Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

W8Q1QyZc1j.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.080994357975796
Filename:	W8Q1QyZc1j.exe
Filesize:	311410
MD5:	a07998253a3ca569c961450b7c17b34c
SHA1:	af8dbe956f6177e72352b511133ca8ebc8c416cf
SHA256:	df8c1264b7ae61e5fca5741a1ca4e2800e96f8dc316e2d13d7088ad58aa3229a
SHA512:	ccdd3e183bfb68d691afd1e99adf95b1bfac546ac3ee14d6ce57debbcb0ec66d2f3fc6f26713a9f43a4002078d55e2af9aa417509e7902e7cfc2b590360a0f8f
SSDEEP:	6144:/qY6irwP7YfmrYiJv7TAPAzdcZqf7DI/L:/nwPkiJvGAzdcUzs/
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. ....................... ............@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping
Tries to steal Crypto Currency Wallets	Stealing of Sensitive Information	Security Software Discovery Data from Local System
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops certificate files (DER)	E-Banking Fraud
Enables debug privileges	Anti Debugging
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Monitors certain registry keys / values for changes (often done to protect autostart functionality)	Hooking and other Techniques for Hiding and Protection	Query Registry
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary	Windows Management Instrumentation System Information Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\Public\Desktop\Google Chrome.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:29 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide

dropped

Details

File:	C:\Users\Public\Desktop\Google Chrome.lnk
Category:	dropped
Dump:	Google Chrome.lnk.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\W8Q1QyZc1j.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:29 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Entropy:	3.4576814301215766
Encrypted:	false
Ssdeep:	48:8SAdZTBnGRYrnvPdAKRkdAGdAKRFdAKR/U:8SWZ
Size:	2104
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\W8Q1QyZc1j.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\W8Q1QyZc1j.exe.log
Category:	dropped
Dump:	W8Q1QyZc1j.exe.log.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\W8Q1QyZc1j.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.3318368586986695
Encrypted:	false
Ssdeep:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlq0
Size:	3274
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Temp\Tmp5127.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Tmp5127.tmp
Category:	dropped
Dump:	Tmp5127.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\W8Q1QyZc1j.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\Tmp5138.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Tmp5138.tmp
Category:	dropped
Dump:	Tmp5138.tmp.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\W8Q1QyZc1j.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
Category:	dropped
Dump:	76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\W8Q1QyZc1j.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	2251
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\W8Q1QyZc1j.exe

"C:\Users\user\Desktop\W8Q1QyZc1j.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6756
Target ID:	0
Parent PID:	2580
Name:	W8Q1QyZc1j.exe
Path:	C:\Users\user\Desktop\W8Q1QyZc1j.exe
Commandline:	"C:\Users\user\Desktop\W8Q1QyZc1j.exe"
Size:	311410
MD5:	A07998253A3CA569C961450B7C17B34C
Time:	11:16:17
Date:	24/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	335872
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/sct

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk

unknown

http://tempuri.org/Entity/Id14ResponseD

unknown

http://tempuri.org/Entity/Id23ResponseD

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

unknown

http://tempuri.org/Entity/Id12Response

unknown

http://tempuri.org/

unknown

http://tempuri.org/Entity/Id2Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1

unknown

http://tempuri.org/Entity/Id21Response

unknown

http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap

unknown

http://tempuri.org/Entity/Id9

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID

unknown

http://tempuri.org/Entity/Id8

unknown

http://tempuri.org/Entity/Id6ResponseD

unknown

http://tempuri.org/Entity/Id5

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare

unknown

http://tempuri.org/Entity/Id4

unknown

http://tempuri.org/Entity/Id7

unknown

http://purl.oen

unknown

http://tempuri.org/Entity/Id6

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret

unknown

http://tempuri.org/Entity/Id19Response

unknown

http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

http://tempuri.org/Entity/Id13ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/fault

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey

unknown

http://tempuri.org/Entity/Id15Response

unknown

http://tempuri.org/Entity/Id5ResponseD

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register

unknown

http://tempuri.org/Entity/Id6Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey

unknown

https://api.ip.sb/ip

unknown

http://schemas.xmlsoap.org/ws/2004/04/sc

unknown

http://tempuri.org/Entity/Id1ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel

unknown

http://tempuri.org/Entity/Id9Response

unknown

http://tempuri.org/Entity/Id20

unknown

http://tempuri.org/Entity/Id21

unknown

http://tempuri.org/Entity/Id22

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1

unknown

http://tempuri.org/Entity/Id23

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1

unknown

http://tempuri.org/Entity/Id24

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue

unknown

http://tempuri.org/Entity/Id24Response

unknown

http://tempuri.org/Entity/Id1Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey

unknown

http://tempuri.org/Entity/Id21ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust

unknown

http://tempuri.org/Entity/Id10

unknown

http://tempuri.org/Entity/Id11

unknown

http://tempuri.org/Entity/Id10ResponseD

unknown

http://tempuri.org/Entity/Id12

unknown

http://tempuri.org/Entity/Id16Response

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel

unknown

http://tempuri.org/Entity/Id13

unknown

http://tempuri.org/Entity/Id14

unknown

http://tempuri.org/Entity/Id15

unknown

http://tempuri.org/Entity/Id16

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce

unknown

http://tempuri.org/Entity/Id17

unknown

http://tempuri.org/Entity/Id18

unknown

http://tempuri.org/Entity/Id5Response

unknown

http://tempuri.org/Entity/Id19

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns

unknown

http://tempuri.org/Entity/Id15ResponseD

unknown

http://tempuri.org/Entity/Id10Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Renew

unknown

http://tempuri.org/Entity/Id11ResponseD

unknown

http://tempuri.org/Entity/Id8Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT

unknown

http://schemas.xmlsoap.org/ws/2006/02/addressingidentity

unknown

http://tempuri.org/Entity/Id17ResponseD

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://tempuri.org/Entity/Id8ResponseD

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust

unknown

There are 90 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

103.113.70.99

unknown

India

Details

IP:	103.113.70.99
TargetID:	0
Current Path:	C:\Users\user\Desktop\W8Q1QyZc1j.exe
Country:	India
Countrycode:	IND
ASN number:	133973
ASN name:	NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064

Blob

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064
Value name:	Blob
Value data:	0B 00 00 00 01 00 00 00 48 00 00 00 54 00 69 00 74 00 61 00 6E 00 69 00 75 00 6D 00 20 00 52 00 6F 00 6F 00 74 00 20 00 43 00 65 00 72 00 74 00 69 00 66 00 69 00 63 00 61 00 74 00 65 00 20 00 41 00 75 00 74 00 68 00 6F 00 72 00 69 00 74 00 79 00 00 00 02 00 00 00 01 00 00 00 CC 00 00 00 1C 00 00 00 6C 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 7B 00 34 00 31 00 37 00 34 00 34 00 42 00 45 00 34 00 2D 00 31 00 31 00 43 00 35 00 2D 00 34 00 39 00 34 00 43 00 2D 00 41 00 32 00 31 00 33 00 2D 00 42 00 41 00 30 00 43 00 45 00 39 00 34 00 34 00 39 00 33 00 38 00 45 00 7D 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 45 00 6E 00 68 00 61 00 6E 00 63 00 65 00 64 00 20 00 43 00 72 00 79 00 70 00 74 00 6F 00 67 00 72 00 61 00 70 00 68 00 69 00 63 00 20 00 50 00 72 00 6F 00 76 00 69 00 64 00 65 00 72 00 20 00 76 00 31 00 2E 00 30 00 00 00 00 00 03 00 00 00 01 00 00 00 14 00 00 00 F1 A5 78 C4 CB 5D E7 9A 37 08 93 98 3F D4 DA 8B 67 B2 B0 64 20 00 00 00 01 00 00 00 0A 03 00 00 30 82 03 06 30 82 01 EE A0 03 02 01 02 02 08 67 F7 BE B9 6A 4C 27 98 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 1E 17 0D 32 33 30 33 31 34 31 30 33 35 32 30 5A 17 0D 32 36 30 36 31 37 31 30 33 35 32 30 5A 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 86 E4 57 7A 58 61 CE 81 91 77 D0 05 FA 51 D5 51 5A 93 6C 61 0C CF CB DE 53 32 CD 15 1D A6 47 EE 88 1A 24 5C 9B 02 83 3B 02 AF 3D 76 FE 20 BD 3B FA F7 A2 09 73 E7 2E BD 94 40 D0 9D 8C 3D 27 13 BD F0 D0 9F EB 95 32 AC D7 A4 2D A2 A9 52 DA A8 6A 2A 88 EE 42 7D 30 95 9D 90 BF BA 05 27 6A A0 29 98 A6 98 6F C0 13 06 62 9B 79 B8 40 5D 1F 1F A6 D9 A4 2F 82 7A FC 75 66 34 0D C2 DE 27 01 2B 94 BB 4A 27 B3 CB 1C 21 9A 3C B2 C1 42 03 F3 44 51 BD 62 65 20 ED D4 DB CC 41 4F 59 3F 2A CB C4 84 79 F7 14 3C BE 13 9C FD 12 9C 91 3E 53 03 DC 20 F9 4C 44 35 89 01 B6 9A 84 8D 7E A0 2E 30 8A 31 15 60 AC 00 AE 00 9A 29 10 9A EE D9 71 3D D8 91 9B 97 ED 59 80 58 E1 7F 07 26 C7 A0 20 F7 10 AB C0 62 91 DF AA F1 81 C6 BE 6A 76 C8 9C B6 8E B0 B0 EC 1C D9 5F 32 6C 7E 55 58 8B FD 76 C5 19 02 03 01 00 01 A3 28 30 26 30 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 03 82 01 01 00 70 85 12 93 D7 57 E9 82 79 7D C5 F7 F2 7D A8 94 EF 0C DB 32 9F 06 A6 09 6E 0C F6 04 B0 E5 47 11 56 0E F4 0F 52 82 08 2E 21 0F 55 A3 DB 41 F3 12 54 8B 76 11 F5 F0 DA CE A3 C7 8B 13 F6 FC 24 3C 02 B1 06 66 5B E6 9E 18 40 88 41 5B 27 39 99 B8 77 BE E3 53 A2 48 CE C7 EE B5 A0 95 C2 17 4B C9 52 6C AF E3 37 2C 59 DB FB E7 58 13 4E D3 51 E5 14 72 73 FE C6 85 77 AE 45 52 A6 F9 9A C8 0C A8 D0 EE 42 2A F5 28 85 8C 6B E8 1C B0 A8 03 1A B0 AE 83 C0 EB 55 64 F4 E8 7A 5C 06 29 5D 39 03 EE E2 FD F9 2D 62 A7 F4 D4 05 4D EA A7 9B CA EB DA 4E 8B 1A 6E FD 42 AE F9 D0 1C 70 75 72 8C B1 3A A8 55 7C 85 A7 25 32 B5 E2 D6 C3 E5 50 41 C9 86 7C A8 F5 62 BB D2 AB 0C 37 10 D8 31 73 EC 37 81 D1 DC AA C5 C6 E0 7E E7 26 62 4D FD C5 81 4C FF D3 36 E1 79 32 F8 9B EB 9C F7 FD BE E9 BE BF 61

Signature Hits	Behavior Group	Mitre Attack
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFiles0000

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFilesHash

Memdumps

Base Address

Regiontype

Protect

Malicious

28F8000

trusted library allocation

page read and write

402000

unkown

page readonly

63CE000

trusted library allocation

page read and write

7520000

trusted library allocation

page read and write

400000

unkown

page readonly

860000

heap

page read and write

63AB000

trusted library allocation

page read and write

B72000

trusted library allocation

page read and write

9E0000

heap

page read and write

BA0000

trusted library allocation

page execute and read and write

6480000

trusted library allocation

page read and write

4EC0000

trusted library allocation

page read and write

2A8B000

trusted library allocation

page read and write

7514000

trusted library allocation

page read and write

2A10000

trusted library allocation

page read and write

26B4000

trusted library allocation

page read and write

5E7000

stack

page read and write

635A000

heap

page read and write

64A0000

trusted library allocation

page execute and read and write

3879000

trusted library allocation

page read and write

2740000

heap

page read and write

293D000

trusted library allocation

page read and write

938000

heap

page read and write

723A000

heap

page read and write

2A62000

trusted library allocation

page read and write

2AE7000

trusted library allocation

page read and write

6440000

trusted library allocation

page read and write

92E000

heap

page read and write

71EA000

heap

page read and write

725A000

heap

page read and write

7440000

trusted library allocation

page read and write

2B1E000

trusted library allocation

page read and write

8DFE000

stack

page read and write

2E07000

trusted library allocation

page read and write

BD0000

heap

page read and write

A15000

heap

page read and write

6500000

trusted library allocation

page execute and read and write

B90000

trusted library allocation

page read and write

2715000

trusted library allocation

page read and write

7425000

trusted library allocation

page read and write

7830000

trusted library allocation

page read and write

6650000

trusted library allocation

page read and write

2A52000

trusted library allocation

page read and write

5EE0000

heap

page read and write

625E000

stack

page read and write

6490000

trusted library allocation

page execute and read and write

4CD0000

heap

page read and write

520E000

stack

page read and write

2DE0000

trusted library allocation

page read and write

2BA1000

trusted library allocation

page read and write

63D1000

trusted library allocation

page read and write

63A0000

trusted library allocation

page read and write

4E03000

heap

page read and write

26F0000

trusted library allocation

page read and write

6990000

trusted library allocation

page read and write

7540000

trusted library allocation

page execute and read and write

2700000

trusted library allocation

page read and write

72C2000

heap

page read and write

723F000

heap

page read and write

63FB000

trusted library allocation

page read and write

6355000

heap

page read and write

727C000

heap

page read and write

2AC6000

trusted library allocation

page read and write

26B0000

trusted library allocation

page read and write

7402000

trusted library allocation

page read and write

53A0000

trusted library allocation

page read and write

5C2E000

stack

page read and write

2B51000

trusted library allocation

page read and write

2DE3000

trusted library allocation

page read and write

9FB000

heap

page read and write

B7B000

trusted library allocation

page execute and read and write

6307000

heap

page read and write

66DC000

stack

page read and write

6470000

trusted library allocation

page read and write

63C2000

trusted library allocation

page read and write

635E000

heap

page read and write

B43000

trusted library allocation

page execute and read and write

388C000

trusted library allocation

page read and write

50F8000

heap

page read and write

AF0000

heap

page read and write

2B2E000

trusted library allocation

page read and write

71E0000

heap

page read and write

7235000

heap

page read and write

71FC000

heap

page read and write

697C000

trusted library allocation

page read and write

B5D000

trusted library allocation

page execute and read and write

B4D000

trusted library allocation

page execute and read and write

B60000

trusted library allocation

page read and write

2AB5000

trusted library allocation

page read and write

7450000

trusted library allocation

page read and write

3872000

trusted library allocation

page read and write

2710000

trusted library allocation

page read and write

632B000

heap

page read and write

B10000

heap

page read and write

963000

heap

page read and write

2DFA000

trusted library allocation

page read and write

2ACE000

trusted library allocation

page read and write

64F0000

trusted library allocation

page execute and read and write

3C2F000

trusted library allocation

page read and write

B75000

trusted library allocation

page execute and read and write

69A0000

trusted library allocation

page execute and read and write

50E1000

heap

page read and write

25C0000

trusted library allocation

page read and write

67DC000

stack

page read and write

5D6E000

stack

page read and write

3885000

trusted library allocation

page read and write

50F3000

heap

page read and write

93F000

heap

page read and write

4CE2000

trusted library allocation

page read and write

70E0000

heap

page read and write

691C000

stack

page read and write

6360000

trusted library allocation

page read and write

722C000

heap

page read and write

DDE000

stack

page read and write

538E000

stack

page read and write

2A08000

trusted library allocation

page read and write

63FE000

trusted library allocation

page read and write

75AC000

stack

page read and write

530E000

stack

page read and write

3851000

trusted library allocation

page read and write

2A5C000

trusted library allocation

page read and write

2B99000

trusted library allocation

page read and write

B50000

trusted library allocation

page read and write

6670000

trusted library allocation

page execute and read and write

7214000

heap

page read and write

7430000

trusted library allocation

page read and write

928000

heap

page read and write

6335000

heap

page read and write

50CE000

stack

page read and write

9DD000

heap

page read and write

7206000

heap

page read and write

2A5F000

trusted library allocation

page read and write

6630000

trusted library allocation

page read and write

B30000

trusted library allocation

page read and write

494C000

stack

page read and write

B66000

trusted library allocation

page execute and read and write

4ED0000

heap

page execute and read and write

6620000

trusted library allocation

page read and write

B44000

trusted library allocation

page read and write

5F00000

trusted library allocation

page execute and read and write

270E000

trusted library allocation

page read and write

2660000

heap

page execute and read and write

6368000

trusted library allocation

page read and write

681E000

stack

page read and write

6992000

trusted library allocation

page read and write

7313000

heap

page read and write

7434000

trusted library allocation

page read and write

7530000

trusted library allocation

page read and write

385F000

trusted library allocation

page read and write

26D1000

trusted library allocation

page read and write

60EE000

stack

page read and write

437000

unkown

page readonly

742A000

trusted library allocation

page read and write

BB0000

trusted library allocation

page read and write

697A000

trusted library allocation

page read and write

70DD000

stack

page read and write

3880000

trusted library allocation

page read and write

6379000

trusted library allocation

page read and write

2A83000

trusted library allocation

page read and write

630D000

heap

page read and write

7FC50000

trusted library allocation

page execute and read and write

75B0000

trusted library allocation

page read and write

63F5000

trusted library allocation

page read and write

6377000

trusted library allocation

page read and write

4C90000

trusted library allocation

page read and write

6260000

heap

page read and write

7289000

heap

page read and write

947000

heap

page read and write

2AEF000

trusted library allocation

page read and write

2A6A000

trusted library allocation

page read and write

6400000

trusted library allocation

page read and write

BC0000

trusted library allocation

page read and write

CDF000

stack

page read and write

26CE000

trusted library allocation

page read and write

4E00000

heap

page read and write

2DEE000

trusted library allocation

page read and write

695E000

stack

page read and write

7510000

trusted library allocation

page read and write

5EF0000

trusted library allocation

page execute and read and write

534E000

stack

page read and write

870000

heap

page read and write

63B6000

trusted library allocation

page read and write

26DD000

trusted library allocation

page read and write

2ADA000

trusted library allocation

page read and write

62BB000

heap

page read and write

2A13000

trusted library allocation

page read and write

850000

heap

page read and write

7409000

trusted library allocation

page read and write

82FD000

stack

page read and write

7244000

heap

page read and write

26E2000

trusted library allocation

page read and write

5390000

trusted library allocation

page read and write

A19000

heap

page read and write

4EBE000

stack

page read and write

7550000

trusted library allocation

page execute and read and write

7273000

heap

page read and write

B16000

heap

page read and write

B1E000

heap

page read and write

446000

unkown

page readonly

2BB8000

trusted library allocation

page read and write

B19000

heap

page read and write

B6A000

trusted library allocation

page execute and read and write

728F000

heap

page read and write

782E000

stack

page read and write

7418000

trusted library allocation

page read and write

26AC000

stack

page read and write

B77000

trusted library allocation

page execute and read and write

63B1000

trusted library allocation

page read and write

741F000

trusted library allocation

page read and write

6365000

trusted library allocation

page read and write

5FEE000

stack

page read and write

2720000

trusted library allocation

page read and write

2A75000

trusted library allocation

page read and write

2AC0000

trusted library allocation

page read and write

4CE0000

trusted library allocation

page read and write

8BE000

stack

page read and write

71F5000

heap

page read and write

920000

heap

page read and write

634B000

heap

page read and write

7448000

trusted library allocation

page read and write

62A6000

heap

page read and write

7400000

trusted library allocation

page read and write

4C9E000

trusted library allocation

page read and write

3893000

trusted library allocation

page read and write

3A7D000

trusted library allocation

page read and write

6970000

trusted library allocation

page read and write

69B0000

trusted library allocation

page execute and read and write

432000

unkown

page readonly

B70000

trusted library allocation

page read and write

B62000

trusted library allocation

page read and write

6274000

heap

page read and write

63E0000

trusted library allocation

page read and write

750E000

stack

page read and write

4D10000

heap

page read and write

741A000

trusted library allocation

page read and write

7268000

heap

page read and write

38D3000

trusted library allocation

page read and write

6660000

trusted library allocation

page read and write

5D2E000

stack

page read and write

8FE000

stack

page read and write

7860000

heap

page read and write

615D000

stack

page read and write

62E7000

heap

page read and write

4EC8000

trusted library allocation

page read and write

2A26000

trusted library allocation

page read and write

5E6F000

stack

page read and write

298C000

trusted library allocation

page read and write

7405000

trusted library allocation

page read and write

7460000

trusted library allocation

page read and write

726B000

heap

page read and write

4DF0000

trusted library allocation

page read and write

74CE000

stack

page read and write

725D000

heap

page read and write

284E000

stack

page read and write

6351000

heap

page read and write

9CD000

heap

page read and write

4CF0000

trusted library allocation

page execute and read and write

2AC3000

trusted library allocation

page read and write

742F000

trusted library allocation

page read and write

26BB000

trusted library allocation

page read and write

6690000

trusted library allocation

page execute and read and write

9E9000

heap

page read and write

636A000

trusted library allocation

page read and write

865000

heap

page read and write

6375000

trusted library allocation

page read and write

6430000

trusted library allocation

page read and write

25C8000

trusted library allocation

page read and write

B40000

trusted library allocation

page read and write

2935000

trusted library allocation

page read and write

72D2000

heap

page read and write

7218000

heap

page read and write

2A50000

trusted library allocation

page read and write

2851000

trusted library allocation

page read and write

26D6000

trusted library allocation

page read and write

6370000

trusted library allocation

page read and write

63F0000

trusted library allocation

page read and write

2DE6000

trusted library allocation

page read and write

388F000

trusted library allocation

page read and write

6410000

trusted library allocation

page read and write

6420000

trusted library allocation

page read and write

2B9D000

trusted library allocation

page read and write

4EA000

stack

page read and write

25BE000

stack

page read and write

6640000

trusted library allocation

page read and write

There are 274 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
W8Q1QyZc1j.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportW8Q1QyZc1j.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
W8Q1QyZc1j.exe