Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

pdhmXuEYmc.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.083790498934454
Filename:	pdhmXuEYmc.exe
Filesize:	311296
MD5:	085f06b14ffef066d5a8acc5995e82f0
SHA1:	42afb72c4f5d73b7af151d90e59de9cc235e87b5
SHA256:	92afa7a9c3f0dceaaba64f46bee7623f43c94fa04dc56c8704f9f82f2054e453
SHA512:	dafee8b090d3c6449ab0b41dabbb9d5c421f2e0e5f72ea6d7eba5ade2f69124c1f6c204dbb40e022db9b5071e2fd84cafaefef5d15261975d1a6dce53af49def
SSDEEP:	3072:gq6EgY6i2rUjeLTeHwP+ChTQ4E1WPSmbTAwtASiSkcZqf7D34FeqiOLibBO9:jqY6i4MwPXT5EIS6TAsAskcZqf7DIPL
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0................0.................. ... ....@.. ....................... ............@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation Virtualization/Sandbox Evasion Security Software Discovery
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping
Tries to steal Crypto Currency Wallets	Stealing of Sensitive Information	Data from Local System
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops certificate files (DER)	E-Banking Fraud
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\Public\Desktop\Google Chrome.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:34 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide

dropped

Details

File:	C:\Users\Public\Desktop\Google Chrome.lnk
Category:	dropped
Dump:	Google Chrome.lnk.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\pdhmXuEYmc.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:34 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Entropy:	3.4578669622154754
Encrypted:	false
Ssdeep:	48:8SzdGTi+7RYrnvPdAKRkdAGdAKRFdAKR/U:8Ss4
Size:	2104
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pdhmXuEYmc.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pdhmXuEYmc.exe.log
Category:	dropped
Dump:	pdhmXuEYmc.exe.log.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\pdhmXuEYmc.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.3318368586986695
Encrypted:	false
Ssdeep:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
Size:	3274
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Temp\TmpAA73.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\TmpAA73.tmp
Category:	dropped
Dump:	TmpAA73.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\pdhmXuEYmc.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\TmpAA84.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\TmpAA84.tmp
Category:	dropped
Dump:	TmpAA84.tmp.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\pdhmXuEYmc.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
Category:	dropped
Dump:	76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\pdhmXuEYmc.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	2251
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\pdhmXuEYmc.exe

"C:\Users\user\Desktop\pdhmXuEYmc.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7432
Target ID:	0
Parent PID:	2580
Name:	pdhmXuEYmc.exe
Path:	C:\Users\user\Desktop\pdhmXuEYmc.exe
Commandline:	"C:\Users\user\Desktop\pdhmXuEYmc.exe"
Size:	311296
MD5:	085F06B14FFEF066D5A8ACC5995E82F0
Time:	09:58:01
Date:	23/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x840000
Modulesize:	335872
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/sct

unknown

https://duckduckgo.com/chrome_newtab

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk

unknown

https://duckduckgo.com/ac/?q=

unknown

http://tempuri.org/Entity/Id14ResponseD

unknown

http://tempuri.org/Entity/Id23ResponseD

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

unknown

http://tempuri.org/Entity/Id12Response

unknown

http://tempuri.org/

unknown

http://tempuri.org/Entity/Id2Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1

unknown

http://tempuri.org/Entity/Id21Response

unknown

http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap

unknown

http://tempuri.org/Entity/Id9

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID

unknown

http://tempuri.org/Entity/Id8

unknown

http://tempuri.org/Entity/Id6ResponseD

unknown

http://tempuri.org/Entity/Id5

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare

unknown

http://tempuri.org/Entity/Id4

unknown

http://tempuri.org/Entity/Id7

unknown

http://tempuri.org/Entity/Id6

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret

unknown

http://tempuri.org/Entity/Id19Response

unknown

http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

http://tempuri.org/Entity/Id13ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/fault

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey

unknown

http://tempuri.org/Entity/Id15Response

unknown

http://tempuri.org/Entity/Id5ResponseD

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register

unknown

http://tempuri.org/Entity/Id6Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey

unknown

https://api.ip.sb/ip

unknown

http://schemas.xmlsoap.org/ws/2004/04/sc

unknown

http://tempuri.org/Entity/Id1ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel

unknown

http://tempuri.org/Entity/Id9Response

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://tempuri.org/Entity/Id20

unknown

http://tempuri.org/Entity/Id21

unknown

http://tempuri.org/Entity/Id22

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1

unknown

http://tempuri.org/Entity/Id23

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1

unknown

http://tempuri.org/Entity/Id24

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue

unknown

http://tempuri.org/Entity/Id24Response

unknown

https://www.ecosia.org/newtab/

unknown

http://tempuri.org/Entity/Id1Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey

unknown

http://tempuri.org/Entity/Id21ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust

unknown

http://tempuri.org/Entity/Id10

unknown

http://tempuri.org/Entity/Id11

unknown

http://tempuri.org/Entity/Id10ResponseD

unknown

http://tempuri.org/Entity/Id12

unknown

http://tempuri.org/Entity/Id16Response

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel

unknown

http://tempuri.org/Entity/Id13

unknown

http://tempuri.org/Entity/Id14

unknown

http://tempuri.org/Entity/Id15

unknown

http://tempuri.org/Entity/Id16

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce

unknown

http://tempuri.org/Entity/Id17

unknown

http://tempuri.org/Entity/Id18

unknown

http://tempuri.org/Entity/Id5Response

unknown

http://tempuri.org/Entity/Id19

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns

unknown

http://tempuri.org/Entity/Id15ResponseD

unknown

http://tempuri.org/Entity/Id10Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Renew

unknown

http://tempuri.org/Entity/Id11ResponseD

unknown

http://tempuri.org/Entity/Id8Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT

unknown

http://schemas.xmlsoap.org/ws/2006/02/addressingidentity

unknown

http://tempuri.org/Entity/Id17ResponseD

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

There are 90 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

91.92.241.122

unknown

Bulgaria

Details

IP:	91.92.241.122
TargetID:	0
Current Path:	C:\Users\user\Desktop\pdhmXuEYmc.exe
Country:	Bulgaria
Countrycode:	BGR
ASN number:	34368
ASN name:	THEZONEBG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064

Blob

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064
Value name:	Blob
Value data:	0B 00 00 00 01 00 00 00 48 00 00 00 54 00 69 00 74 00 61 00 6E 00 69 00 75 00 6D 00 20 00 52 00 6F 00 6F 00 74 00 20 00 43 00 65 00 72 00 74 00 69 00 66 00 69 00 63 00 61 00 74 00 65 00 20 00 41 00 75 00 74 00 68 00 6F 00 72 00 69 00 74 00 79 00 00 00 02 00 00 00 01 00 00 00 CC 00 00 00 1C 00 00 00 6C 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 7B 00 34 00 31 00 37 00 34 00 34 00 42 00 45 00 34 00 2D 00 31 00 31 00 43 00 35 00 2D 00 34 00 39 00 34 00 43 00 2D 00 41 00 32 00 31 00 33 00 2D 00 42 00 41 00 30 00 43 00 45 00 39 00 34 00 34 00 39 00 33 00 38 00 45 00 7D 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 45 00 6E 00 68 00 61 00 6E 00 63 00 65 00 64 00 20 00 43 00 72 00 79 00 70 00 74 00 6F 00 67 00 72 00 61 00 70 00 68 00 69 00 63 00 20 00 50 00 72 00 6F 00 76 00 69 00 64 00 65 00 72 00 20 00 76 00 31 00 2E 00 30 00 00 00 00 00 03 00 00 00 01 00 00 00 14 00 00 00 F1 A5 78 C4 CB 5D E7 9A 37 08 93 98 3F D4 DA 8B 67 B2 B0 64 20 00 00 00 01 00 00 00 0A 03 00 00 30 82 03 06 30 82 01 EE A0 03 02 01 02 02 08 67 F7 BE B9 6A 4C 27 98 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 1E 17 0D 32 33 30 33 31 34 31 30 33 35 32 30 5A 17 0D 32 36 30 36 31 37 31 30 33 35 32 30 5A 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 86 E4 57 7A 58 61 CE 81 91 77 D0 05 FA 51 D5 51 5A 93 6C 61 0C CF CB DE 53 32 CD 15 1D A6 47 EE 88 1A 24 5C 9B 02 83 3B 02 AF 3D 76 FE 20 BD 3B FA F7 A2 09 73 E7 2E BD 94 40 D0 9D 8C 3D 27 13 BD F0 D0 9F EB 95 32 AC D7 A4 2D A2 A9 52 DA A8 6A 2A 88 EE 42 7D 30 95 9D 90 BF BA 05 27 6A A0 29 98 A6 98 6F C0 13 06 62 9B 79 B8 40 5D 1F 1F A6 D9 A4 2F 82 7A FC 75 66 34 0D C2 DE 27 01 2B 94 BB 4A 27 B3 CB 1C 21 9A 3C B2 C1 42 03 F3 44 51 BD 62 65 20 ED D4 DB CC 41 4F 59 3F 2A CB C4 84 79 F7 14 3C BE 13 9C FD 12 9C 91 3E 53 03 DC 20 F9 4C 44 35 89 01 B6 9A 84 8D 7E A0 2E 30 8A 31 15 60 AC 00 AE 00 9A 29 10 9A EE D9 71 3D D8 91 9B 97 ED 59 80 58 E1 7F 07 26 C7 A0 20 F7 10 AB C0 62 91 DF AA F1 81 C6 BE 6A 76 C8 9C B6 8E B0 B0 EC 1C D9 5F 32 6C 7E 55 58 8B FD 76 C5 19 02 03 01 00 01 A3 28 30 26 30 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 03 82 01 01 00 70 85 12 93 D7 57 E9 82 79 7D C5 F7 F2 7D A8 94 EF 0C DB 32 9F 06 A6 09 6E 0C F6 04 B0 E5 47 11 56 0E F4 0F 52 82 08 2E 21 0F 55 A3 DB 41 F3 12 54 8B 76 11 F5 F0 DA CE A3 C7 8B 13 F6 FC 24 3C 02 B1 06 66 5B E6 9E 18 40 88 41 5B 27 39 99 B8 77 BE E3 53 A2 48 CE C7 EE B5 A0 95 C2 17 4B C9 52 6C AF E3 37 2C 59 DB FB E7 58 13 4E D3 51 E5 14 72 73 FE C6 85 77 AE 45 52 A6 F9 9A C8 0C A8 D0 EE 42 2A F5 28 85 8C 6B E8 1C B0 A8 03 1A B0 AE 83 C0 EB 55 64 F4 E8 7A 5C 06 29 5D 39 03 EE E2 FD F9 2D 62 A7 F4 D4 05 4D EA A7 9B CA EB DA 4E 8B 1A 6E FD 42 AE F9 D0 1C 70 75 72 8C B1 3A A8 55 7C 85 A7 25 32 B5 E2 D6 C3 E5 50 41 C9 86 7C A8 F5 62 BB D2 AB 0C 37 10 D8 31 73 EC 37 81 D1 DC AA C5 C6 E0 7E E7 26 62 4D FD C5 81 4C FF D3 36 E1 79 32 F8 9B EB 9C F7 FD BE E9 BE BF 61

Signature Hits	Behavior Group	Mitre Attack
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFiles0000

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFilesHash

Memdumps

Base Address

Regiontype

Protect

Malicious

2D78000

trusted library allocation

page read and write

842000

unkown

page readonly

4004000

trusted library allocation

page read and write

6BE0000

trusted library allocation

page read and write

3CD1000

trusted library allocation

page read and write

2DBA000

trusted library allocation

page read and write

5061000

trusted library allocation

page read and write

3D13000

trusted library allocation

page read and write

3EC2000

trusted library allocation

page read and write

7087000

trusted library allocation

page read and write

3F9A000

trusted library allocation

page read and write

50DE000

trusted library allocation

page read and write

4043000

trusted library allocation

page read and write

62CE000

stack

page read and write

F85000

trusted library allocation

page execute and read and write

11EA000

heap

page read and write

418B000

trusted library allocation

page read and write

89F0000

trusted library allocation

page read and write

531E000

stack

page read and write

3F39000

trusted library allocation

page read and write

F60000

trusted library allocation

page read and write

3F9D000

trusted library allocation

page read and write

40D0000

trusted library allocation

page read and write

3F28000

trusted library allocation

page read and write

E65000

heap

page read and write

997E000

stack

page read and write

F76000

trusted library allocation

page execute and read and write

9574000

heap

page read and write

703B000

trusted library allocation

page read and write

877000

unkown

page readonly

63F8000

heap

page read and write

40E0000

trusted library allocation

page read and write

89E0000

trusted library allocation

page read and write

30FA000

trusted library allocation

page read and write

30D9000

trusted library allocation

page read and write

3E9E000

trusted library allocation

page read and write

7089000

trusted library allocation

page read and write

3F7C000

trusted library allocation

page read and write

2F37000

trusted library allocation

page read and write

64D2000

heap

page read and write

40B2000

trusted library allocation

page read and write

576E000

stack

page read and write

2F61000

trusted library allocation

page read and write

8C10000

trusted library allocation

page read and write

3FEB000

trusted library allocation

page read and write

3F81000

trusted library allocation

page read and write

2E06000

trusted library allocation

page read and write

E1D000

trusted library allocation

page execute and read and write

4086000

trusted library allocation

page read and write

E20000

heap

page read and write

3F1B000

trusted library allocation

page read and write

2FDB000

trusted library allocation

page read and write

9E1E000

stack

page read and write

40BA000

trusted library allocation

page read and write

662E000

stack

page read and write

F7A000

trusted library allocation

page execute and read and write

415A000

trusted library allocation

page read and write

9460000

heap

page read and write

2F20000

trusted library allocation

page read and write

6B70000

trusted library allocation

page read and write

3F75000

trusted library allocation

page read and write

2FCC000

trusted library allocation

page read and write

504B000

trusted library allocation

page read and write

702B000

stack

page read and write

5090000

trusted library allocation

page read and write

3EFD000

trusted library allocation

page read and write

705E000

trusted library allocation

page read and write

618E000

stack

page read and write

559C000

heap

page read and write

64BC000

heap

page read and write

94E0000

heap

page read and write

328D000

trusted library allocation

page read and write

6FD0000

trusted library allocation

page execute and read and write

3E91000

trusted library allocation

page read and write

94B5000

heap

page read and write

6B90000

trusted library allocation

page execute and read and write

11E6000

heap

page read and write

99BE000

stack

page read and write

6BD0000

trusted library allocation

page read and write

94F0000

heap

page read and write

7140000

trusted library allocation

page read and write

E2E000

heap

page read and write

E00000

trusted library allocation

page read and write

A680000

heap

page read and write

98EE000

stack

page read and write

64A9000

heap

page read and write

8A00000

trusted library allocation

page read and write

410E000

trusted library allocation

page read and write

686A000

stack

page read and write

4120000

trusted library allocation

page read and write

3EB4000

trusted library allocation

page read and write

3F2D000

trusted library allocation

page read and write

608F000

stack

page read and write

2E1F000

trusted library allocation

page read and write

7041000

trusted library allocation

page read and write

988D000

trusted library allocation

page read and write

2F12000

trusted library allocation

page read and write

5120000

trusted library allocation

page read and write

5044000

trusted library allocation

page read and write

840000

unkown

page readonly

556F000

stack

page read and write

CF7000

stack

page read and write

6FC0000

trusted library allocation

page execute and read and write

872000

unkown

page readonly

2E17000

trusted library allocation

page read and write

4030000

trusted library allocation

page read and write

69EC000

stack

page read and write

4089000

trusted library allocation

page read and write

30E5000

trusted library allocation

page read and write

3030000

trusted library allocation

page read and write

413C000

trusted library allocation

page read and write

2FBE000

trusted library allocation

page read and write

992E000

stack

page read and write

307F000

trusted library allocation

page read and write

2F34000

trusted library allocation

page read and write

9870000

heap

page read and write

E47000

heap

page read and write

5066000

trusted library allocation

page read and write

305A000

trusted library allocation

page read and write

3D00000

trusted library allocation

page read and write

10FE000

stack

page read and write

2FC9000

trusted library allocation

page read and write

8A78000

trusted library allocation

page read and write

3CF9000

trusted library allocation

page read and write

3E9B000

trusted library allocation

page read and write

308D000

trusted library allocation

page read and write

3CDF000

trusted library allocation

page read and write

64B6000

heap

page read and write

3F88000

trusted library allocation

page read and write

3E71000

trusted library allocation

page read and write

4012000

trusted library allocation

page read and write

3074000

trusted library allocation

page read and write

9512000

heap

page read and write

2FD6000

trusted library allocation

page read and write

2F7A000

trusted library allocation

page read and write

67A0000

trusted library allocation

page read and write

31C3000

trusted library allocation

page read and write

3095000

trusted library allocation

page read and write

6F8D000

stack

page read and write

2E7F000

trusted library allocation

page read and write

F5E000

stack

page read and write

6B30000

trusted library allocation

page read and write

6BB0000

trusted library allocation

page execute and read and write

9481000

heap

page read and write

9A3D000

stack

page read and write

9525000

heap

page read and write

3F6A000

trusted library allocation

page read and write

3FBE000

trusted library allocation

page read and write

32C9000

trusted library allocation

page read and write

3F08000

trusted library allocation

page read and write

3CF2000

trusted library allocation

page read and write

9508000

heap

page read and write

2B8F000

stack

page read and write

696C000

stack

page read and write

8A8F000

trusted library allocation

page read and write

3EE0000

trusted library allocation

page read and write

3E69000

trusted library allocation

page read and write

8A20000

trusted library allocation

page read and write

9A0000

heap

page read and write

6B2E000

stack

page read and write

6BA0000

trusted library allocation

page execute and read and write

9880000

trusted library allocation

page read and write

50A5000

trusted library allocation

page read and write

61CE000

stack

page read and write

8A30000

trusted library allocation

page read and write

32D4000

trusted library allocation

page read and write

4167000

trusted library allocation

page read and write

E10000

trusted library allocation

page read and write

4094000

trusted library allocation

page read and write

6BC0000

trusted library allocation

page read and write

7030000

trusted library allocation

page read and write

40C5000

trusted library allocation

page read and write

F8B000

trusted library allocation

page execute and read and write

3FC9000

trusted library allocation

page read and write

4024000

trusted library allocation

page read and write

2CAC000

stack

page read and write

5110000

heap

page read and write

30F2000

trusted library allocation

page read and write

2F1A000

trusted library allocation

page read and write

2FFC000

trusted library allocation

page read and write

6B50000

trusted library allocation

page execute and read and write

6BF0000

trusted library allocation

page execute and read and write

3FE1000

trusted library allocation

page read and write

6320000

heap

page read and write

40CB000

trusted library allocation

page read and write

6D0C000

stack

page read and write

11DB000

stack

page read and write

2F2B000

trusted library allocation

page read and write

505E000

trusted library allocation

page read and write

2EA2000

trusted library allocation

page read and write

9490000

heap

page read and write

3069000

trusted library allocation

page read and write

94CC000

heap

page read and write

DE0000

heap

page read and write

52BE000

stack

page read and write

30CE000

trusted library allocation

page read and write

3248000

trusted library allocation

page read and write

F13000

heap

page read and write

40BF000

trusted library allocation

page read and write

4147000

trusted library allocation

page read and write

64ED000

heap

page read and write

3E66000

trusted library allocation

page read and write

3EEF000

trusted library allocation

page read and write

3F21000

trusted library allocation

page read and write

3EF2000

trusted library allocation

page read and write

3EA9000

trusted library allocation

page read and write

4106000

trusted library allocation

page read and write

6410000

heap

page read and write

2FE6000

trusted library allocation

page read and write

40DD000

trusted library allocation

page read and write

3253000

trusted library allocation

page read and write

2E2B000

trusted library allocation

page read and write

E3F000

heap

page read and write

94D7000

heap

page read and write

94C2000

heap

page read and write

9473000

heap

page read and write

6A2E000

stack

page read and write

92A000

stack

page read and write

2E11000

trusted library allocation

page read and write

947D000

heap

page read and write

32E2000

trusted library allocation

page read and write

7085000

trusted library allocation

page read and write

3D05000

trusted library allocation

page read and write

89EE000

trusted library allocation

page read and write

6B80000

trusted library allocation

page read and write

3F34000

trusted library allocation

page read and write

679E000

stack

page read and write

985E000

stack

page read and write

401D000

trusted library allocation

page read and write

3D0F000

trusted library allocation

page read and write

9538000

heap

page read and write

2EFC000

trusted library allocation

page read and write

4017000

trusted library allocation

page read and write

950C000

heap

page read and write

32F3000

trusted library allocation

page read and write

3EA1000

trusted library allocation

page read and write

6E4C000

stack

page read and write

4174000

trusted library allocation

page read and write

9A40000

trusted library allocation

page read and write

7120000

trusted library allocation

page read and write

F87000

trusted library allocation

page execute and read and write

315F000

trusted library allocation

page read and write

4113000

trusted library allocation

page read and write

7075000

trusted library allocation

page read and write

410C000

trusted library allocation

page read and write

5593000

heap

page read and write

2F10000

trusted library allocation

page read and write

509E000

trusted library allocation

page read and write

7F720000

trusted library allocation

page execute and read and write

94BE000

heap

page read and write

4131000

trusted library allocation

page read and write

11E0000

heap

page read and write

31B1000

trusted library allocation

page read and write

50B0000

trusted library allocation

page read and write

6340000

trusted library allocation

page execute and read and write

3F51000

trusted library allocation

page read and write

9554000

heap

page read and write

5581000

heap

page read and write

FA0000

trusted library allocation

page read and write

6330000

trusted library allocation

page execute and read and write

3FC3000

trusted library allocation

page read and write

6F90000

trusted library allocation

page read and write

7080000

trusted library allocation

page read and write

407C000

trusted library allocation

page read and write

3FDC000

trusted library allocation

page read and write

8A85000

trusted library allocation

page read and write

F82000

trusted library allocation

page read and write

31A3000

trusted library allocation

page read and write

5040000

trusted library allocation

page read and write

3F16000

trusted library allocation

page read and write

7046000

trusted library allocation

page read and write

6F96000

trusted library allocation

page read and write

3FEE000

trusted library allocation

page read and write

946A000

heap

page read and write

51E3000

heap

page read and write

3198000

trusted library allocation

page read and write

305C000

trusted library allocation

page read and write

5010000

heap

page read and write

3FF1000

trusted library allocation

page read and write

306C000

trusted library allocation

page read and write

3FD0000

trusted library allocation

page read and write

2B90000

trusted library allocation

page execute and read and write

2CD1000

trusted library allocation

page read and write

3F6F000

trusted library allocation

page read and write

9EE000

stack

page read and write

301A000

trusted library allocation

page read and write

652D000

stack

page read and write

3F46000

trusted library allocation

page read and write

6C00000

trusted library allocation

page read and write

6990000

trusted library allocation

page execute and read and write

E14000

trusted library allocation

page read and write

F0D000

heap

page read and write

8A04000

trusted library allocation

page read and write

2BA0000

heap

page read and write

40F3000

trusted library allocation

page read and write

3EC7000

trusted library allocation

page read and write

951F000

heap

page read and write

3066000

trusted library allocation

page read and write

3FF9000

trusted library allocation

page read and write

712A000

trusted library allocation

page read and write

FEE000

stack

page read and write

8A8A000

trusted library allocation

page read and write

2A8E000

stack

page read and write

6E8E000

stack

page read and write

312D000

trusted library allocation

page read and write

8A7A000

trusted library allocation

page read and write

8A69000

trusted library allocation

page read and write

5072000

trusted library allocation

page read and write

323A000

trusted library allocation

page read and write

2EF8000

trusted library allocation

page read and write

89E5000

trusted library allocation

page read and write

949E000

heap

page read and write

3E8A000

trusted library allocation

page read and write

3EE5000

trusted library allocation

page read and write

8A90000

trusted library allocation

page read and write

886000

unkown

page readonly

3ECD000

trusted library allocation

page read and write

7127000

trusted library allocation

page read and write

5360000

trusted library allocation

page read and write

3FA5000

trusted library allocation

page read and write

4119000

trusted library allocation

page read and write

EF8000

heap

page read and write

50D0000

trusted library allocation

page read and write

5122000

trusted library allocation

page read and write

7070000

trusted library allocation

page read and write

51E0000

heap

page read and write

3F43000

trusted library allocation

page read and write

64D9000

heap

page read and write

506D000

trusted library allocation

page read and write

3ED4000

trusted library allocation

page read and write

F6D000

trusted library allocation

page execute and read and write

9860000

heap

page read and write

990000

heap

page read and write

3F49000

trusted library allocation

page read and write

5340000

trusted library allocation

page read and write

2E6F000

trusted library allocation

page read and write

2F3A000

trusted library allocation

page read and write

31BD000

trusted library allocation

page read and write

9564000

heap

page read and write

2FF4000

trusted library allocation

page read and write

30C0000

trusted library allocation

page read and write

6418000

heap

page read and write

2F64000

trusted library allocation

page read and write

3FD5000

trusted library allocation

page read and write

4162000

trusted library allocation

page read and write

2E40000

trusted library allocation

page read and write

3E63000

trusted library allocation

page read and write

8A60000

trusted library allocation

page read and write

31F5000

trusted library allocation

page read and write

4177000

trusted library allocation

page read and write

EEC000

heap

page read and write

2F3E000

trusted library allocation

page read and write

3F5C000

trusted library allocation

page read and write

322F000

trusted library allocation

page read and write

643D000

heap

page read and write

9D1E000

stack

page read and write

2F94000

trusted library allocation

page read and write

4160000

trusted library allocation

page read and write

3ED9000

trusted library allocation

page read and write

40E8000

trusted library allocation

page read and write

5030000

trusted library allocation

page read and write

3259000

trusted library allocation

page read and write

FF0000

heap

page read and write

3F8D000

trusted library allocation

page read and write

E28000

heap

page read and write

7052000

trusted library allocation

page read and write

11EE000

heap

page read and write

63F0000

heap

page read and write

6D4E000

stack

page read and write

6414000

heap

page read and write

40DA000

trusted library allocation

page read and write

5350000

trusted library allocation

page read and write

2F57000

trusted library allocation

page read and write

2F55000

trusted library allocation

page read and write

2F28000

trusted library allocation

page read and write

89D0000

trusted library allocation

page read and write

6FE0000

trusted library allocation

page read and write

3E7C000

trusted library allocation

page read and write

32ED000

trusted library allocation

page read and write

669E000

stack

page read and write

2F2E000

trusted library allocation

page read and write

52D0000

heap

page read and write

8A65000

trusted library allocation

page read and write

3EF5000

trusted library allocation

page read and write

98A0000

trusted library allocation

page execute and read and write

3D0C000

trusted library allocation

page read and write

30D1000

trusted library allocation

page read and write

F80000

trusted library allocation

page read and write

8A62000

trusted library allocation

page read and write

5080000

trusted library allocation

page read and write

6B60000

trusted library allocation

page read and write

6970000

trusted library allocation

page read and write

2CB0000

trusted library allocation

page read and write

3127000

trusted library allocation

page read and write

5DCE000

stack

page read and write

94A6000

heap

page read and write

94AF000

heap

page read and write

3028000

trusted library allocation

page read and write

40AD000

trusted library allocation

page read and write

409F000

trusted library allocation

page read and write

E13000

trusted library allocation

page execute and read and write

30CB000

trusted library allocation

page read and write

F72000

trusted library allocation

page read and write

8A28000

trusted library allocation

page read and write

5130000

trusted library allocation

page execute and read and write

4155000

trusted library allocation

page read and write

2EF4000

trusted library allocation

page read and write

F70000

trusted library allocation

page read and write

3E59000

trusted library allocation

page read and write

2E14000

trusted library allocation

page read and write

5348000

trusted library allocation

page read and write

1108000

trusted library allocation

page read and write

408C000

trusted library allocation

page read and write

707A000

trusted library allocation

page read and write

4134000

trusted library allocation

page read and write

3D57000

trusted library allocation

page read and write

6B40000

trusted library allocation

page read and write

640C000

heap

page read and write

3F97000

trusted library allocation

page read and write

9660000

heap

page read and write

69A0000

trusted library allocation

page read and write

2F16000

trusted library allocation

page read and write

2F67000

trusted library allocation

page read and write

7078000

trusted library allocation

page read and write

5D8E000

stack

page read and write

412E000

trusted library allocation

page read and write

E61000

heap

page read and write

50A0000

trusted library allocation

page read and write

406B000

trusted library allocation

page read and write

3FB0000

trusted library allocation

page read and write

4029000

trusted library allocation

page read and write

5370000

heap

page execute and read and write

64DD000

heap

page read and write

2F1C000

trusted library allocation

page read and write

40B8000

trusted library allocation

page read and write

2CC0000

heap

page execute and read and write

9465000

heap

page read and write

4124000

trusted library allocation

page read and write

99FE000

stack

page read and write

2E38000

trusted library allocation

page read and write

416D000

trusted library allocation

page read and write

8A7F000

trusted library allocation

page read and write

2F88000

trusted library allocation

page read and write

9517000

heap

page read and write

8A10000

trusted library allocation

page read and write

DE5000

heap

page read and write

4180000

trusted library allocation

page read and write

2F6F000

trusted library allocation

page read and write

89EB000

trusted library allocation

page read and write

FF7000

heap

page read and write

9552000

heap

page read and write

4101000

trusted library allocation

page read and write

9930000

trusted library allocation

page execute and read and write

2FCF000

trusted library allocation

page read and write

There are 444 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
pdhmXuEYmc.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportpdhmXuEYmc.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
pdhmXuEYmc.exe