Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

gm5v3JlTMk.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.062568447042871
Filename:	gm5v3JlTMk.exe
Filesize:	312891
MD5:	79fc20c78e45d10f5f6d3f12c736b8d5
SHA1:	4a6b50e0cc1aa3c98bcb786311421ebf6815dcd0
SHA256:	5e0a9b8f7175b983c012fa530bb29693cd8aadf2b2feb0f56d1c089fac20edb4
SHA512:	8c86d2c46d5eac37eaf7ca2612a395a52811e12a4d1653e410ccfc609cf64ff25b0ec10c469f96467745ec553a2abf1a5d4259ac347d2e92083453ea64143b4d
SSDEEP:	6144:/qY6irwP7YfmrYiJv7TAPAzdcZqf7DI/L:/nwPkiJvGAzdcUzs/
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. ....................... ............@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Data from Local System
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping
Tries to steal Crypto Currency Wallets	Stealing of Sensitive Information	Windows Management Instrumentation Security Software Discovery
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings	Windows Management Instrumentation Security Software Discovery
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops certificate files (DER)	E-Banking Fraud
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\Public\Desktop\Google Chrome.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:30 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide

dropped

Details

File:	C:\Users\Public\Desktop\Google Chrome.lnk
Category:	dropped
Dump:	Google Chrome.lnk.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\gm5v3JlTMk.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:30 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Entropy:	3.4534191264567817
Encrypted:	false
Ssdeep:	48:8SZdATkoGRYrnvPdAKRkdAGdAKRFdAKR/U:8SMt
Size:	2104
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gm5v3JlTMk.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gm5v3JlTMk.exe.log
Category:	dropped
Dump:	gm5v3JlTMk.exe.log.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\gm5v3JlTMk.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.3318368586986695
Encrypted:	false
Ssdeep:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlq0
Size:	3274
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Temp\Tmp2B59.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Tmp2B59.tmp
Category:	dropped
Dump:	Tmp2B59.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\gm5v3JlTMk.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\Tmp2B6A.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Tmp2B6A.tmp
Category:	dropped
Dump:	Tmp2B6A.tmp.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\gm5v3JlTMk.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
Category:	dropped
Dump:	76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\gm5v3JlTMk.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	2251
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\gm5v3JlTMk.exe

"C:\Users\user\Desktop\gm5v3JlTMk.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6936
Target ID:	0
Parent PID:	2580
Name:	gm5v3JlTMk.exe
Path:	C:\Users\user\Desktop\gm5v3JlTMk.exe
Commandline:	"C:\Users\user\Desktop\gm5v3JlTMk.exe"
Size:	312891
MD5:	79FC20C78E45D10F5F6D3F12C736B8D5
Time:	14:26:55
Date:	24/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xbc0000
Modulesize:	335872
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/sct

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk

unknown

http://tempuri.org/Entity/Id14ResponseD

unknown

http://tempuri.org/Entity/Id23ResponseD

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

unknown

http://tempuri.org/Entity/Id12Response

unknown

http://tempuri.org/

unknown

http://tempuri.org/Entity/Id2Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1

unknown

http://tempuri.org/Entity/Id21Response

unknown

http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap

unknown

http://tempuri.org/Entity/Id9

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID

unknown

http://tempuri.org/Entity/Id8

unknown

http://tempuri.org/Entity/Id6ResponseD

unknown

http://tempuri.org/Entity/Id5

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare

unknown

http://tempuri.org/Entity/Id4

unknown

http://tempuri.org/Entity/Id7

unknown

http://tempuri.org/Entity/Id6

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret

unknown

http://tempuri.org/Entity/Id19Response

unknown

http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

http://tempuri.org/Entity/Id13ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/fault

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey

unknown

http://tempuri.org/Entity/Id15Response

unknown

http://tempuri.org/Entity/Id5ResponseD

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register

unknown

http://tempuri.org/Entity/Id6Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey

unknown

https://api.ip.sb/ip

unknown

http://schemas.xmlsoap.org/ws/2004/04/sc

unknown

http://tempuri.org/Entity/Id1ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel

unknown

http://tempuri.org/Entity/Id9Response

unknown

http://tempuri.org/Entity/Id20

unknown

http://tempuri.org/Entity/Id21

unknown

http://tempuri.org/Entity/Id22

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1

unknown

http://tempuri.org/Entity/Id23

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1

unknown

http://tempuri.org/Entity/Id24

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue

unknown

http://tempuri.org/Entity/Id24Response

unknown

http://tempuri.org/Entity/Id1Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey

unknown

http://tempuri.org/Entity/Id21ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust

unknown

http://tempuri.org/Entity/Id10

unknown

http://tempuri.org/Entity/Id11

unknown

http://tempuri.org/Entity/Id10ResponseD

unknown

http://tempuri.org/Entity/Id12

unknown

http://tempuri.org/Entity/Id16Response

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel

unknown

http://tempuri.org/Entity/Id13

unknown

http://tempuri.org/Entity/Id14

unknown

http://tempuri.org/Entity/Id15

unknown

http://tempuri.org/Entity/Id16

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce

unknown

http://tempuri.org/Entity/Id17

unknown

http://tempuri.org/Entity/Id18

unknown

http://tempuri.org/Entity/Id5Response

unknown

http://tempuri.org/Entity/Id19

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns

unknown

http://tempuri.org/Entity/Id15ResponseD

unknown

http://tempuri.org/Entity/Id10Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Renew

unknown

http://tempuri.org/Entity/Id11ResponseD

unknown

http://tempuri.org/Entity/Id8Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT

unknown

http://schemas.xmlsoap.org/ws/2006/02/addressingidentity

unknown

http://tempuri.org/Entity/Id17ResponseD

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://tempuri.org/Entity/Id8ResponseD

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust

unknown

There are 90 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

103.113.70.99

unknown

India

Details

IP:	103.113.70.99
TargetID:	0
Current Path:	C:\Users\user\Desktop\gm5v3JlTMk.exe
Country:	India
Countrycode:	IND
ASN number:	133973
ASN name:	NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064

Blob

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064
Value name:	Blob
Value data:	0B 00 00 00 01 00 00 00 48 00 00 00 54 00 69 00 74 00 61 00 6E 00 69 00 75 00 6D 00 20 00 52 00 6F 00 6F 00 74 00 20 00 43 00 65 00 72 00 74 00 69 00 66 00 69 00 63 00 61 00 74 00 65 00 20 00 41 00 75 00 74 00 68 00 6F 00 72 00 69 00 74 00 79 00 00 00 02 00 00 00 01 00 00 00 CC 00 00 00 1C 00 00 00 6C 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 7B 00 34 00 31 00 37 00 34 00 34 00 42 00 45 00 34 00 2D 00 31 00 31 00 43 00 35 00 2D 00 34 00 39 00 34 00 43 00 2D 00 41 00 32 00 31 00 33 00 2D 00 42 00 41 00 30 00 43 00 45 00 39 00 34 00 34 00 39 00 33 00 38 00 45 00 7D 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 45 00 6E 00 68 00 61 00 6E 00 63 00 65 00 64 00 20 00 43 00 72 00 79 00 70 00 74 00 6F 00 67 00 72 00 61 00 70 00 68 00 69 00 63 00 20 00 50 00 72 00 6F 00 76 00 69 00 64 00 65 00 72 00 20 00 76 00 31 00 2E 00 30 00 00 00 00 00 03 00 00 00 01 00 00 00 14 00 00 00 F1 A5 78 C4 CB 5D E7 9A 37 08 93 98 3F D4 DA 8B 67 B2 B0 64 20 00 00 00 01 00 00 00 0A 03 00 00 30 82 03 06 30 82 01 EE A0 03 02 01 02 02 08 67 F7 BE B9 6A 4C 27 98 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 1E 17 0D 32 33 30 33 31 34 31 30 33 35 32 30 5A 17 0D 32 36 30 36 31 37 31 30 33 35 32 30 5A 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 86 E4 57 7A 58 61 CE 81 91 77 D0 05 FA 51 D5 51 5A 93 6C 61 0C CF CB DE 53 32 CD 15 1D A6 47 EE 88 1A 24 5C 9B 02 83 3B 02 AF 3D 76 FE 20 BD 3B FA F7 A2 09 73 E7 2E BD 94 40 D0 9D 8C 3D 27 13 BD F0 D0 9F EB 95 32 AC D7 A4 2D A2 A9 52 DA A8 6A 2A 88 EE 42 7D 30 95 9D 90 BF BA 05 27 6A A0 29 98 A6 98 6F C0 13 06 62 9B 79 B8 40 5D 1F 1F A6 D9 A4 2F 82 7A FC 75 66 34 0D C2 DE 27 01 2B 94 BB 4A 27 B3 CB 1C 21 9A 3C B2 C1 42 03 F3 44 51 BD 62 65 20 ED D4 DB CC 41 4F 59 3F 2A CB C4 84 79 F7 14 3C BE 13 9C FD 12 9C 91 3E 53 03 DC 20 F9 4C 44 35 89 01 B6 9A 84 8D 7E A0 2E 30 8A 31 15 60 AC 00 AE 00 9A 29 10 9A EE D9 71 3D D8 91 9B 97 ED 59 80 58 E1 7F 07 26 C7 A0 20 F7 10 AB C0 62 91 DF AA F1 81 C6 BE 6A 76 C8 9C B6 8E B0 B0 EC 1C D9 5F 32 6C 7E 55 58 8B FD 76 C5 19 02 03 01 00 01 A3 28 30 26 30 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 03 82 01 01 00 70 85 12 93 D7 57 E9 82 79 7D C5 F7 F2 7D A8 94 EF 0C DB 32 9F 06 A6 09 6E 0C F6 04 B0 E5 47 11 56 0E F4 0F 52 82 08 2E 21 0F 55 A3 DB 41 F3 12 54 8B 76 11 F5 F0 DA CE A3 C7 8B 13 F6 FC 24 3C 02 B1 06 66 5B E6 9E 18 40 88 41 5B 27 39 99 B8 77 BE E3 53 A2 48 CE C7 EE B5 A0 95 C2 17 4B C9 52 6C AF E3 37 2C 59 DB FB E7 58 13 4E D3 51 E5 14 72 73 FE C6 85 77 AE 45 52 A6 F9 9A C8 0C A8 D0 EE 42 2A F5 28 85 8C 6B E8 1C B0 A8 03 1A B0 AE 83 C0 EB 55 64 F4 E8 7A 5C 06 29 5D 39 03 EE E2 FD F9 2D 62 A7 F4 D4 05 4D EA A7 9B CA EB DA 4E 8B 1A 6E FD 42 AE F9 D0 1C 70 75 72 8C B1 3A A8 55 7C 85 A7 25 32 B5 E2 D6 C3 E5 50 41 C9 86 7C A8 F5 62 BB D2 AB 0C 37 10 D8 31 73 EC 37 81 D1 DC AA C5 C6 E0 7E E7 26 62 4D FD C5 81 4C FF D3 36 E1 79 32 F8 9B EB 9C F7 FD BE E9 BE BF 61

Signature Hits	Behavior Group	Mitre Attack
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFiles0000

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFilesHash

Memdumps

Base Address

Regiontype

Protect

Malicious

3198000

trusted library allocation

page read and write

BC2000

unkown

page readonly

7CF0000

trusted library allocation

page read and write

3624000

trusted library allocation

page read and write

7270000

trusted library allocation

page read and write

5770000

heap

page execute and read and write

44CD000

trusted library allocation

page read and write

668E000

stack

page read and write

8390000

trusted library allocation

page execute and read and write

15BB000

trusted library allocation

page execute and read and write

6E00000

trusted library allocation

page execute and read and write

CA9000

stack

page read and write

15B5000

trusted library allocation

page execute and read and write

6B7C000

heap

page read and write

324C000

trusted library allocation

page read and write

7CF5000

trusted library allocation

page read and write

6CFE000

trusted library allocation

page read and write

1414000

heap

page read and write

725E000

stack

page read and write

7279000

trusted library allocation

page read and write

83A0000

trusted library allocation

page read and write

30E0000

heap

page execute and read and write

2EAE000

stack

page read and write

412F000

trusted library allocation

page read and write

856E000

stack

page read and write

33DB000

trusted library allocation

page read and write

1180000

heap

page read and write

2EC0000

trusted library allocation

page read and write

3672000

trusted library allocation

page read and write

1320000

heap

page read and write

7E80000

trusted library allocation

page read and write

363D000

trusted library allocation

page read and write

7B11000

heap

page read and write

6C5B000

heap

page read and write

6C54000

heap

page read and write

7D08000

trusted library allocation

page read and write

6CA0000

trusted library allocation

page read and write

2F26000

trusted library allocation

page read and write

6F30000

trusted library allocation

page read and write

33D1000

trusted library allocation

page read and write

133F000

heap

page read and write

35B0000

trusted library allocation

page read and write

179E000

heap

page read and write

35D8000

trusted library allocation

page read and write

6C6A000

trusted library allocation

page read and write

7B76000

heap

page read and write

1312000

trusted library allocation

page read and write

3050000

heap

page read and write

7B4D000

heap

page read and write

6CC2000

trusted library allocation

page read and write

34F4000

trusted library allocation

page read and write

72B0000

trusted library allocation

page read and write

176C000

stack

page read and write

3670000

trusted library allocation

page read and write

6BA6000

heap

page read and write

7BF0000

heap

page read and write

6C75000

trusted library allocation

page read and write

16E0000

trusted library allocation

page read and write

6C34000

heap

page read and write

3459000

trusted library allocation

page read and write

6CB6000

trusted library allocation

page read and write

852F000

stack

page read and write

5A6F000

stack

page read and write

6D10000

trusted library allocation

page read and write

3062000

trusted library allocation

page read and write

6CE0000

trusted library allocation

page read and write

15B2000

trusted library allocation

page read and write

7D24000

trusted library allocation

page read and write

7D50000

trusted library allocation

page read and write

7CF9000

trusted library allocation

page read and write

6A2D000

stack

page read and write

2FF0000

trusted library allocation

page read and write

7E00000

trusted library allocation

page execute and read and write

1780000

trusted library allocation

page read and write

30DE000

stack

page read and write

60A1000

heap

page read and write

67E0000

heap

page read and write

2EB0000

trusted library allocation

page read and write

2ED0000

trusted library allocation

page read and write

BC0000

unkown

page readonly

628E000

stack

page read and write

678F000

stack

page read and write

4112000

trusted library allocation

page read and write

6C1A000

heap

page read and write

2EF3000

heap

page read and write

431E000

trusted library allocation

page read and write

6CD1000

trusted library allocation

page read and write

3060000

trusted library allocation

page read and write

70DC000

stack

page read and write

6C2D000

heap

page read and write

10F0000

heap

page read and write

3461000

trusted library allocation

page read and write

35DF000

trusted library allocation

page read and write

2F2D000

trusted library allocation

page read and write

6C77000

trusted library allocation

page read and write

132E000

heap

page read and write

3515000

trusted library allocation

page read and write

7E24000

trusted library allocation

page read and write

3572000

trusted library allocation

page read and write

6F20000

trusted library allocation

page read and write

573E000

stack

page read and write

357A000

trusted library allocation

page read and write

1347000

heap

page read and write

130D000

trusted library allocation

page execute and read and write

6D80000

trusted library allocation

page read and write

412C000

trusted library allocation

page read and write

2EE5000

trusted library allocation

page read and write

6D00000

trusted library allocation

page read and write

40FF000

trusted library allocation

page read and write

6D70000

trusted library allocation

page read and write

6C49000

heap

page read and write

79E0000

heap

page read and write

354E000

trusted library allocation

page read and write

6C1E000

heap

page read and write

6DA0000

trusted library allocation

page execute and read and write

7BB9000

heap

page read and write

6C06000

heap

page read and write

C06000

unkown

page readonly

711E000

stack

page read and write

56EE000

stack

page read and write

5AAE000

stack

page read and write

1799000

heap

page read and write

172E000

stack

page read and write

6C45000

heap

page read and write

3619000

trusted library allocation

page read and write

842E000

stack

page read and write

1300000

trusted library allocation

page read and write

7CF2000

trusted library allocation

page read and write

12F4000

trusted library allocation

page read and write

35B4000

trusted library allocation

page read and write

13EE000

heap

page read and write

15C7000

heap

page read and write

6CF0000

trusted library allocation

page read and write

6B60000

heap

page read and write

664E000

stack

page read and write

3551000

trusted library allocation

page read and write

3261000

trusted library allocation

page read and write

2EE0000

trusted library allocation

page read and write

6D90000

trusted library allocation

page execute and read and write

81CE000

stack

page read and write

6DF0000

trusted library allocation

page execute and read and write

7B6D000

heap

page read and write

7AFB000

heap

page read and write

654F000

stack

page read and write

7D1F000

trusted library allocation

page read and write

4120000

trusted library allocation

page read and write

3616000

trusted library allocation

page read and write

2F04000

trusted library allocation

page read and write

6CF5000

trusted library allocation

page read and write

BF7000

unkown

page readonly

15B7000

trusted library allocation

page execute and read and write

3469000

trusted library allocation

page read and write

1150000

heap

page read and write

7D20000

trusted library allocation

page read and write

350D000

trusted library allocation

page read and write

1316000

trusted library allocation

page execute and read and write

33EF000

trusted library allocation

page read and write

6D20000

trusted library allocation

page read and write

3246000

trusted library allocation

page read and write

7AEC000

heap

page read and write

824E000

stack

page read and write

69EE000

stack

page read and write

1328000

heap

page read and write

6D40000

trusted library allocation

page read and write

727F000

trusted library allocation

page read and write

12FD000

trusted library allocation

page execute and read and write

1796000

heap

page read and write

7CE0000

trusted library allocation

page execute and read and write

361C000

trusted library allocation

page read and write

7D40000

trusted library allocation

page read and write

7B5B000

heap

page read and write

4119000

trusted library allocation

page read and write

7E30000

trusted library allocation

page execute and read and write

7B2C000

heap

page read and write

7EAB000

trusted library allocation

page read and write

6800000

trusted library allocation

page execute and read and write

3500000

trusted library allocation

page read and write

1185000

heap

page read and write

7AFE000

heap

page read and write

3559000

trusted library allocation

page read and write

12E0000

trusted library allocation

page read and write

323E000

trusted library allocation

page read and write

12F0000

trusted library allocation

page read and write

4133000

trusted library allocation

page read and write

15C0000

heap

page read and write

40F1000

trusted library allocation

page read and write

3244000

trusted library allocation

page read and write

6F40000

trusted library allocation

page read and write

6D30000

trusted library allocation

page read and write

12CD000

stack

page read and write

727B000

trusted library allocation

page read and write

6C65000

trusted library allocation

page read and write

7EA0000

trusted library allocation

page read and write

3645000

trusted library allocation

page read and write

7AF7000

heap

page read and write

13DB000

heap

page read and write

1010000

heap

page read and write

79DD000

stack

page read and write

6C3B000

heap

page read and write

6C79000

trusted library allocation

page read and write

6C00000

heap

page read and write

7DFE000

stack

page read and write

7F8C0000

trusted library allocation

page execute and read and write

6C60000

trusted library allocation

page read and write

6F50000

trusted library allocation

page read and write

5750000

trusted library allocation

page read and write

35A5000

trusted library allocation

page read and write

83B0000

heap

page read and write

368A000

trusted library allocation

page read and write

7AE0000

heap

page read and write

6C2A000

heap

page read and write

128E000

stack

page read and write

360B000

trusted library allocation

page read and write

3070000

trusted library allocation

page execute and read and write

7D15000

trusted library allocation

page read and write

83E0000

heap

page read and write

2EDE000

trusted library allocation

page read and write

13E0000

heap

page read and write

7E20000

trusted library allocation

page read and write

7D1A000

trusted library allocation

page read and write

3541000

trusted library allocation

page read and write

4171000

trusted library allocation

page read and write

7BA8000

heap

page read and write

6C70000

trusted library allocation

page read and write

113E000

stack

page read and write

367F000

trusted library allocation

page read and write

1398000

heap

page read and write

2F40000

heap

page read and write

346C000

trusted library allocation

page read and write

7D0A000

trusted library allocation

page read and write

6CFB000

trusted library allocation

page read and write

596E000

stack

page read and write

1790000

heap

page read and write

60B8000

heap

page read and write

35B6000

trusted library allocation

page read and write

6CCE000

trusted library allocation

page read and write

6C68000

trusted library allocation

page read and write

838E000

stack

page read and write

131A000

trusted library allocation

page execute and read and write

36A3000

trusted library allocation

page read and write

68EE000

stack

page read and write

2F32000

trusted library allocation

page read and write

5760000

trusted library allocation

page read and write

1310000

trusted library allocation

page read and write

2F21000

trusted library allocation

page read and write

7D38000

trusted library allocation

page read and write

7D30000

trusted library allocation

page read and write

7E10000

trusted library allocation

page read and write

BF2000

unkown

page readonly

820E000

stack

page read and write

2F0B000

trusted library allocation

page read and write

DA7000

stack

page read and write

6B2E000

stack

page read and write

83C0000

trusted library allocation

page read and write

2EF0000

heap

page read and write

721C000

stack

page read and write

16CE000

stack

page read and write

6CAB000

trusted library allocation

page read and write

35BE000

trusted library allocation

page read and write

3242000

trusted library allocation

page read and write

7D0F000

trusted library allocation

page read and write

51EC000

stack

page read and write

301E000

trusted library allocation

page read and write

324A000

trusted library allocation

page read and write

1770000

trusted library allocation

page execute and read and write

3010000

trusted library allocation

page read and write

828B000

stack

page read and write

6FDC000

stack

page read and write

33D7000

trusted library allocation

page read and write

2F1E000

trusted library allocation

page read and write

15B0000

trusted library allocation

page read and write

6F90000

trusted library allocation

page execute and read and write

3630000

trusted library allocation

page read and write

7B18000

heap

page read and write

3695000

trusted library allocation

page read and write

5740000

trusted library allocation

page read and write

367C000

trusted library allocation

page read and write

354B000

trusted library allocation

page read and write

7E7E000

stack

page read and write

3479000

trusted library allocation

page read and write

7B47000

heap

page read and write

30F1000

trusted library allocation

page read and write

56A0000

heap

page read and write

12F3000

trusted library allocation

page execute and read and write

99DE000

stack

page read and write

7DBE000

stack

page read and write

5748000

trusted library allocation

page read and write

35CA000

trusted library allocation

page read and write

1361000

heap

page read and write

567E000

stack

page read and write

7B32000

heap

page read and write

6C52000

heap

page read and write

3565000

trusted library allocation

page read and write

7AF2000

heap

page read and write

67F0000

trusted library allocation

page execute and read and write

6F60000

trusted library allocation

page read and write

4125000

trusted library allocation

page read and write

7B30000

heap

page read and write

2F58000

trusted library allocation

page read and write

3682000

trusted library allocation

page read and write

2F00000

trusted library allocation

page read and write

6F70000

trusted library allocation

page execute and read and write

6CB1000

trusted library allocation

page read and write

There are 293 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
gm5v3JlTMk.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportgm5v3JlTMk.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
gm5v3JlTMk.exe