Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

xXQ39a5f9EJP.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.615876081246294
Filename:	xXQ39a5f9EJP.exe
Filesize:	48640
MD5:	b385264019d78c7225e7e088d5ad6042
SHA1:	544ef98e04e0218af42302970199dd1f66182118
SHA256:	4eb22bcde9c1f6978506647ab39e9e4245cb4bde3a359c0348e37ec3f9c12116
SHA512:	2a7b118a8c7c9e38884d884891c9342fafa80ec65a6f54c1ac7daefd23c33aada89250e2fbaa3507e802440c9bcbc9288bf0fd8391dabd3587e140330d7e1587
SSDEEP:	768:4q+s3pUtDILNCCa+DiptelDSN+iV08YbygeiOOW1tWtirvEgK/JvZVc6KN:4q+AGtQOptKDs4zb13OOW1tWErnkJvZI
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................................. ........@.. ....................... ............@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary	Security Software Discovery
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API Security Software Discovery
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Windows Management Instrumentation
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection Security Software Discovery
Detected potential crypto function	System Summary	Security Software Discovery Archive Collected Data Encrypted Channel
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Security Software Discovery
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Security Software Discovery
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry Security Software Discovery
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
.NET source code contains functionality to register a task	System Summary	Scheduled Task/Job Disable or Modify Tools
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
Checks the free space of harddrives	Malware Analysis System Evasion
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary	Security Software Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
Executes batch files	System Summary	Scripting
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads software policies	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking	Security Software Discovery
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression

dropped

Details

File:	C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Category:	dropped
Dump:	77EC63BDA74BD0D0E0426DC8F8008506.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Entropy:	7.99584879649948
Encrypted:	true
Ssdeep:	1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
Size:	69993
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

data

dropped

Details

File:	C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Category:	dropped
Dump:	77EC63BDA74BD0D0E0426DC8F80085060.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Type:	data
Entropy:	3.141494007698779
Encrypted:	false
Ssdeep:	6:kK9ZlDN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:zlMkPlE99SNxAhUeVLVt
Size:	330
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\xXQ39a5f9EJP.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\xXQ39a5f9EJP.exe.log
Category:	dropped
Dump:	xXQ39a5f9EJP.exe.log.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Type:	CSV text
Entropy:	5.375380268342155
Encrypted:	false
Ssdeep:	48:MxHKQwYHKGSI6oPtHTHhAHKKkl+vxp3/ell1qHGIs0HKJHNptLHqHj:iqbYqGSI6oPtzHeqKksZp/ellwmj0qJi
Size:	1907
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Sample file is different than original file name gathered from version info	System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Temp\tmp679F.tmp.bat

DOS batch file, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\tmp679F.tmp.bat
Category:	dropped
Dump:	tmp679F.tmp.bat.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Type:	DOS batch file, ASCII text, with CRLF line terminators
Entropy:	5.139737252440667
Encrypted:	false
Ssdeep:	3:mKDDCMNqTtv3Dt+WfHvhs9d9E5Dcq10d9DwU1hGDt+kiE2J5xAInTRI5iL1ZPy:hWKqTtLwQO9/iDc5DNewkn23fT1k
Size:	153
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Executes batch files	System Summary	Scripting
Spawns processes	System Summary	Process Injection

\Device\Null

ASCII text, with CRLF line terminators, with overstriking

dropped

Details

File:	\Device\Null
Category:	dropped
Dump:	Null.7.dr
ID:	dr_4
Target ID:	7
Process:	C:\Windows\System32\timeout.exe
Type:	ASCII text, with CRLF line terminators, with overstriking
Entropy:	4.643906340459884
Encrypted:	false
Ssdeep:	3:hYFqdLGAR+mQRKVxLZXt04hovn:hYFqGaNZK4Qn
Size:	69
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\xXQ39a5f9EJP.exe

"C:\Users\user\Desktop\xXQ39a5f9EJP.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6860
Target ID:	0
Parent PID:	2580
Name:	xXQ39a5f9EJP.exe
Path:	C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Commandline:	"C:\Users\user\Desktop\xXQ39a5f9EJP.exe"
Size:	48640
MD5:	B385264019D78C7225E7E088D5AD6042
Time:	00:20:51
Date:	19/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x470000
Modulesize:	73728
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Yara detected AsyncRAT	Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings	Scheduled Task/Job Obfuscated Files or Information
Yara detected DcRat	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp679F.tmp.bat""

Details

Is windows:	true
Is dropped:	false
PID:	3164
Target ID:	5
Parent PID:	6860
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp679F.tmp.bat""
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	00:22:40
Date:	19/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7a4100000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Executes batch files	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3396
Target ID:	6
Parent PID:	3164
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	00:22:40
Date:	19/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\timeout.exe

timeout 3

Details

Is windows:	true
Is dropped:	false
PID:	6032
Target ID:	7
Parent PID:	3164
Name:	timeout.exe
Path:	C:\Windows\System32\timeout.exe
Commandline:	timeout 3
Size:	32768
MD5:	100065E21CFBBDE57CBA2838921F84D6
Time:	00:22:40
Date:	19/04/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7291b0000
Modulesize:	53248
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Source:	xXQ39a5f9EJP.exe, 00000000.00000002.2722186865.00000000029C8000.00000004.00000800.00020000.00000000.sdmp, xXQ39a5f9EJP.exe, 00000000.00000002.2722186865.0000000002751000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

liverpool777.duckdns.org

179.13.0.175

Details

Name:	liverpool777.duckdns.org
IP:	179.13.0.175
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
Uses dynamic DNS services	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

179.13.0.175

liverpool777.duckdns.org

Colombia

Details

IP:	179.13.0.175
TargetID:	0
Current Path:	C:\Users\user\Desktop\xXQ39a5f9EJP.exe
Country:	Colombia
Countrycode:	COL
ASN number:	27831
ASN name:	ColombiaMovilCO
Private:	false
Domain:	liverpool777.duckdns.org

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit

Version

HKEY_CURRENT_USER\SOFTWARE\F723E1B88FDFE54EEC0E

F7A2CF016280A5E7A24A46D6E81A704BFCCD6486B35AFEFC4601A8330895F85F

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\F723E1B88FDFE54EEC0E
Value name:	F7A2CF016280A5E7A24A46D6E81A704BFCCD6486B35AFEFC4601A8330895F85F
Value data:	00 D4 05 00 1F 8B 08 00 00 00 00 00 04 00 BC 7D 09 9C 14 C5 F5 7F 4F F7 4C F7 EC EC 01 B3 3B 3B B3 07 B0 0B B8 6B 3B 0B 08 2B E0 1E 1C 2B 97 82 17 A0 22 68 14 0F 44 41 A5 71 06 D0 B8 EE 8A 88 37 A2 26 DE D1 C4 A0 98 CB 2B DE 57 BC EF 13 F0 8A C7 AA 31 9E D1 24 26 F1 97 E4 97 FC B2 FE EB FB 5E 55 57 CF B1 40 7E FF FC FF 7C D8 E9 EA AA 57 AF 5E 55 BD 7A F5 EA D5 AB EA FD 0F BB D4 B0 0C C3 08 8B BF 6F BF 35 8C FB 0D FE D7 65 EC F8 DF 5A F1 57 D1 F0 60 85 71 77 C9 CB C3 EF 0F ED F7 F2 F0 83 4F 58 96 6D 5C 99 F1 8E CF 1C 7D 72 E3 B1 47 AF 58 E1 AD 6A 3C E6 B8 C6 CC EA 15 8D CB 56 34 CE 38 F0 A0 C6 93 BD 25 C7 8D 29 2F 8F ED 22 71 CC 9D 69 18 FB 85 2C A3 2C F6 FD A3 14 DE 0F 0D B3 B1 34 14 35 8C 97 22 86 61 73 5C FA 4B 11 6E 44 C8 66 EA 10 36 99 6E C3 D0 4F A3 CB A6 78 FC B3 8C AE 73 0C 63 30 FD D7 4F FF 41 FF DE FB 5D C4 D8 CF 60 BC A3 AC 22 95 6C B4 8D B2 9D 68 8B FC 7F 6D 82 DE 68 0E 1E C3 D8 27 F0 3A 66 D5 71 A7 AD 02 B9 2F CA 7A A1 AE 66 5E D1 86 71 D4 98 4C 36 73 AC 08 33 6D 36 57 F4 95 48 0E 5C 97 F8 3F 26 73 DC 49 9E 00 2C 93 34 13 AE 6D 05 70 D3 F2 E9 04 4D A6 11 31 16 A6 4D 63 DD 63 96 11 92 F1 47 55 99 C6 DF 93 3B 5F DF BA 5E 91 33 9C 36 86 99 6B 29 50 D7 6B AA 77 93 DF 2D F5 6E F1 7B 58 BD 87 F9 3D A2 DE 23 FC 6E AB 77 9B DF 1D F5 EE F0 7B 54 BD 47 F9 BD 84 DE EB 7A 63 2A 9E 02 F5 63 1B 8D 5F 08 8A C4 FF 78 76 74 89 61 C7 6C B3 E7 63 D3 08 D7 A4 86 64 45 64 AC A9 D1 78 CE 30 3C 53 07 05 7D 31 57 BC DB AE 48 B7 7B CB 05 1A 4F D0 18 F3 04 61 B1 D4 C5 82 9C 50 53 B2 A1 E3 7A 4F 84 62 C9 1B 05 39 A1 1D 00 A5 08 C8 75 90 1E 05 76 20 F6 04 C1 B1 F6 7F 8A B6 4B B9 83 55 69 A9 6C 0C 48 13 FD 76 B5 78 CB 96 8A 97 6C 19 72 84 01 61 29 B0 1D D1 93 68 7C 4C E0 4D 7A 82 AC 58 DD 72 37 86 7C A2 38 FB F5 8B 4B 41 88 A0 C1 4E 2E 77 05 62 5B 94 54 8B 92 2A 04 64 22 3B 48 FC 36 5E DD 21 38 68 EC 6A D1 12 83 51 7C B1 B8 38 48 AA F0 49 72 80 8F 7E 37 2E 13 08 53 40 58 09 84 5E 95 F8 6D B6 FB ED 31 A2 E5 B3 09 64 AD 46 56 C1 58 B1 36 0C E4 24 55 BD 0F 5C DB 2C C3 E0 A6 B4 B1 D7 10 E6 2B 51 03 E3 32 51 E5 1F 86 98 B7 05 C2 50 AB 0B B9 60 79 A2 9C 58 5A C4 D5 8F 8D 18 8B 24 1F 32 12 57 64 B3 9B 3A 50 42 73 1B 06 81 5B 83 62 AD FC D8 5A D5 19 39 B1 75 88 AD 17 3F 7D 14 29 29 12 05 4B C1 31 7F BE 61 83 8E FA B1 A5 C6 83 21 1A 6A F1 40 97 C6 80 43 B4 9A DD 51 AA 6B 78 85 48 A7 F2 4D 4F D4 2C 16 B3 93 53 4E 44 94 00 B1 ED E5 0B A9 2F A8 8B EC E5 8B 74 7F 75 98 80 E1 E6 1D 2A B2 05 BA 32 B9 7C CA 13 40 BF 5C 67 0D F4 6E DB 62 43 96 47 B9 A9 98 65 04 B4 CC 1B 26 10 95 3A C9 C9 01 EA FE 66 48 52 9C 20 29 4E 90 94 E4 F2 49 81 0C CF 20 03 47 8F BD 5A 74 F9 70 74 79 03 FA B7 11 8D 87 32 BD E1 60 47 26 6F 00 1E 6C EB 80 E4 D8 2E 7F B6 A5 74 49 41 02 66 0E 58 BF 22 0C B8 7D 56 F3 79 0D FF 6E 0D F1 9F E2 B5 FA B1 15 C6 5F 0C CC 25 A2 8F 05 DB DB B1 64 A9 5D 19 72 47 A0 9A E8 E4 76 E0 36 3B C0 38 7D 2F 23 B8 71 99 3B 52 24 96 11 47 54 A7 BC 5D 40 01 91 1A 4D 46 37 2E F3 9A C4 BB 00 6A EC 9A 36 C8 98 B2 04 39 B2 CD 22 AA 3C 59 15 2E 49 2E F7 76 C5 70 9B FB A4 61 50 53 54 45 DA 40 5C 21 AE 78 24 19 0F 13 AE 12 04 23 1B B9 5F 9B AA C2 C9 B1 5B FB 04 42 A3 84 28 2B F1 5C 11 FD 1E B3 5E D2 94 E5 D3 AB B7 1B 58 BC 36 D0 1E 18 6C 0E 65 B3 DD 34 B2 A5 45 67 80 BF 8F 34 E6 DE 46 43 D1 C0 EC F9 FC DB 46 19 DA C6 14 33 5C DF 27 1C FF F3 EC 99 18 46 19 41 E8 4A 6F B9 08 66 E2 08 9D 8A 72 56 01 5F 0D 7E EA 69 C4 8E C9 B6 88 E7 DA 12 96 CF 11 63 89 6C FB 5E 41 44 D8 1D 85 31 34 08 95 1E 82 E6 A5 11 D9 80 CC 43 95 BC 09 0E 56 6F 74 D1 21 3C 06 55 03 12 6F 77 A4 8F F0 7B 5B 8D E1 83 0F 36 06 09 84 A1 05 EE 58 70 ED 38 B4 7A A3 18 C8 5E 2B 0B 95 15 BD 42 BC 85 DB 01 4D 21 6F 0F B0 D3 5A 04 D3 BD DB 27 54 D4 C9 32 EA 95 3C 4A 26 DD 46 D5 B6 CD 8D 37 9C 1B 32 DC F1 22 63 CB 37 69 5F 9E 94 97 1B E5 CC 6B C3 8C 93 C2 34 C5 C7 A9 39 C5 5C B5 4A 54 AD DE 3B 05 82 41 B7 AD B7 46 FC 94 3A EE 14 F1 28 8B 36 BE DE F3 D6 25 D3 2E 16 88 A2 8D 23 3B 5F DC 75 DA 5E 14 FC 62 FF 2F EA A7 D5 53 70 C1 7E 5F D4 75 8E 0C A9 D8 CE D1 22 D8 F6 27 0B EF 6B A3 77 37 75 BE EF E7 ED BC 14 49 6F 52 D2 F7 77 3B F8 44 89 E0 1F 1B 37 2C EC BC 3B A4 62 3B 3F 07 D4 1D 04 F5 9D 51 1B CE EE BC 8D 92 40 47 E7 FD 48 BA 82 92 AE B9 FB C8 AD 92 98 C6 C1 5F 5F 21 71 55 3D F5 BB 4B 3A 1F F3 63 3B 45 5D 8C B6 25 94 E1 E3 DF AC 79 BE F3 BF 0D 95 97 E9 9C 4D 49 C3 C7 79 7F 97 08 2A EF AD FC 5B E7 CF 0C 15 DB 79 17 10 8C 24 A8 F5 AD E6 3F 3B BF 4B 49 5F C5 AF EB EF 7C 0B 49 51 91 E4 64 44 CF AC 74 27 88 96 EF E8 02 D6 BF 98 88 DC D5 8F EC 44 E4 FB 14 D9 E9 47 4E 44 E4 F3 14 39 CF 8F 1C 87 C8 BB 29 F2 78 3F 72 14 22 7F 44 91 E7 F8 91 C3 11 79 21 45 FE C2 8F 6C 44 E4 6A 8A 7C D9 8F AC 46 E4 51 14 F9 85 1F 19 43 E4 BE 14 59 12 52 91 DF A2 46 13 29 B2 DA 8F FC 07 22 87 53 64 93 1F F9 08 B2 97 51 64 BB 1F 89 3E 6C FB 5B 08 91 FB FB 91 98 C3 DA 3E A2 C8 63 FD C8 3B 10 F9 32 45 9E E5 47 DE 8B 48 F4 70 76 4F C1 7A CD 98 C7 ED B6 9F E2 BD 4D BF 5F 8D F7 0E FD 7E 3E DE 27 E9 F7 D3 30 A7 ED 86 D0 0A 84 5A 30 CF 2D F1 E3 0E 43 28 8D D0 DC 10 0F 64 BB 6D 16 42 BB 23 34 09 A1 7A 9A 0F 27 42 87 18 A5 DE 5D 41 50 2C F3 03 50 DA 06 69 5A 92 6D 17 8F AA 70 3C 9C D9 2C 22 3D 41 4F 4C 84 1F 08 84 DF 06 70 27 14 A9 49 F8 99 0C 04 7F 44 DC 14 BC 4A A0 BF 20 62 2A 64 48 5B 20 F6 9F 22 B6 C4 ED 42 0E C7 0C E6 20 99 13 0F B7 3B F4 60 D9 9B DD 0B 82 B9 C4 9B 86 47 CA 9B 8E 47 D2 9B C1 8F 99 1C 39 0B 25 EC 0D E9 2E 2B 76 90 40 90 9D 8C 46 6B 83 8A 6E 67 52 66 70 F0 67 5B 29 69 34 A0 26 52 70 04 24 95 98 B5 C2 4A 0E C6 21 8F F6 01 2E 10 63 67 F7 00 58 51 99 B8 D7 78 5E 2E EC 23 06 0A D6 24 0F 8B E7 20 23 F7 DF 77 C2 FC 87 78 C8 CD 2A A1 FB 4C 94 69 05 A2 BF C9 94 A2 BF 89 83 CB 49 EF C9 9D 0B 44 17 87 04 BE AA B1 61 E3 78 85 67 77 A1 25 36 55 84 7B 3E 11 FA 79 45 84 84 6D 85 BD 76 10 1E CE 5A C8 DC 8A E8 5A 51 AD B0 B5 16 FA 76 D8 15 15 B5 23 AE 10 9D 42 C3 1C 5B 44 C3 84 26 D6 F8 B9 A8 0D 89 5C 9A AE 47 FF 31 4D E5 0E 33 C1 78 B1 B4 7A 3E D8 2B D0 84 3B C4 1C 6A 64 C6 09 9A B7 60 09 E5 CE 46 BF CE 01 D2 7D 31 63 01 84 E0 B0 CE 48 A8 75 46 82 E7 B1 89 06 58 37 02 3D 81 98 6A 3F 70 C7 32 53 32 64 AC A1 CE DD 5F 3C 6D F7 00 A8 5F 79 7C E7 A4 DC 03 C1 3D 2E 7A 8E D8 8D E1 CA F2 E0 A2 12 8E 5A EB 8D B0 68 2D CF 8A 18 76 79 89 27 A4 A4 DD 9B C4 44 B5 51 84 E4 7B 35 DE 2F 14 A1 EC FB 02 0A 83 C1 9D 8B 51 11 A9 8C 64 B2 A0 6C 1E 9A 65 3E B0 A7 05 80 60 D8 5D C5 63 24 F7 46 A2 CB 3D 08 29 4F 44 80 6F A6 45 E9 A2 86 2D CD 25 DE 1C F1 96 F4 EE A4 92 10 4E 79 CF FB E1 A4 F7 74 20 CC 30 7B 89 DF 9C 06 C8 FC 40 14 9F C8 56 98 82 25 4C E0 F4 3E 16 B5 E9 15 8A 5B B8 C4 DB 18 1E 88 53 85 AE 36 9E A9 13 55 33 84 BC 30 A6 80 CB A5 AE A6 78 75 4E 88 FF 14 AF D6 8F 8D 12 9C 8D 79 15 AD 16 B3 75 71 49 6F 5D 58 4E CF AC CB D9 3C 6A 07 28 3F 34 04 63 C5 36 92 43 94 3E 24 D6 F2 63 58 97 40 39 87 89 77 A7 58 39 D9 05 68 CC 8B C4 6B 69 61 61 8E F7 8D 68 21 92 1A A9 B2 BE 1A E8 0D 65 7D F1 1C 02 44 04 CA 8A 06 68 A8 1F AE 69 D8 7B 6F 23 0E 1A 14 3F F7 66 AE 17 2D BC 16 1C 90 F9 15 42 E0 8D CC CF 2D 11 4A 31 BF D6 1B 47 62 D6 FE 8F F2 EB 40 70 86 AF 25 9D 0B CE 85 40 2C 8B 66 DE 17 D4 90 54 8C 0E B9 D8 A1 55 AC 7B 28 88 F8 54 C4 BB 0B 81 43 AC EA 62 9B 9A 52 24 96 37 35 D5 E4 61 77 0F A3 E4 DA CC 29 61 24 D7 39 9B 9A EA 33 67 23 EC 1E 0E 98 EF D0 88 21 D9 1A 65 B9 1B 65 19 DB F6 1D 08 CB 23 80 82 0A BC 2A 1C 2C B0 C6 3B 92 66 90 62 A5 11 25 4E 60 9A 58 8C EA A1 17 72 D4 ED DC 85 E3 5E FB 0D CC B3 90 BB 49 D1 0F A2 9F 8D 99 21 43 77 A8 FC 77 68 88 FF 6C 9F 97 2B 8D 6B 50 50 1E 8F 15 23 76 20 D6 DE 41 CD 85 62 59 04 99 77 94 AA 29 AF 10 9C ED 0E 13 B9 6E B0 8D A6 16 AE 92 69 2C 34 1A 4E D5 D5 BB E0 02 35 66 2A 8D 3B C5 7B 6C 27 EA F3 6F 0C A1 A3 FF B7 1D EC 89 9C B1 44 BF 55 D6 37 2C BF 53 8B 8F 45 59 CF F4 58 55 4F CF 18 F9 3D 5D CF 1F FD 28 77 5C 56 89 71 F7 37 99 C6 51 56 40 91 13 4B 66 C3 CA D4 45 D4 FB 3C 7A 1F E5 BF 9F 85 D6 25 7D 27 7B 0C 14 07 56 2D F4 40 6A CA 88 85 E8 4A 62 7C A9 54 48 85 03 A6 C1 98 B7 04 CC BF FD FC CB FF 2F F3 5F BB E3 FC 34 FF D6 8F 8D 93 C4 16 8B DC B8 6A 87 5C 15 27 66 67 1E F1 2B 0E 59 68 67 9E F1 DF 6F 25 36 33 2D 4C EC 76 C3 B0 D2 B6 75 18 53 C7 41 AE 24 CB DB D0 FB D1 92 1B 77 85 9E 22 26 3D 6F 29 3A EE 78 E4 9B 8E 66 EF 16 02 56 45 7B 27 88 9F 7E 7B 19 D8 6B B9 C1 2B E3 96 76 AC B9 9D 86 61 53 12 18 9D A5 66 10 16 E5 DB 25 A9 85 E5 25 62 31 DF 7A 8D 93 5A 58 AA 55 8C DE 52 CC B8 27 89 50 BB F7 ED B7 DF F6 0D 27 31 80 65 0B A5 E4 2C 51 A1 9A 91 42 2C D7 A4 ED C6 E6 F7 D9 AE 54 35 B6 DA B8 C9 20 1B 44 BC 78 BE EC C9 E2 67 2D 92 0A 74 AF 2D 91 82 65 B7 99 5D 21 C0 7B 50 6B 2B F3 55 24 D8 C8 54 A5 94 94 BE 99 BF 8B B4 4D 49 CF 83 FC 4F 96 B6 0D 45 A3 3B 64 50 2C E3 46 8B 7A 2B D1 0E A7 90 68 5F 58 EA D8 A2 09 FA D2 AC C7 6D 47 1F C4 02 42 EA 83 FF A3 8A B7 8A EB 83 F5 63 87 1B EB 58 0E 4A BE C8 51 6A F3 5A 00 49 6D 58 25 B2 95 F2 29 21 15 1B 17 D6 4B 2B 25 2B 7D 19 10 9C 45 8D 2A 0D 77 55 41 CC 6A E0 5A C3 52 EF 54 B0 4F F6 34 C8 86 68 12 0B F7 1C C8 EF E2 E5 74 D4 BC 11 8C 4B 3F BD 9F 99 A0 0D 36 AA E6 DE 4F 45 B8 DF DE 03 7A 68 37 38 7F 2D 12 7B CF 40 B6 1E BC 97 B8 BD 08 9F 89 12 F3 5B 68 7F DD 42 31 5B 46 BA 95 68 20 8E 4C A8 C8 12 6F AD 1C 49 81 B6 F3 CE 2A 3E 0B 21 26 4A 31 51 25 24 01 C9 76 2B 08 6E 6A 5B E6 D7 07 FB 05 BF F2 B4 45 8D 9C E4 3E C1 DC 85 39 4A D4 88 F6 86 F6 08 CC 51 88 17 ED 67 6C 29 32 77 01 D3 4A 11 B7 46 CE 5D 6C DF A8 36 CE CB 91 7D AC 13 84 68 30 0F 24 51 1A ED C2 65 DA 24 5B CD BF 41 51 93 39 00 AD B4 8E 63 66 E6 4A 9D C0 A2 31 67 72 E6 B1 57 69 AC 58 AB 6C BA 49 E3 B2 01 69 A4 29 25 73 18 8A 39 9B 4A CC 88 60 66 6D 11 0A 6F B2 83 1A 82 B7 1E 9D 4E 15 F4 CE 41 F2 DD B6 AA 1F BF BF 62 4B B1 B9 7D 6A 0D 9F DE D3 2E 54 F4 0E 36 7E 2C 62 2A FC F1 52 40 6F 53 A6 CB 91 04 37 73 38 E5 9D 6B 48 1D 3C 8F 6E 4D 6D C3 2E A4 FF 65 AE 76 94 46 48 F5 B4 29 9C 74 DB B1 9A 4C D2 10 0B AC B0 02 64 0F A4 17 48 FA CF BC 4C CF FF 3F 31 48 57 1F 98 FE 37 03 F4 BF E9 D3 DF 34 60 05 32 13 A3 A2 5B 90 5A 58 9F 05 D1 A2 F5 E9 D4 F5 D9 61 2D 54 1D CE B9 4A D5 A1 D9 B8 33 44 FB 8A 4A 66 C5 7D 03 E1 A5 86 54 7D 3B C6 28 9D 24 73 AE A0 A1 C6 3B 0F 68 07 D2 B4 DA F6 37 A4 A2 9C 33 18 3E 8A 16 D4 58 EB A5 85 23 82 27 5F 56 7A 03 8C 24 C9 18 56 E2 93 41 A2 E6 FC 5C 76 CB 33 A9 C4 6C 32 A9 94 3A DA A0 E2 68 7B 8A C3 96 92 0B 8C A0 A5 C4 21 43 49 3E BD 5D 46 81 D9 C4 29 66 67 E1 DC 76 51 33 4B 81 1E CA 4D 65 EF A4 91 25 D0 C5 52 87 83 76 7E E1 8F 78 4C 19 C6 CD 46 C3 D3 1C 36 8D 8F 8C 0B 4E 0C 91 68 AB 1A 1B 31 5A C5 33 8E 7E 6E 07 37 37 3E 7D FD 90 B3 30 55 42 51 30 1D EF 42 81 D0 3E BA F1 FB 21 23 74 18 CF 90 A6 77 91 88 6B FD AD 9A DF 5A 7B 6B 05 6B 98 DE 06 2E DA 7F 5F 24 DF 51 46 27 71 97 D0 87 2F 46 B3 9B A5 C9 B2 B6 06 D4 34 7A 59 B9 9D 69 15 9D 56 B2 81 B6 49 36 A2 39 2E 41 7D A2 A9 85 65 51 47 4C C6 EF DA B4 2B 98 96 B6 15 C6 55 35 10 AE 69 FF 0E AE B0 21 F8 D9 48 A0 EE 1B 97 D1 E6 04 B6 31 52 8B 80 B2 02 12 3F 6A 3A 97 5D E7 88 08 C2 00 D5 E0 2B 9B 74 83 56 D3 BD 14 4D 3F 9D A7 14 63 63 1D 65 6F AA 35 B7 5D D7 54 63 0E 3B 56 3C 52 66 C3 60 3C 93 66 43 8D 78 A6 0F A8 61 98 94 49 91 80 49 0B 3C 97 05 F1 28 9D 7A 4C F6 7B E2 B1 16 0D 99 5E 60 56 F7 D4 A3 45 29 C9 B4 7A EA C8 4C 63 CC 31 BB 11 32 BB 91 E8 7D 9F EA 75 A1 C9 AF A9 85 9C A5 9B 7F 01 E7 5D 2E 20 FA 45 C6 11 12 1F CA 5B E0 23 1D 0A C0 70 CF 10 4E 68 35 BB 11 81 91 47 74 1D 10 78 6F 62 3D 27 9D 17 B7 B8 48 DC 4A C4 4D 34 BB 81 D5 92 24 02 F7 10 45 0F 70 2F 15 A5 0F 43 E9 66 37 1E A4 BF F5 34 30 1D 55 63 A3 A4 83 89 75 66 3C 19 6B AB 26 5D 77 A4 48 B3 09 9B B7 00 BB 08 A9 85 31 9B 63 09 67 6B 9F 7C B9 42 8E 05 EA 6B DE BF 48 06 F6 21 7A 46 50 DB 30 B6 2B C1 E6 4A 8F 2F 31 84 BC 32 84 0A 14 AF 8E 55 97 5A 44 51 99 44 7A 95 08 97 B7 61 37 AA D2 72 AF 36 60 90 05 01 D1 78 B8 1B 34 7B D7 40 42 92 79 B2 B4 6F 08 43 5D 2B A2 46 6F ED AB A0 B7 FE 64 04 DB 1F AC BB 90 9E 6C 8A 92 DA E7 62 BA 63 FE C6 2A AD 06 3C 69 61 7D 27 28 AD EE 82 5A 92 48 07 6B 2E EB B5 CE EC 16 0A 79 B8 A6 B3 9C 26 77 34 87 59 D3 33 9C B8 E5 50 D9 77 12 A6 36 08 53 9B 07 23 F8 EE 70 04 AB C6 56 18 0F 8B F7 5A 94 AF 9B 34 66 37 0C 9A 0C D7 89 C6 B5 A8 D9 B6 85 DB 4A 2D C7 FB 01 84 3A 76 A9 ED 46 F8 D9 4C 26 F1 81 8D 17 95 68 9F E0 5E A7 B8 BB CC D2 7B 85 6D 70 95 69 FC 20 08 49 1B 8C 05 80 62 E1 03 7B B0 C5 A4 94 50 CD 89 49 DC 73 50 8B 40 AC E5 AD 56 8B 18 BB F5 55 A9 BF 97 1B 9B 45 EE BA 81 EA 72 E9 8E EA F2 DE 4E D7 A5 6F A7 EA 92 F4 D9 B7 08 D1 9F 92 2E 21 E8 9E 6F 5A 1B 84 48 0F F5 34 A2 8B EA A9 A7 90 86 F8 7D FC F8 21 7E 3C 78 06 F6

Signature Hits	Behavior Group	Mitre Attack
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry

Memdumps

Base Address

Regiontype

Protect

Malicious

472000

unkown

page readonly

2A44000

trusted library allocation

page read and write

2751000

trusted library allocation

page read and write

7FFD9B76D000

trusted library allocation

page execute and read and write

1B202000

heap

page read and write

1A633130000

heap

page read and write

3FA0DEC000

stack

page read and write

1A634CF5000

heap

page read and write

8F6000

heap

page read and write

29B1000

trusted library allocation

page read and write

29C8000

trusted library allocation

page read and write

CB0000

trusted library allocation

page read and write

19A1E540000

heap

page read and write

1B054000

heap

page read and write

A60000

heap

page read and write

7FFD9B78D000

trusted library allocation

page execute and read and write

2849000

trusted library allocation

page read and write

7FFD9B910000

trusted library allocation

page read and write

635EBFF000

stack

page read and write

7FFD9B960000

trusted library allocation

page read and write

19A1E660000

heap

page read and write

D70000

heap

page execute and read and write

7FFD9B880000

trusted library allocation

page execute and read and write

7FF4AC300000

trusted library allocation

page execute and read and write

1BC5A000

stack

page read and write

1B30A000

heap

page read and write

1BD5C000

stack

page read and write

1B81D000

stack

page read and write

1B61F000

stack

page read and write

19A1E653000

heap

page read and write

635EAFF000

unkown

page read and write

1BE55000

stack

page read and write

26BF000

stack

page read and write

1A750000

trusted library allocation

page read and write

2974000

trusted library allocation

page read and write

292B000

trusted library allocation

page read and write

7FFD9B950000

trusted library allocation

page read and write

1C15C000

stack

page read and write

1B120000

heap

page read and write

95D000

heap

page read and write

19A1E620000

heap

page read and write

2740000

heap

page read and write

7FFD9B9B0000

trusted library allocation

page read and write

1B41E000

stack

page read and write

7FFD9B9C4000

trusted library allocation

page read and write

D20000

heap

page execute and read and write

7FFD9B77D000

trusted library allocation

page execute and read and write

635E73B000

stack

page read and write

7FFD9B760000

trusted library allocation

page read and write

1B91C000

stack

page read and write

B6D000

stack

page read and write

2954000

trusted library allocation

page read and write

19A1E7A0000

heap

page read and write

A65000

heap

page read and write

1B51E000

stack

page read and write

19A1E661000

heap

page read and write

2A90000

trusted library allocation

page read and write

7FFD9B780000

trusted library allocation

page read and write

19A1E661000

heap

page read and write

963000

heap

page read and write

DD0000

heap

page read and write

1B71F000

stack

page read and write

2A8E000

trusted library allocation

page read and write

7FFD9B947000

trusted library allocation

page read and write

19A1E62A000

heap

page read and write

1B036000

heap

page read and write

7FFD9B763000

trusted library allocation

page execute and read and write

29BC000

trusted library allocation

page read and write

1A6332E0000

heap

page read and write

19A1E661000

heap

page read and write

930000

heap

page read and write

1B1FC000

heap

page read and write

7FFD9B9A0000

trusted library allocation

page read and write

1A633250000

heap

page read and write

2A73000

trusted library allocation

page read and write

2A81000

trusted library allocation

page read and write

19A1E7B0000

heap

page read and write

7FFD9B980000

trusted library allocation

page read and write

19A1E650000

heap

page read and write

1B113000

heap

page read and write

19A1E720000

heap

page read and write

1BF57000

stack

page read and write

2A40000

trusted library allocation

page read and write

1A634CF0000

heap

page read and write

12751000

trusted library allocation

page read and write

7FFD9B9C0000

trusted library allocation

page read and write

1B1C3000

heap

page read and write

7FFD9B990000

trusted library allocation

page read and write

1A633210000

heap

page read and write

1275E000

trusted library allocation

page read and write

19A1E661000

heap

page read and write

7FFD9B816000

trusted library allocation

page read and write

C90000

trusted library allocation

page read and write

2886000

trusted library allocation

page read and write

7FFD9B820000

trusted library allocation

page execute and read and write

2A6C000

trusted library allocation

page read and write

1AAD5000

heap

page read and write

7FFD9B920000

trusted library allocation

page execute and read and write

7FFD9B770000

trusted library allocation

page read and write

1C257000

stack

page read and write

1B020000

heap

page read and write

7FFD9B784000

trusted library allocation

page read and write

7FFD9B967000

trusted library allocation

page read and write

7FFD9B970000

trusted library allocation

page read and write

7FFD9B81C000

trusted library allocation

page execute and read and write

470000

unkown

page readonly

7FFD9B940000

trusted library allocation

page read and write

A30000

heap

page read and write

2889000

trusted library allocation

page read and write

9F0000

heap

page read and write

19A1E652000

heap

page read and write

470000

unkown

page readonly

810000

heap

page read and write

3FA107E000

stack

page read and write

7FFD9B949000

trusted library allocation

page read and write

7FFD9B930000

trusted library allocation

page read and write

5C4000

stack

page read and write

19A1E663000

heap

page read and write

19A1E740000

heap

page read and write

933000

heap

page read and write

7FFD9B78B000

trusted library allocation

page execute and read and write

BB0000

trusted library section

page read and write

267F000

stack

page read and write

27AA000

trusted library allocation

page read and write

7FFD9B9D0000

trusted library allocation

page execute and read and write

19A1E661000

heap

page read and write

BAF000

unkown

page read and write

7FFD9B773000

trusted library allocation

page read and write

DD5000

heap

page read and write

1A6332E8000

heap

page read and write

95F000

heap

page read and write

A10000

heap

page read and write

7FFD9B764000

trusted library allocation

page read and write

1ACDD000

stack

page read and write

7FFD9B7BC000

trusted library allocation

page execute and read and write

91B000

heap

page read and write

3FA10FE000

stack

page read and write

7FFD9B810000

trusted library allocation

page read and write

7FFD9B94E000

trusted library allocation

page read and write

1B04B000

heap

page read and write

1BA1D000

stack

page read and write

1A780000

trusted library allocation

page read and write

7FFD9B900000

trusted library allocation

page read and write

7FFD9B846000

trusted library allocation

page execute and read and write

12761000

trusted library allocation

page read and write

8F0000

heap

page read and write

19A1E650000

heap

page read and write

47E000

unkown

page readonly

There are 138 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
xXQ39a5f9EJP.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportxXQ39a5f9EJP.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
xXQ39a5f9EJP.exe