Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Wt3pGldAnr.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.319162531570145
Filename:	Wt3pGldAnr.exe
Filesize:	3218944
MD5:	0707cfd47743293d37378ee4465baf5c
SHA1:	3ec3e1da7ca748292eb3d0990a763d58e04ebb09
SHA256:	fb65c9da76587966b0fd53c34119aedd57e771899531146943b79bbb2cc129c3
SHA512:	b989b282d247b5f64b98d658524cc2ae9ec44b105b31b8654c6868c4a545fb6a59310ca6c3bb9613d4b02e64d6bdb5e322c0498ba8572eb58adabe08d25f25c0
SSDEEP:	98304:zIYSSR0z8vvZpdmI6RSTSGcNoIv0kGX4g7O9P9LfetG25NJn:zIdy0ohgBGImO9P9LfeHJ
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u..41.bg1.bg1.bg^..g..bg^..g..bg^..gI.bg8..g>.bg8..g..bg1.cg-.bg^..g?.bg^..g0.bg^..g0.bgRich1.bg........................PE..L..

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (creates a PE file in dynamic memory)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to capture and log keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing	Access Token Manipulation
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion
Contains functionality to inject threads in other processes	HIPS / PFW / Operating System Protection Evasion
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)	HIPS / PFW / Operating System Protection Evasion	Access Token Manipulation
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	Access Token Manipulation System Shutdown/Reboot
Contains functionality to read the clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Creates COM task schedule object (often to register a task for autostart)	Spreading	Scheduled Task/Job Access Token Manipulation
Creates a DirectInput object (often for capturing keystrokes)	Key, Mouse, Clipboard, Microphone and Screen Capturing	File and Directory Discovery
Detected potential crypto function	System Summary	Access Token Manipulation System Time Discovery Process Discovery Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior	Access Token Manipulation Process Discovery
Enables debug privileges	Anti Debugging
Enables driver privileges	System Summary	LSASS Driver
Enables security privileges	System Summary
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion	Access Token Manipulation System Time Discovery
Found evasive API chain (may stop execution after accessing registry keys)	Malware Analysis System Evasion	Access Token Manipulation System Time Discovery
Found evasive API chain (may stop execution after checking a module file name)	Malware Analysis System Evasion	Access Token Manipulation
Found evasive API chain checking for process token information	Malware Analysis System Evasion	Access Token Manipulation Process Discovery
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation System Time Discovery
Installs a global mouse hook	Key, Mouse, Clipboard, Microphone and Screen Capturing
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
PE file contains an invalid checksum	Data Obfuscation	File and Directory Discovery
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enum processes or threads	System Summary	Access Token Manipulation Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to modify the execution of threads in other processes		Access Token Manipulation
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation
Contains functionality to query local drives	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to query system information	Malware Analysis System Evasion	System Information Discovery
Contains functionality to query time zone information	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to register its own exception handler	Anti Debugging
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates mutexes	System Summary	Access Token Manipulation
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Program exit points	Malware Analysis System Evasion
Queries a list of all running processes	Malware Analysis System Evasion
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
PE file contains a valid data directory to section mapping	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file imports many functions	System Summary
PE file has a big raw section	System Summary	Disable or Modify Tools
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\StartMenuExperienceHos.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\ProgramData\StartMenuExperienceHos.exe
Category:	dropped
Dump:	StartMenuExperienceHos.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\Wt3pGldAnr.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.319162531570145
Encrypted:	false
Ssdeep:	98304:zIYSSR0z8vvZpdmI6RSTSGcNoIv0kGX4g7O9P9LfetG25NJn:zIdy0ohgBGImO9P9LfeHJ
Size:	3218944
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Found evasive API chain (may stop execution after checking a module file name)	Malware Analysis System Evasion	Native API
Found large amount of non-executed APIs	Malware Analysis System Evasion
Program exit points	Malware Analysis System Evasion
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\ProgramData\StartMenuExperienceHos.exe:Zone.Identifier

ASCII text, with CRLF line terminators

modified

Details

File:	C:\ProgramData\StartMenuExperienceHos.exe:Zone.Identifier
Category:	modified
Dump:	StartMenuExperienceHos.exe_Zone.Identifier.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Wt3pGldAnr.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found evasive API chain (may stop execution after checking a module file name)	Malware Analysis System Evasion	Native API
Found large amount of non-executed APIs	Malware Analysis System Evasion
Program exit points	Malware Analysis System Evasion
Tries to load missing DLLs	System Summary	DLL Side-Loading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Wt3pGldAnr.exe

"C:\Users\user\Desktop\Wt3pGldAnr.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5332
Target ID:	0
Parent PID:	2580
Name:	Wt3pGldAnr.exe
Path:	C:\Users\user\Desktop\Wt3pGldAnr.exe
Commandline:	"C:\Users\user\Desktop\Wt3pGldAnr.exe"
Size:	3218944
MD5:	0707CFD47743293D37378EE4465BAF5C
Time:	05:59:00
Date:	19/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xda0000
Modulesize:	3272704
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (creates a PE file in dynamic memory)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\StartMenuExperienceHos.exe

"C:\ProgramData\StartMenuExperienceHos.exe"

Details

Is windows:	false
Is dropped:	true
PID:	6636
Target ID:	1
Parent PID:	5332
Name:	StartMenuExperienceHos.exe
Path:	C:\ProgramData\StartMenuExperienceHos.exe
Commandline:	"C:\ProgramData\StartMenuExperienceHos.exe"
Size:	3218944
MD5:	0707CFD47743293D37378EE4465BAF5C
Time:	05:59:09
Date:	19/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x5e0000
Modulesize:	3272704
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection

C:\Users\user\Desktop\Wt3pGldAnr.exe

Details

Is windows:	false
Is dropped:	false
PID:	6880
Target ID:	3
Parent PID:	1044
Name:	Wt3pGldAnr.exe
Path:	C:\Users\user\Desktop\Wt3pGldAnr.exe
Commandline:	C:\Users\user\Desktop\Wt3pGldAnr.exe
Size:	3218944
MD5:	0707CFD47743293D37378EE4465BAF5C
Time:	05:59:11
Date:	19/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xda0000
Modulesize:	3272704
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (creates a PE file in dynamic memory)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery
PE file contains an invalid checksum	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

https://zh-hans.ipshu.com/my_infoInternetOpenUrl

unknown

Details

Name:	https://zh-hans.ipshu.com/my_infoInternetOpenUrl
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\Wt3pGldAnr.exe
Source:	Wt3pGldAnr.exe, 00000000.00000002.1788227901.00000000032E0000.00000040.00001000.00020000.00000000.sdmp, Wt3pGldAnr.exe, 00000000.00000002.1787973230.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, Wt3pGldAnr.exe, 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Wt3pGldAnr.exe, 00000000.00000002.1788120725.00000000031C0000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://zh-hans.ipshu.com/my_info

unknown

IPs

Domain

Country

Malicious

156.255.0.191

unknown

Seychelles

Details

IP:	156.255.0.191
TargetID:	0
Current Path:	C:\Users\user\Desktop\Wt3pGldAnr.exe
Country:	Seychelles
Countrycode:	SYC
ASN number:	134548
ASN name:	DXTL-HKDXTLTseungKwanOServiceHK
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Console\0

d33f351a4aeea5e608853d1a56661059

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\Console\0
Value name:	d33f351a4aeea5e608853d1a56661059
Value data:	00 00 00 00 7B 76 55 5F 21 6A 57 57 2E 00 64 00 6C 00 6C 00 5F 00 62 00 69 00 6E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BF 09 05 00 35 00 38 00 33 00 64 00 66 00 34 00 33 00 38 00 35 00 30 00 36 00 31 00 36 00 31 00 37 00 34 00 32 00 31 00 39 00 65 00 62 00 63 00 61 00 66 00 37 00 36 00 32 00 35 00 63 00 64 00 30 00 63 00 00 00 89 7E 0C 89 BE A4 00 00 00 89 BE AC 00 00 00 89 BE A8 00 00 00 89 7E 2C 89 7E 28 89 7E 4C 89 7E 6C 89 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E9 92 04 00 00 55 8B EC 83 EC 18 53 56 8B 71 3C 57 89 55 F4 8B 44 0E 78 85 C0 74 6D 83 7C 0E 7C 00 74 66 8B 5C 08 18 89 5D F8 85 DB 74 5B 8B 54 08 1C 8B 74 08 20 03 D1 8B 44 08 24 03 F1 89 55 E8 03 C1 33 D2 89 75 F0 89 45 EC 85 DB 74 3A 8B 3C 96 33 F6 03 F9 89 7D FC 8A 07 84 C0 74 17 8B DF 69 F6 83 00 00 00 0F BE C0 03 F0 43 8A 03 84 C0 75 EE 8B 5D F8 81 E6 FF FF FF 7F 3B 75 F4 74 11 8B 75 F0 42 3B D3 72 C6 33 C0 5F 5E 5B 8B E5 5D C3 83 7D 08 00 75 11 8B 45 EC 0F B7 04 50 8B 55 E8 8B 04 82 03 C1 EB E2 57 51 FF 55 08 EB DB 55 8B EC 51 83 65 FC 00 E8 00 00 00 00 58 2D BD 10 BA 00 89 45 FC 8B 45 FC 8B E5 5D C3 55 8B EC 51 51 64 A1 30 00 00 00 53 56 57 8B 40 0C 8B D9 8B 50 14 EB 41 0F B7 72 24 33 C9 8B 7A 28 D1 EE 85 F6 7E 1E 0F B7 07 8D 7F 02 83 F8 61 72 05 05 E0 FF 00 00 69 C9 83 00 00 00 0F B7 C0 03 C8 4E 75 E2 81 E1 FF FF FF 7F 81 F9 E6 9C CA 1C 0F 84 9F 00 00 00 8B 12 85 D2 75 BB 33 F6 6A 00 BA 54 B8 B9 1A 8B CE E8 CB FE FF FF 50 BA 78 1F 20 7F 89 03 8B CE E8 BC FE FF FF FF 33 BA 62 34 89 5E 89 43 04 8B CE E8 AB FE FF FF FF 33 BA 73 80 48 06 89 43 08 8B CE E8 9A FE FF FF FF 33 BA A5 F2 5C 70 89 43 0C 8B CE E8 89 FE FF FF 83 C4 14 89 43 10 8D 45 F8 C7 45 F8 6E 74 64 6C 66 C7 45 FC 6C 00 50 FF 53 04 FF 33 8B F0 BA CB 79 B5 0D 8B CE E8 5F FE FF FF FF 33 BA C0 E9 18 15 89 43 14 8B CE E8 4E FE FF FF 59 59 5F 5E 89 43 18 5B 8B E5 5D C3 8B 72 10 E9 61 FF FF FF 55 8B EC 83 EC 18 8B C2 89 4D FC 89 45 F4 53 56 85 C0 75 07 33 C0 E9 92 02 00 00 BA 4D 5A 00 00 66 39 10 75 EF 57 8B 78 3C 03 F8 81 3F 50 45 00 00 0F 85 73 02 00 00 B8 4C 01 00 00 66 39 47 04 0F 85 64 02 00 00 83 C0 BF 66 39 47 18 0F 85 57 02 00 00 6A 40 68 00 10 00 00 FF 77 50 33 DB 53 FF 51 08 8B F0 85 F6 0F 84 3D 02 00 00 FF 77 54 8B 45 FC FF 75 F4 56 FF 50 18 8B 7E 3C 33 C0 03 FE 89 5D F0 89 7D EC 66 3B 47 06 73 58 8B 5D F4 8D 87 08 01 00 00 89 45 F8 8B 48 FC 85 C9 74 2B 03 CE 83 38 00 74 11 FF 30 8B 40 04 03 C3 50 8B 45 FC 51 FF 50 18 EB 10 83 7F 38 00 76 0D FF 77 38 8B 45 FC 51 FF 50 14 8B 45 F8 8B 4D F0 83 C0 28 89 45 F8 41 0F B7 47 06 3B C8 89 4D F0 8B 45 F8 7C B6 33 DB 8B 87 A0 00 00 00 85 C0 74 60 39 9F A4 00 00 00 74 58 8D 0C 30 EB 45 8D 42 F8 89 5D F4 D1 E8 89 45 F8 85 C0 7E 31 0F B7 54 59 08 8B C2 C7 45 F4 00 30 00 00 25 00 F0 00 00 66 3B 45 F4 75 10 81 E2 FF 0F 00 00 8B C6 03 11 2B 47 34 01 04 32 43 3B 5D F8 7C D1 33 DB 8B 45 F0 03 08 8D 41 04 8B 10 89 45 F0 8B 01 03 C2 75 AD 8B 87 80 00 00 00 85 C0 74 7F 39 9F 84 00 00 00 74 77 03 C6 EB 69 03 C6 50 8B 45 FC FF 50 04 89 45 E8 85 C0 0F 84 22 01 00 00 8B 45 F8 8B 08 85 C9 75 03 8B 48 10 8B 50 10 03 CE 89 4D F0 03 D6 89 55 F4 8B 09 85 C9 74 33 8B 5D FC 8B FA 79 05 0F B7 C1 EB 05 8D 46 02 03 C1 50 FF 75 E8 FF 13 89 07 83 C7 04 8B 45 F0 83 C0 04 89 45 F0 8B 08 85 C9 75 DA 8B 7D EC 33 DB 8B 45 F8 83 C0 14 89 45 F8 8B 40 0C 85 C0 75 8D 8B 8F C0 00 00 00 85 C9 74 3F 8B 4C 31 0C 33 D2 6A 03 58 2B C1 89 4D F0 C1 E8 02 85 C9 89 5D F4 0F 45 C2 89 45 E8 85 C0 74 1F 8B F8 53 6A 01 56 FF 11 8B 4D F0 8B 45 F4 83 C1 04 40 89 4D F0 89 45 F4 3B C7 75 E6 8B 7D EC 8B 47 28 03 C6 74 08 FF 75 08 6A 01 56 FF D0 83 7D 0C 00 0F 84 8D 00 00 00 8B 45 10 85 C0 0F 84 82 00 00 00 89 18 8B 47 78 85 C0 74 79 39 5F 7C 74 74 39 5C 30 18 74 6E 8B 4C 30 1C 8B 54 30 20 03 CE 89 4D F4 03 D6 8B 4C 30 24 03 CE 89 55 EC 89 4D F0 39 5C 30 14 76 4D 8B F8 8B 04 9A FF 75 0C 03 C6 50 8B 45 FC FF 50 10 85 C0 74 24 8B 55 EC 43 3B 5C 37 14 72 E3 EB 2C 8B 45 FC 68 00 40 00 00 FF 77 50 56 FF 50 0C 33 C0 5F 5E 5B 8B E5 5D C3 8B 45 F0 8B 4D F4 0F B7 04 58 8B 04 81 8B 4D 10 03 C6 89 01 33 C0 40 EB E0 55 8B EC 83 EC 24 53 56 57 8D 4D DC E8 25 FC FF FF E8 03 FC FF FF 83 65 FC 00 8B F0 81 C6 4A 15 BA 00 33 DB 8B 7E 0D 8B 46 01 03 FE 85 C0 74 3A 6A 04 68 00 10 00 00 FF 76 05 03 C6 53 89 45 F8 FF 55 E4 8B D8 85 DB 75 04 33 C0 EB 5F FF 76 05 53 FF 76 09 57 FF 55 F8 83 C4 10 83 F8 FF 74 20 3B 46 05 75 1B 8B FB 33 DB 43 80 3E 00 8D 45 FC 50 8B D7 8D 4D DC 8D 46 11 75 13 6A 00 50 EB 11 68 00 40 00 00 FF 76 05 53 FF 55 E8 EB BB 50 6A 00 E8 9E FC FF FF 83 C4 0C 85 DB 74 0C 68 00 40 00 00 FF 76 05 57 FF 55 E8 8B 45 FC 5F 5E 5B 8B E5 5D C3 00 00 00 00 00 00 04 05 00 00 04 05 00 75 00 00 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Signature Hits	Behavior Group	Mitre Attack
Stores large binary data to the registry	Hooking and other Techniques for Hiding and Protection	Modify Registry

HKEY_LOCAL_MACHINE\SOFTWARE

IpDates_info

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE
Value name:	IpDates_info
Value data:	00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 31 00 35 00 36 00 2E 00 32 00 35 00 35 00 2E 00 30 00 2E 00 31 00 39 00 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 31 00 33 00 38 00 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 31 00 35 00 36 00 2E 00 32 00 35 00 35 00 2E 00 30 00 2E 00 31 00 39 00 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 31 00 33 00 38 00 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 31 00 35 00 36 00 2E 00 32 00 35 00 35 00 2E 00 30 00 2E 00 31 00 39 00 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Signature Hits	Behavior Group	Mitre Attack
Creates COM task schedule object (often to register a task for autostart)	Spreading	Scheduled Task/Job
Uses an in-process (OLE) Automation server	System Summary

Memdumps

Base Address

Regiontype

Protect

Malicious

AFC000

stack

page read and write

2DB3000

heap

page read and write

166F000

stack

page read and write

2DB0000

heap

page read and write

ECA000

unkown

page readonly

C60000

heap

page read and write

F10000

unkown

page write copy

361E000

stack

page read and write

F21000

unkown

page readonly

F18000

unkown

page read and write

70A000

unkown

page readonly

1093000

unkown

page readonly

30C0000

heap

page read and write

152E000

stack

page read and write

1090000

unkown

page readonly

136E000

stack

page read and write

ECA000

unkown

page readonly

145C000

heap

page read and write

C27000

heap

page read and write

2B50000

direct allocation

page read and write

12F0000

heap

page read and write

2DFE000

stack

page read and write

337B000

stack

page read and write

4376000

heap

page read and write

317F000

stack

page read and write

145F000

heap

page read and write

1237000

heap

page read and write

2B70000

direct allocation

page read and write

C10000

heap

page read and write

C6E000

stack

page read and write

C20000

heap

page read and write

30C3000

heap

page read and write

142E000

stack

page read and write

1427000

heap

page read and write

133B000

heap

page read and write

1295000

heap

page read and write

43C9000

heap

page read and write

2D90000

direct allocation

page read and write

3710000

heap

page read and write

117E000

heap

page read and write

1130000

heap

page read and write

43F1000

heap

page read and write

32E0000

direct allocation

page execute and read and write

147D000

heap

page read and write

ECA000

unkown

page readonly

ECA000

unkown

page readonly

347E000

stack

page read and write

4360000

trusted library allocation

page read and write

1338000

heap

page read and write

4360000

trusted library allocation

page read and write

761000

unkown

page readonly

4360000

trusted library allocation

page read and write

DA1000

unkown

page execute read

3920000

trusted library allocation

page read and write

8D0000

unkown

page readonly

2C40000

heap

page read and write

2B8A000

heap

page read and write

381D000

stack

page read and write

12D0000

heap

page read and write

2E00000

direct allocation

page read and write

1090000

unkown

page readonly

2E00000

direct allocation

page read and write

43CC000

heap

page read and write

DA1000

unkown

page execute read

1260000

heap

page read and write

1170000

heap

page read and write

1140000

heap

page read and write

11D0000

heap

page read and write

391E000

stack

page read and write

2C8D000

stack

page read and write

2E74000

heap

page read and write

34D2000

direct allocation

page execute and read and write

139F000

stack

page read and write

1330000

heap

page read and write

117A000

heap

page read and write

11FE000

stack

page read and write

5E0000

unkown

page readonly

11BF000

stack

page read and write

5E1000

unkown

page execute read

DA0000

unkown

page readonly

F21000

unkown

page readonly

2B86000

heap

page read and write

36DB000

stack

page read and write

1120000

heap

page read and write

1093000

unkown

page readonly

2B50000

direct allocation

page read and write

2C10000

direct allocation

page read and write

3180000

heap

page read and write

F10000

unkown

page write copy

1337000

heap

page read and write

2C10000

direct allocation

page read and write

F21000

unkown

page readonly

DA0000

unkown

page readonly

11D9000

heap

page read and write

5E0000

unkown

page readonly

8FB000

stack

page read and write

750000

unkown

page read and write

761000

unkown

page readonly

4365000

heap

page read and write

8D0000

unkown

page readonly

2E70000

heap

page read and write

2B4D000

stack

page read and write

2EB0000

heap

page read and write

11B7000

heap

page read and write

1230000

heap

page read and write

1160000

direct allocation

page read and write

8D3000

unkown

page readonly

1090000

unkown

page readonly

3480000

direct allocation

page execute and read and write

1093000

unkown

page readonly

4360000

trusted library allocation

page read and write

1455000

heap

page read and write

DA0000

unkown

page readonly

2E77000

heap

page read and write

750000

unkown

page write copy

1270000

heap

page read and write

421C000

stack

page read and write

DA1000

unkown

page execute read

7CB000

stack

page read and write

12FE000

heap

page read and write

2EA0000

heap

page read and write

156D000

stack

page read and write

1160000

heap

page read and write

10FE000

stack

page read and write

11B0000

heap

page read and write

425C000

stack

page read and write

44F0000

trusted library allocation

page read and write

365B000

stack

page read and write

DA1000

unkown

page execute read

351E000

stack

page read and write

117C000

stack

page read and write

2C90000

heap

page read and write

435D000

stack

page read and write

1420000

heap

page read and write

F10000

unkown

page read and write

2EB0000

heap

page read and write

2E50000

heap

page read and write

307D000

stack

page read and write

3280000

direct allocation

page read and write

2F7D000

stack

page read and write

C25000

heap

page read and write

2E60000

heap

page read and write

758000

unkown

page read and write

2EA4000

heap

page read and write

D6E000

stack

page read and write

F18000

unkown

page read and write

2EA7000

heap

page read and write

2B80000

heap

page read and write

1090000

unkown

page readonly

1461000

heap

page read and write

2D70000

heap

page read and write

F1E000

unkown

page read and write

B30000

heap

page read and write

DA0000

unkown

page readonly

D7E000

stack

page read and write

9FC000

stack

page read and write

2DD0000

heap

page read and write

F10000

unkown

page read and write

70A000

unkown

page readonly

1290000

heap

page read and write

43F0000

heap

page read and write

4360000

trusted library allocation

page read and write

11F0000

heap

page read and write

F21000

unkown

page readonly

5E1000

unkown

page execute read

D80000

heap

page read and write

12F9000

heap

page read and write

1250000

heap

page read and write

107B000

stack

page read and write

1160000

direct allocation

page read and write

2E70000

heap

page read and write

8D3000

unkown

page readonly

31C0000

heap

page read and write

369D000

stack

page read and write

2D73000

heap

page read and write

1093000

unkown

page readonly

There are 166 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Wt3pGldAnr.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportWt3pGldAnr.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
Wt3pGldAnr.exe