHA512:	b42e4b85e2a6bb69d511fdac0074f0813847eeb5eddb8297721fe894e7c3153ae46ab479f6639718a8226f06a945861d58e2e9fc8bec3d0b149a66dfd03109e4
SSDEEP:	49152:iHYqsRnsBi6+Opf/PdDS8DLRg42BjMedGcYvZRjIg+MaKU16ihEb1jVhGyIN+kJX:i4qs/T7XY7yKa6ihKjAn+Aee8NDSB
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................P...M..8........M.. ....M...@.. .......................@O.....&DP...@................................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection	Process Injection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
.NET source code contains very large array initializations	System Summary	Process Injection Disable or Modify Tools
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Process Injection Timestomp
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	Process Injection
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
Found potential string decryption / allocating functions	System Summary
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
PE / OLE file has an invalid certificate	System Summary
PE file contains executable resources (Code or Archives)	System Summary	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Native API System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses 32bit PE files	Compliance, System Summary	Process Injection Masquerading
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Process Injection
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary	Process Injection
.NET source code contains calls to encryption/decryption functions	System Summary	Process Injection Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains many randomly named methods	Data Obfuscation	Process Injection Disable or Modify Tools
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Process Injection Disable or Modify Tools
Creates temporary files	System Summary	Process Injection
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Program exit points	Malware Analysis System Evasion
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Process Injection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary
URLs found in memory or binary data	Networking	Process Injection
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary
Uses Microsoft Silverlight	System Summary	Process Injection

C:\Users\Public\Desktop\Google Chrome.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 05:47:13 2023, atime=Wed Sep 27 08:36:54 2023, length=3242272, window=hide

dropped

Details

File:	C:\Users\Public\Desktop\Google Chrome.lnk
Category:	dropped
Dump:	Google Chrome.lnk.2.dr
ID:	dr_5
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 05:47:13 2023, atime=Wed Sep 27 08:36:54 2023, length=3242272, window=hide
Entropy:	3.466649109477021
Encrypted:	false
Ssdeep:	48:8S/ATd5TvGk0lRYrnvPdAKRkdAs6IdAKRFdAKR6P:8S/AHbH7
Size:	2106
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MsBuild.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MsBuild.exe.log
Category:	dropped
Dump:	MsBuild.exe.log.2.dr
ID:	dr_6
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.342376182732888
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4xLE4qE4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0H6
Size:	1299
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Category:	dropped
Dump:	file.exe.log.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.358731107079437
Encrypted:	false
Ssdeep:	12:Q3La/hz92n4M9tDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLU84qpE4KlKDE4KhKiKhk
Size:	522
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE / OLE file has an invalid certificate	System Summary
PE file contains executable resources (Code or Archives)	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll
Category:	dropped
Dump:	Protect544cd51a.dll.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.561572491684602
Encrypted:	false
Ssdeep:	12288:wCMz4nuvURpZ4jR1b2Ag+dQMWCD8iN2+OeO+OeNhBBhhBBgoo+A1AW8JwkaCZ+36:wCs4uvW4jfb2K90oo+C8JwUZc0
Size:	760320
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\Tmp7B9B.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Tmp7B9B.tmp
Category:	dropped
Dump:	Tmp7B9B.tmp.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud

C:\Users\user\AppData\Local\Temp\Tmp7BEA.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Tmp7BEA.tmp
Category:	dropped
Dump:	Tmp7BEA.tmp.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
Category:	dropped
Dump:	76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06.2.dr
ID:	dr_4
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	2251
Whitelisted:	true
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2444
Target ID:	0
Parent PID:	4004
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	5202304
MD5:	9C8F9C16D9476E30711C92307FF98B99
Time:	15:51:47
Date:	28/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x720000
Modulesize:	5193728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected zgRAT	Stealing of Sensitive Information, Remote Access Functionality
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE / OLE file has an invalid certificate	System Summary
PE file contains executable resources (Code or Archives)	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

Details

Is windows:	true
Is dropped:	false
PID:	5580
Target ID:	2
Parent PID:	2444
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	15:51:48
Date:	28/03/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xc10000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected zgRAT	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	796
Target ID:	3
Parent PID:	5580
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	15:51:48
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff66e660000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://namespace.google.com/openid/xmlns

unknown

http://www.idmanagement.gov/schema/2009/05/icam/no-pii.pdf

unknown

https://api.ip.sb/ip

unknown

https://sectigo.com/CPS0

unknown

http://ocsp.sectigo.com0

unknown

http://openid.net/extensions/sreg/1.1

unknown

http://axschema.org/person/genderFhttp://axschema.org/media/biographyBhttp://axschema.org/pref/langu

unknown

http://specs.openid.net/extensions/ui/icon

unknown

http://axschema.org/namePersonJhttp://axschema.org/namePerson/prefixHhttp://axschema.org/namePerson/

unknown

http://openid.net/xmlns/1.09http://openid.net/signon/1.0

unknown

https://api.ip.s

unknown

http://www.idmanagement.gov/schema/2009/05/icam/openid-trust-level1.pdfthttp://www.idmanagement.gov/

unknown

http://axschema.org/company/nameBhttp://axschema.org/company/title:http://axschema.org/birthDateNhtt

unknown

http://schemas.openid.net/pape/policies/2007/06/phishing-resistantxhttp://schemas.openid.net/pape/po

unknown

http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical

unknown

http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf

unknown

http://specs.openid.net/extensions/ui/1.0ghttp://specs.openid.net/extensions/ui/1.0/lang-prefihttp:/

unknown

http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t

unknown

http://openid.net/srv/ax/1.0

unknown

http://specs.openid.net/auth/2.0

unknown

http://axschema.org/contact/postalCode/businessDhttp://axschema.org/contact/IM/AIMDhttp://axschema.o

unknown

http://openid.net/sreg/1.05http://openid.net/sreg/1.1

unknown

http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#

unknown

http://specs.openid.net/extensions/oauth/1.0

unknown

https://discord.com/api/v9/users/

unknown

http://axschema.org/contact/postalAddress/homephttp://axschema.org/contact/postalAddressAdditional/h

unknown

http://axschema.org/3http://schema.openid.net/3http://openid.net/schema/

unknown

http://openid.net/signon/1.1

unknown

http://schemas.openid.net/pape/policies/2007/06/none

unknown

http://specs.openid.net/extensions/pape/1.0

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier

unknown

http://specs.openid.net/auth/2.0/signonOhttp://specs.openid.net/auth/2.0/serverehttp://specs.openid.

unknown

http://specs.openid.net/extensions/ui/1.0/icon

unknown

There are 23 hidden URLs, click here to show them.

Domains

Name

Malicious

fp2e7a.wpc.phicdn.net

192.229.211.108

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064

Blob

Details

TargetID:	2
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064
Value name:	Blob
Value data:	0B 00 00 00 01 00 00 00 48 00 00 00 54 00 69 00 74 00 61 00 6E 00 69 00 75 00 6D 00 20 00 52 00 6F 00 6F 00 74 00 20 00 43 00 65 00 72 00 74 00 69 00 66 00 69 00 63 00 61 00 74 00 65 00 20 00 41 00 75 00 74 00 68 00 6F 00 72 00 69 00 74 00 79 00 00 00 02 00 00 00 01 00 00 00 CC 00 00 00 1C 00 00 00 6C 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 7B 00 34 00 31 00 37 00 34 00 34 00 42 00 45 00 34 00 2D 00 31 00 31 00 43 00 35 00 2D 00 34 00 39 00 34 00 43 00 2D 00 41 00 32 00 31 00 33 00 2D 00 42 00 41 00 30 00 43 00 45 00 39 00 34 00 34 00 39 00 33 00 38 00 45 00 7D 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 45 00 6E 00 68 00 61 00 6E 00 63 00 65 00 64 00 20 00 43 00 72 00 79 00 70 00 74 00 6F 00 67 00 72 00 61 00 70 00 68 00 69 00 63 00 20 00 50 00 72 00 6F 00 76 00 69 00 64 00 65 00 72 00 20 00 76 00 31 00 2E 00 30 00 00 00 00 00 03 00 00 00 01 00 00 00 14 00 00 00 F1 A5 78 C4 CB 5D E7 9A 37 08 93 98 3F D4 DA 8B 67 B2 B0 64 20 00 00 00 01 00 00 00 0A 03 00 00 30 82 03 06 30 82 01 EE A0 03 02 01 02 02 08 67 F7 BE B9 6A 4C 27 98 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 1E 17 0D 32 33 30 33 31 34 31 30 33 35 32 30 5A 17 0D 32 36 30 36 31 37 31 30 33 35 32 30 5A 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 86 E4 57 7A 58 61 CE 81 91 77 D0 05 FA 51 D5 51 5A 93 6C 61 0C CF CB DE 53 32 CD 15 1D A6 47 EE 88 1A 24 5C 9B 02 83 3B 02 AF 3D 76 FE 20 BD 3B FA F7 A2 09 73 E7 2E BD 94 40 D0 9D 8C 3D 27 13 BD F0 D0 9F EB 95 32 AC D7 A4 2D A2 A9 52 DA A8 6A 2A 88 EE 42 7D 30 95 9D 90 BF BA 05 27 6A A0 29 98 A6 98 6F C0 13 06 62 9B 79 B8 40 5D 1F 1F A6 D9 A4 2F 82 7A FC 75 66 34 0D C2 DE 27 01 2B 94 BB 4A 27 B3 CB 1C 21 9A 3C B2 C1 42 03 F3 44 51 BD 62 65 20 ED D4 DB CC 41 4F 59 3F 2A CB C4 84 79 F7 14 3C BE 13 9C FD 12 9C 91 3E 53 03 DC 20 F9 4C 44 35 89 01 B6 9A 84 8D 7E A0 2E 30 8A 31 15 60 AC 00 AE 00 9A 29 10 9A EE D9 71 3D D8 91 9B 97 ED 59 80 58 E1 7F 07 26 C7 A0 20 F7 10 AB C0 62 91 DF AA F1 81 C6 BE 6A 76 C8 9C B6 8E B0 B0 EC 1C D9 5F 32 6C 7E 55 58 8B FD 76 C5 19 02 03 01 00 01 A3 28 30 26 30 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 03 82 01 01 00 70 85 12 93 D7 57 E9 82 79 7D C5 F7 F2 7D A8 94 EF 0C DB 32 9F 06 A6 09 6E 0C F6 04 B0 E5 47 11 56 0E F4 0F 52 82 08 2E 21 0F 55 A3 DB 41 F3 12 54 8B 76 11 F5 F0 DA CE A3 C7 8B 13 F6 FC 24 3C 02 B1 06 66 5B E6 9E 18 40 88 41 5B 27 39 99 B8 77 BE E3 53 A2 48 CE C7 EE B5 A0 95 C2 17 4B C9 52 6C AF E3 37 2C 59 DB FB E7 58 13 4E D3 51 E5 14 72 73 FE C6 85 77 AE 45 52 A6 F9 9A C8 0C A8 D0 EE 42 2A F5 28 85 8C 6B E8 1C B0 A8 03 1A B0 AE 83 C0 EB 55 64 F4 E8 7A 5C 06 29 5D 39 03 EE E2 FD F9 2D 62 A7 F4 D4 05 4D EA A7 9B CA EB DA 4E 8B 1A 6E FD 42 AE F9 D0 1C 70 75 72 8C B1 3A A8 55 7C 85 A7 25 32 B5 E2 D6 C3 E5 50 41 C9 86 7C A8 F5 62 BB D2 AB 0C 37 10 D8 31 73 EC 37 81 D1 DC AA C5 C6 E0 7E E7 26 62 4D FD C5 81 4C FF D3 36 E1 79 32 F8 9B EB 9C F7 FD BE E9 BE BF 61

Signature Hits	Behavior Group	Mitre Attack
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate

Memdumps

Base Address

Regiontype

Protect

Malicious

42BF000

trusted library allocation

page read and write

4364000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

3116000

trusted library allocation

page read and write

2F6E000

trusted library allocation

page read and write

12D0000

heap

page read and write

6E580000

unkown

page readonly

57BA000

heap

page execute and read and write

5740000

heap

page read and write

1216000

trusted library allocation

page execute and read and write

6130000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

1450000

trusted library allocation

page read and write

74D0000

trusted library allocation

page execute and read and write

4A4000

remote allocation

page execute and read and write

543E000

trusted library allocation

page read and write

14A0000

heap

page read and write

5550000

heap

page execute and read and write

5B4E000

stack

page read and write

31C1000

trusted library allocation

page read and write

11C5000

heap

page read and write

31F6000

trusted library allocation

page read and write

2F7E000

stack

page read and write

5F90000

heap

page read and write

54FE000

stack

page read and write

320A000

trusted library allocation

page read and write

144A000

trusted library allocation

page execute and read and write

32E3000

trusted library allocation

page read and write

5490000

trusted library allocation

page execute and read and write

118E000

stack

page read and write

5560000

heap

page read and write

30E6000

trusted library allocation

page read and write

3141000

trusted library allocation

page read and write

13B1000

heap

page read and write

122E000

heap

page read and write

7BCA000

heap

page read and write

3060000

trusted library allocation

page read and write

329D000

trusted library allocation

page read and write

3130000

heap

page execute and read and write

3105000

trusted library allocation

page read and write

4998000

trusted library allocation

page read and write

115E000

stack

page read and write

5855000

heap

page read and write

3290000

trusted library allocation

page read and write

1390000

heap

page read and write

6020000

heap

page execute and read and write

1440000

trusted library allocation

page read and write

43E5000

trusted library allocation

page read and write

1680000

trusted library allocation

page read and write

5850000

heap

page read and write

58BE000

stack

page read and write

31A4000

trusted library allocation

page read and write

5640000

heap

page execute and read and write

3252000

trusted library allocation

page read and write

307C000

trusted library allocation

page read and write

12D1000

heap

page read and write

30BB000

trusted library allocation

page read and write

13A7000

heap

page read and write

1480000

heap

page read and write

31BD000

trusted library allocation

page read and write

2EF0000

trusted library allocation

page read and write

CD9000

stack

page read and write

6E62A000

unkown

page read and write

2F11000

trusted library allocation

page read and write

1470000

trusted library allocation

page read and write

468000

remote allocation

page execute and read and write

CAB000

stack

page read and write

1040000

heap

page read and write

3212000

trusted library allocation

page read and write

3254000

trusted library allocation

page read and write

114D000

stack

page read and write

3107000

trusted library allocation

page read and write

7792000

trusted library allocation

page read and write

5F20000

heap

page read and write

31DE000

trusted library allocation

page read and write

6E620000

unkown

page write copy

30BF000

trusted library allocation

page read and write

5A48000

trusted library section

page read and write

11E0000

trusted library allocation

page read and write

6E581000

unkown

page execute read

1025000

heap

page read and write

30D1000

trusted library allocation

page read and write

30EC000

trusted library allocation

page read and write

317F000

trusted library allocation

page read and write

3109000

trusted library allocation

page read and write

59B0000

trusted library allocation

page read and write

30E4000

trusted library allocation

page read and write

5D8E000

stack

page read and write

1220000

heap

page read and write

30FB000

trusted library allocation

page read and write

30E0000

trusted library allocation

page read and write

3074000

trusted library allocation

page read and write

1450000

trusted library allocation

page execute and read and write

3197000

trusted library allocation

page read and write

48DB000

trusted library allocation

page read and write

2DDF000

trusted library allocation

page read and write

31F7000

trusted library allocation

page read and write

322E000

trusted library allocation

page read and write

30AA000

trusted library allocation

page read and write

147F000

trusted library allocation

page read and write

3279000

trusted library allocation

page read and write

3174000

trusted library allocation

page read and write

13D2000

heap

page read and write

4FEB000

stack

page read and write

2DC0000

trusted library allocation

page read and write

545D000

trusted library allocation

page read and write

317D000

trusted library allocation

page read and write

11FD000

trusted library allocation

page execute and read and write

142B000

trusted library allocation

page execute and read and write

133E000

heap

page read and write

143D000

trusted library allocation

page execute and read and write

145B000

trusted library allocation

page execute and read and write

544E000

trusted library allocation

page read and write

2F1E000

trusted library allocation

page read and write

DD7000

stack

page read and write

595E000

stack

page read and write

2F3E000

stack

page read and write

15D0000

heap

page read and write

311C000

trusted library allocation

page read and write

12CF000

stack

page read and write

DA8000

stack

page read and write

309D000

stack

page read and write

121A000

trusted library allocation

page execute and read and write

30E2000

trusted library allocation

page read and write

31AE000

trusted library allocation

page read and write

13DD000

heap

page read and write

30FD000

trusted library allocation

page read and write

1442000

trusted library allocation

page read and write

13CD000

heap

page read and write

31EF000

trusted library allocation

page read and write

3097000

trusted library allocation

page read and write

5E21000

heap

page read and write

5750000

heap

page read and write

1670000

trusted library allocation

page read and write

323F000

trusted library allocation

page read and write

329F000

trusted library allocation

page read and write

733E000

stack

page read and write

955E000

stack

page read and write

5470000

trusted library allocation

page read and write

134A000

heap

page read and write

3258000

trusted library allocation

page read and write

2F9B000

heap

page read and write

307E000

trusted library allocation

page read and write

582F000

trusted library allocation

page read and write

914E000

stack

page read and write

5451000

trusted library allocation

page read and write

3078000

trusted library allocation

page read and write

709E000

heap

page read and write

3080000

trusted library allocation

page read and write

141E000

stack

page read and write

1452000

trusted library allocation

page read and write

1320000

heap

page read and write

1480000

heap

page read and write

30E8000

trusted library allocation

page read and write

31FC000

trusted library allocation

page read and write

3286000

trusted library allocation

page read and write

321B000

trusted library allocation

page read and write

578E000

stack

page read and write

32A1000

trusted library allocation

page read and write

54C0000

trusted library allocation

page read and write

30F7000

trusted library allocation

page read and write

3095000

trusted library allocation

page read and write

562C000

stack

page read and write

15CE000

stack

page read and write

904E000

stack

page read and write

720000

unkown

page readonly

30FF000

trusted library allocation

page read and write

13B8000

heap

page read and write

3178000

trusted library allocation

page read and write

3064000

trusted library allocation

page read and write

574E000

stack

page read and write

4A67000

trusted library allocation

page read and write

93F0000

trusted library allocation

page execute and read and write

2EEE000

stack

page read and write

3277000

trusted library allocation

page read and write

325A000

trusted library allocation

page read and write

3225000

trusted library allocation

page read and write

3273000

trusted library allocation

page read and write

309E000

trusted library allocation

page read and write

322B000

trusted library allocation

page read and write

3250000

trusted library allocation

page read and write

301A000

trusted library allocation

page read and write

55D0000

trusted library allocation

page read and write

1440000

trusted library allocation

page read and write

5C4E000

stack

page read and write

15B0000

trusted library allocation

page read and write

1010000

heap

page read and write

3210000

trusted library allocation

page read and write

5800000

trusted library allocation

page execute and read and write

945E000

stack

page read and write

6E623000

unkown

page write copy

4206000

trusted library allocation

page read and write

74F0000

trusted library allocation

page read and write

31AA000

trusted library allocation

page read and write

5960000

heap

page execute and read and write

7BC4000

heap

page read and write

3282000

trusted library allocation

page read and write

31AC000

trusted library allocation

page read and write

15C0000

trusted library allocation

page read and write

13D7000

heap

page read and write

3243000

trusted library allocation

page read and write

1255000

heap

page read and write

13C1000

heap

page read and write

5643000

heap

page execute and read and write

3F11000

trusted library allocation

page read and write

54BE000

stack

page read and write

1427000

trusted library allocation

page execute and read and write

1479000

trusted library allocation

page read and write

4A7000

remote allocation

page execute and read and write

326D000

trusted library allocation

page read and write

158E000

stack

page read and write

315D000

trusted library allocation

page read and write

3170000

trusted library allocation

page read and write

4361000

trusted library allocation

page read and write

7B88000

heap

page read and write

320C000

trusted library allocation

page read and write

328C000

trusted library allocation

page read and write

5630000

trusted library section

page readonly

11F3000

trusted library allocation

page execute and read and write

3256000

trusted library allocation

page read and write

3241000

trusted library allocation

page read and write

308B000

trusted library allocation

page read and write

30B7000

trusted library allocation

page read and write

31E1000

trusted library allocation

page read and write

2F9E000

trusted library allocation

page read and write

14A7000

heap

page read and write

5766000

trusted library allocation

page read and write

306C000

trusted library allocation

page read and write

918E000

stack

page read and write

1455000

trusted library allocation

page execute and read and write

5FC0000

heap

page read and write

5456000

trusted library allocation

page read and write

31A2000

trusted library allocation

page read and write

309B000

trusted library allocation

page read and write

74CE000

stack

page read and write

3118000

trusted library allocation

page read and write

1420000

trusted library allocation

page read and write

7BF4000

heap

page read and write

31B0000

trusted library allocation

page read and write

1356000

heap

page read and write

31A6000

trusted library allocation

page read and write

1310000

trusted library allocation

page read and write

7BC2000

heap

page read and write

31F9000

trusted library allocation

page read and write

1020000

heap

page read and write

31D8000

trusted library allocation

page read and write

31BF000

trusted library allocation

page read and write

30CF000

trusted library allocation

page read and write

3082000

trusted library allocation

page read and write

31A2000

trusted library allocation

page read and write

5770000

heap

page read and write

31F1000

trusted library allocation

page read and write

2DE0000

heap

page execute and read and write

307A000

trusted library allocation

page read and write

3176000

trusted library allocation

page read and write

318F000

trusted library allocation

page read and write

5462000

trusted library allocation

page read and write

5E16000

heap

page read and write

140B000

heap

page read and write

54F0000

heap

page read and write

5430000

trusted library allocation

page read and write

5E10000

heap

page read and write

6E61E000

unkown

page read and write

3091000

trusted library allocation

page read and write

50EC000

stack

page read and write

311A000

trusted library allocation

page read and write

3191000

trusted library allocation

page read and write

5510000

trusted library allocation

page read and write

1685000

trusted library allocation

page read and write

2DD0000

trusted library allocation

page read and write

57B0000

heap

page execute and read and write

543B000

trusted library allocation

page read and write

6E604000

unkown

page readonly

6E621000

unkown

page read and write

30B0000

trusted library allocation

page read and write

30B2000

trusted library allocation

page read and write

3195000

trusted library allocation

page read and write

3172000

trusted library allocation

page read and write

318B000

trusted library allocation

page read and write

5500000

trusted library allocation

page read and write

737E000

stack

page read and write

3215000

trusted library allocation

page read and write

1422000

trusted library allocation

page read and write

325C000

trusted library allocation

page read and write

13E1000

heap

page read and write

4421000

trusted library allocation

page read and write

1100000

heap

page read and write

7C16000

heap

page read and write

6140000

trusted library allocation

page execute and read and write

31BB000

trusted library allocation

page read and write

30CB000

trusted library allocation

page read and write

11A0000

heap

page read and write

5520000

trusted library allocation

page read and write

767E000

stack

page read and write

7BC7000

heap

page read and write

1483000

heap

page read and write

328E000

trusted library allocation

page read and write

1264000

heap

page read and write

1690000

heap

page read and write

31A8000

trusted library allocation

page read and write

31DC000

trusted library allocation

page read and write

3039000

trusted library allocation

page read and write

3103000

trusted library allocation

page read and write

2F00000

heap

page read and write

328A000

trusted library allocation

page read and write

7B78000

heap

page read and write

3227000

trusted library allocation

page read and write

31CA000

trusted library allocation

page read and write

570F000

stack

page read and write

1328000

heap

page read and write

1433000

trusted library allocation

page read and write

13C6000

heap

page read and write

3288000

trusted library allocation

page read and write

3099000

trusted library allocation

page read and write

1457000

trusted library allocation

page execute and read and write

58C0000

trusted library section

page read and write

325F000

trusted library allocation

page read and write

2EF5000

trusted library allocation

page read and write

2F90000

heap

page read and write

7BB6000

heap

page read and write

7BB2000

heap

page read and write

3229000

trusted library allocation

page read and write

326F000

trusted library allocation

page read and write

5790000

trusted library section

page read and write

1423000

trusted library allocation

page execute and read and write

3275000

trusted library allocation

page read and write

7090000

heap

page read and write

5C8E000

stack

page read and write

13A1000

heap

page read and write

30C9000

trusted library allocation

page read and write

723E000

stack

page read and write

30EE000

trusted library allocation

page read and write

74E0000

trusted library allocation

page read and write

5760000

trusted library allocation

page read and write

11AE000

stack

page read and write

480D000

trusted library allocation

page read and write

6E62E000

unkown

page readonly

1203000

trusted library allocation

page read and write

311E000

trusted library allocation

page read and write

3193000

trusted library allocation

page read and write

5540000

heap

page read and write

31F5000

trusted library allocation

page read and write

4144000

trusted library allocation

page read and write

31DA000

trusted library allocation

page read and write

3269000

trusted library allocation

page read and write

3299000

trusted library allocation

page read and write

15AF000

stack

page read and write

1425000

trusted library allocation

page execute and read and write

3101000

trusted library allocation

page read and write

7B8C000

heap

page read and write

3271000

trusted library allocation

page read and write

31CC000

trusted library allocation

page read and write

55C0000

trusted library allocation

page execute and read and write

11F0000

trusted library allocation

page read and write

318D000

trusted library allocation

page read and write

1490000

trusted library allocation

page execute and read and write

928E000

stack

page read and write

722000

unkown

page readonly

5434000

trusted library allocation

page read and write

2DBE000

stack

page read and write

597A000

trusted library section

page read and write

3076000

trusted library allocation

page read and write

57A0000

heap

page read and write

142D000

trusted library allocation

page execute and read and write

628E000

stack

page read and write

3114000

trusted library allocation

page read and write

31EB000

trusted library allocation

page read and write

3161000

trusted library allocation

page read and write

1210000

trusted library allocation

page read and write

11C0000

heap

page read and write

7C0A000

heap

page read and write

11F4000

trusted library allocation

page read and write

4141000

trusted library allocation

page read and write

120D000

trusted library allocation

page execute and read and write

30CD000

trusted library allocation

page read and write

31C3000

trusted library allocation

page read and write

6E62C000

unkown

page read and write

5500000

trusted library allocation

page execute and read and write

618E000

stack

page read and write

1420000

trusted library allocation

page read and write

1160000

heap

page read and write

31B3000

trusted library allocation

page read and write

30A0000

trusted library allocation

page read and write

168E000

trusted library allocation

page read and write

30EA000

trusted library allocation

page read and write

7B70000

heap

page read and write

323D000

trusted library allocation

page read and write

321F000

trusted library allocation

page read and write

3223000

trusted library allocation

page read and write

4325000

trusted library allocation

page read and write

6120000

trusted library allocation

page execute and read and write

317A000

trusted library allocation

page read and write

31D6000

trusted library allocation

page read and write

3197000

trusted library allocation

page read and write

54B0000

trusted library allocation

page read and write

120A000

trusted library allocation

page read and write

2F80000

trusted library allocation

page read and write

747E000

stack

page read and write

1446000

trusted library allocation

page execute and read and write

1462000

trusted library allocation

page read and write

5FA0000

heap

page read and write

1399000

heap

page read and write

31D4000

trusted library allocation

page read and write

3110000

trusted library allocation

page read and write

1424000

trusted library allocation

page read and write

30B4000

trusted library allocation

page read and write

120C000

trusted library allocation

page read and write

315F000

trusted library allocation

page read and write

30AC000

trusted library allocation

page read and write

323B000

trusted library allocation

page read and write

1228000

heap

page read and write

13A4000

heap

page read and write

31FC000

trusted library allocation

page read and write

5820000

trusted library allocation

page read and write

There are 404 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

Registry

Memdumps

IOC Report
file.exe