Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

X8K556WeiK.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.053325044389024
Filename:	X8K556WeiK.exe
Filesize:	313638
MD5:	6f5adb2e7998f571b25a6f332207d0de
SHA1:	be9eb5b2d4cdcb867568f646a72f6f5e28930199
SHA256:	c2886ea3aee978297806940b8e8c4c9e8be23bb9ff8f039be91c040bdc5f3a62
SHA512:	3a3427354b422a53107adf26777a5a07e6743808754c478710b9a926c10188f3f3f2bd52091d726a7e8b3edf25f89952f6d24d5f2e8cc2ed3b9c61f3f5e47d9f
SSDEEP:	6144:/qY6irwP7YfmrYiJv7TAPAzdcZqf7DI/L:/nwPkiJvGAzdcUzs/
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. ....................... ............@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation Security Software Discovery
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping
Tries to steal Crypto Currency Wallets	Stealing of Sensitive Information	Data from Local System
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops certificate files (DER)	E-Banking Fraud
Enables debug privileges	Anti Debugging
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\Public\Desktop\Google Chrome.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:28 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide

dropped

Details

File:	C:\Users\Public\Desktop\Google Chrome.lnk
Category:	dropped
Dump:	Google Chrome.lnk.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\X8K556WeiK.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:28 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Entropy:	3.453756697943058
Encrypted:	false
Ssdeep:	48:8S+VdZTBnGRYrnvPdAKRkdAGdAKRFdAKR/U:8S+hZ
Size:	2104
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\X8K556WeiK.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\X8K556WeiK.exe.log
Category:	dropped
Dump:	X8K556WeiK.exe.log.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\X8K556WeiK.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.3318368586986695
Encrypted:	false
Ssdeep:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlq0
Size:	3274
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Temp\TmpEBFA.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\TmpEBFA.tmp
Category:	dropped
Dump:	TmpEBFA.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\X8K556WeiK.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\TmpEC0A.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\TmpEC0A.tmp
Category:	dropped
Dump:	TmpEC0A.tmp.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\X8K556WeiK.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
Category:	dropped
Dump:	76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\X8K556WeiK.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	2251
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\X8K556WeiK.exe

"C:\Users\user\Desktop\X8K556WeiK.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7540
Target ID:	0
Parent PID:	2580
Name:	X8K556WeiK.exe
Path:	C:\Users\user\Desktop\X8K556WeiK.exe
Commandline:	"C:\Users\user\Desktop\X8K556WeiK.exe"
Size:	313638
MD5:	6F5ADB2E7998F571B25A6F332207D0DE
Time:	16:16:18
Date:	24/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x890000
Modulesize:	335872
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/sct

unknown

https://duckduckgo.com/chrome_newtab

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk

unknown

https://duckduckgo.com/ac/?q=

unknown

http://tempuri.org/Entity/Id14ResponseD

unknown

http://tempuri.org/Entity/Id23ResponseD

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

unknown

http://tempuri.org/Entity/Id12Response

unknown

http://tempuri.org/

unknown

http://tempuri.org/Entity/Id2Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1

unknown

http://tempuri.org/Entity/Id21Response

unknown

http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap

unknown

http://tempuri.org/Entity/Id9

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID

unknown

http://tempuri.org/Entity/Id8

unknown

http://tempuri.org/Entity/Id6ResponseD

unknown

http://tempuri.org/Entity/Id5

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare

unknown

http://tempuri.org/Entity/Id4

unknown

http://tempuri.org/Entity/Id7

unknown

http://purl.oen

unknown

http://tempuri.org/Entity/Id6

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret

unknown

http://tempuri.org/Entity/Id19Response

unknown

http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

unknown

http://tempuri.org/Entity/Id22Response0

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

http://tempuri.org/Entity/Id13ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/fault

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey

unknown

http://tempuri.org/Entity/Id15Response

unknown

http://tempuri.org/Entity/Id5ResponseD

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register

unknown

http://tempuri.org/Entity/Id6Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey

unknown

https://api.ip.sb/ip

unknown

http://schemas.xmlsoap.org/ws/2004/04/sc

unknown

http://tempuri.org/Entity/Id1ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel

unknown

http://tempuri.org/Entity/Id9Response

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://tempuri.org/Entity/Id20

unknown

http://tempuri.org/Entity/Id21

unknown

http://tempuri.org/Entity/Id22

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1

unknown

http://tempuri.org/Entity/Id23

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1

unknown

http://tempuri.org/Entity/Id24

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue

unknown

http://tempuri.org/Entity/Id24Response

unknown

https://www.ecosia.org/newtab/

unknown

http://tempuri.org/Entity/Id1Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey

unknown

http://tempuri.org/Entity/Id21ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust

unknown

http://tempuri.org/Entity/Id10

unknown

http://tempuri.org/Entity/Id11

unknown

http://tempuri.org/Entity/Id10ResponseD

unknown

http://tempuri.org/Entity/Id12

unknown

http://tempuri.org/Entity/Id16Response

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel

unknown

http://tempuri.org/Entity/Id13

unknown

http://tempuri.org/Entity/Id14

unknown

http://tempuri.org/Entity/Id15

unknown

http://tempuri.org/Entity/Id16

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce

unknown

http://tempuri.org/Entity/Id17

unknown

http://tempuri.org/Entity/Id18

unknown

http://tempuri.org/Entity/Id5Response

unknown

http://tempuri.org/Entity/Id19

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns

unknown

http://tempuri.org/Entity/Id15ResponseD

unknown

http://tempuri.org/Entity/Id10Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Renew

unknown

http://tempuri.org/Entity/Id11ResponseD

unknown

http://tempuri.org/Entity/Id8Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT

unknown

http://schemas.xmlsoap.org/ws/2006/02/addressingidentity

unknown

There are 90 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

103.113.70.99

unknown

India

Details

IP:	103.113.70.99
TargetID:	0
Current Path:	C:\Users\user\Desktop\X8K556WeiK.exe
Country:	India
Countrycode:	IND
ASN number:	133973
ASN name:	NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064

Blob

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064
Value name:	Blob
Value data:	0B 00 00 00 01 00 00 00 48 00 00 00 54 00 69 00 74 00 61 00 6E 00 69 00 75 00 6D 00 20 00 52 00 6F 00 6F 00 74 00 20 00 43 00 65 00 72 00 74 00 69 00 66 00 69 00 63 00 61 00 74 00 65 00 20 00 41 00 75 00 74 00 68 00 6F 00 72 00 69 00 74 00 79 00 00 00 02 00 00 00 01 00 00 00 CC 00 00 00 1C 00 00 00 6C 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 7B 00 34 00 31 00 37 00 34 00 34 00 42 00 45 00 34 00 2D 00 31 00 31 00 43 00 35 00 2D 00 34 00 39 00 34 00 43 00 2D 00 41 00 32 00 31 00 33 00 2D 00 42 00 41 00 30 00 43 00 45 00 39 00 34 00 34 00 39 00 33 00 38 00 45 00 7D 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 45 00 6E 00 68 00 61 00 6E 00 63 00 65 00 64 00 20 00 43 00 72 00 79 00 70 00 74 00 6F 00 67 00 72 00 61 00 70 00 68 00 69 00 63 00 20 00 50 00 72 00 6F 00 76 00 69 00 64 00 65 00 72 00 20 00 76 00 31 00 2E 00 30 00 00 00 00 00 03 00 00 00 01 00 00 00 14 00 00 00 F1 A5 78 C4 CB 5D E7 9A 37 08 93 98 3F D4 DA 8B 67 B2 B0 64 20 00 00 00 01 00 00 00 0A 03 00 00 30 82 03 06 30 82 01 EE A0 03 02 01 02 02 08 67 F7 BE B9 6A 4C 27 98 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 1E 17 0D 32 33 30 33 31 34 31 30 33 35 32 30 5A 17 0D 32 36 30 36 31 37 31 30 33 35 32 30 5A 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 86 E4 57 7A 58 61 CE 81 91 77 D0 05 FA 51 D5 51 5A 93 6C 61 0C CF CB DE 53 32 CD 15 1D A6 47 EE 88 1A 24 5C 9B 02 83 3B 02 AF 3D 76 FE 20 BD 3B FA F7 A2 09 73 E7 2E BD 94 40 D0 9D 8C 3D 27 13 BD F0 D0 9F EB 95 32 AC D7 A4 2D A2 A9 52 DA A8 6A 2A 88 EE 42 7D 30 95 9D 90 BF BA 05 27 6A A0 29 98 A6 98 6F C0 13 06 62 9B 79 B8 40 5D 1F 1F A6 D9 A4 2F 82 7A FC 75 66 34 0D C2 DE 27 01 2B 94 BB 4A 27 B3 CB 1C 21 9A 3C B2 C1 42 03 F3 44 51 BD 62 65 20 ED D4 DB CC 41 4F 59 3F 2A CB C4 84 79 F7 14 3C BE 13 9C FD 12 9C 91 3E 53 03 DC 20 F9 4C 44 35 89 01 B6 9A 84 8D 7E A0 2E 30 8A 31 15 60 AC 00 AE 00 9A 29 10 9A EE D9 71 3D D8 91 9B 97 ED 59 80 58 E1 7F 07 26 C7 A0 20 F7 10 AB C0 62 91 DF AA F1 81 C6 BE 6A 76 C8 9C B6 8E B0 B0 EC 1C D9 5F 32 6C 7E 55 58 8B FD 76 C5 19 02 03 01 00 01 A3 28 30 26 30 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 03 82 01 01 00 70 85 12 93 D7 57 E9 82 79 7D C5 F7 F2 7D A8 94 EF 0C DB 32 9F 06 A6 09 6E 0C F6 04 B0 E5 47 11 56 0E F4 0F 52 82 08 2E 21 0F 55 A3 DB 41 F3 12 54 8B 76 11 F5 F0 DA CE A3 C7 8B 13 F6 FC 24 3C 02 B1 06 66 5B E6 9E 18 40 88 41 5B 27 39 99 B8 77 BE E3 53 A2 48 CE C7 EE B5 A0 95 C2 17 4B C9 52 6C AF E3 37 2C 59 DB FB E7 58 13 4E D3 51 E5 14 72 73 FE C6 85 77 AE 45 52 A6 F9 9A C8 0C A8 D0 EE 42 2A F5 28 85 8C 6B E8 1C B0 A8 03 1A B0 AE 83 C0 EB 55 64 F4 E8 7A 5C 06 29 5D 39 03 EE E2 FD F9 2D 62 A7 F4 D4 05 4D EA A7 9B CA EB DA 4E 8B 1A 6E FD 42 AE F9 D0 1C 70 75 72 8C B1 3A A8 55 7C 85 A7 25 32 B5 E2 D6 C3 E5 50 41 C9 86 7C A8 F5 62 BB D2 AB 0C 37 10 D8 31 73 EC 37 81 D1 DC AA C5 C6 E0 7E E7 26 62 4D FD C5 81 4C FF D3 36 E1 79 32 F8 9B EB 9C F7 FD BE E9 BE BF 61

Signature Hits	Behavior Group	Mitre Attack
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFiles0000

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFilesHash

Memdumps

Base Address

Regiontype

Protect

Malicious

892000

unkown

page readonly

2D27000

trusted library allocation

page read and write

61DE000

stack

page read and write

31CD000

trusted library allocation

page read and write

2E17000

trusted library allocation

page read and write

9E5000

heap

page read and write

2E7D000

trusted library allocation

page read and write

65BE000

stack

page read and write

2F0B000

trusted library allocation

page read and write

2E4E000

trusted library allocation

page read and write

40FD000

trusted library allocation

page read and write

2F84000

trusted library allocation

page read and write

3E71000

trusted library allocation

page read and write

7836000

heap

page read and write

3CA9000

trusted library allocation

page read and write

3E58000

trusted library allocation

page read and write

7B42000

trusted library allocation

page read and write

2B40000

trusted library allocation

page read and write

9F0000

heap

page read and write

2F25000

trusted library allocation

page read and write

559E000

stack

page read and write

77BD000

heap

page read and write

68C6000

heap

page read and write

6F2E000

stack

page read and write

3FB4000

trusted library allocation

page read and write

5D31000

heap

page read and write

5180000

trusted library allocation

page read and write

2990000

trusted library allocation

page read and write

693B000

heap

page read and write

5358000

trusted library allocation

page read and write

CF7000

stack

page read and write

3168000

trusted library allocation

page read and write

7A00000

trusted library allocation

page execute and read and write

7B5A000

trusted library allocation

page read and write

29A6000

trusted library allocation

page execute and read and write

7A30000

heap

page read and write

694A000

heap

page read and write

3E77000

trusted library allocation

page read and write

7D00000

trusted library allocation

page read and write

66BE000

stack

page read and write

76B0000

heap

page read and write

3234000

trusted library allocation

page read and write

7CF4000

trusted library allocation

page read and write

410C000

trusted library allocation

page read and write

555F000

stack

page read and write

3F9E000

trusted library allocation

page read and write

6C20000

trusted library allocation

page read and write

2EB5000

trusted library allocation

page read and write

69E0000

trusted library allocation

page read and write

2E0F000

trusted library allocation

page read and write

2F46000

trusted library allocation

page read and write

6C30000

trusted library allocation

page read and write

2F3E000

trusted library allocation

page read and write

30B8000

trusted library allocation

page read and write

3276000

trusted library allocation

page read and write

6BF0000

trusted library allocation

page read and write

5105000

trusted library allocation

page read and write

3E2C000

trusted library allocation

page read and write

309D000

trusted library allocation

page read and write

407F000

trusted library allocation

page read and write

3FCD000

trusted library allocation

page read and write

315C000

trusted library allocation

page read and write

108E000

stack

page read and write

2EB8000

trusted library allocation

page read and write

3F24000

trusted library allocation

page read and write

3F1F000

trusted library allocation

page read and write

5130000

trusted library allocation

page read and write

30DD000

trusted library allocation

page read and write

7889000

heap

page read and write

3206000

trusted library allocation

page read and write

7848000

heap

page read and write

3F54000

trusted library allocation

page read and write

40EB000

trusted library allocation

page read and write

3ECB000

trusted library allocation

page read and write

2F1D000

trusted library allocation

page read and write

2E67000

trusted library allocation

page read and write

7CEE000

stack

page read and write

3092000

trusted library allocation

page read and write

4024000

trusted library allocation

page read and write

3E16000

trusted library allocation

page read and write

3083000

trusted library allocation

page read and write

31B9000

trusted library allocation

page read and write

29BB000

trusted library allocation

page execute and read and write

40BA000

trusted library allocation

page read and write

6DAC000

stack

page read and write

2B70000

heap

page execute and read and write

3E50000

trusted library allocation

page read and write

3F90000

trusted library allocation

page read and write

3103000

trusted library allocation

page read and write

2E01000

trusted library allocation

page read and write

3D06000

trusted library allocation

page read and write

7B49000

trusted library allocation

page read and write

79EC000

stack

page read and write

EBF000

heap

page read and write

7B88000

trusted library allocation

page read and write

3FD0000

trusted library allocation

page read and write

2EE1000

trusted library allocation

page read and write

5350000

trusted library allocation

page read and write

50CB000

trusted library allocation

page read and write

3E7C000

trusted library allocation

page read and write

3C8F000

trusted library allocation

page read and write

4028000

trusted library allocation

page read and write

3ED7000

trusted library allocation

page read and write

3154000

trusted library allocation

page read and write

29B2000

trusted library allocation

page read and write

3FF2000

trusted library allocation

page read and write

7B45000

trusted library allocation

page read and write

5D43000

heap

page read and write

7BB0000

trusted library allocation

page read and write

6AD0000

trusted library allocation

page execute and read and write

4016000

trusted library allocation

page read and write

2F30000

trusted library allocation

page read and write

3F3C000

trusted library allocation

page read and write

2EB2000

trusted library allocation

page read and write

7B6A000

trusted library allocation

page read and write

31B3000

trusted library allocation

page read and write

410A000

trusted library allocation

page read and write

5D48000

heap

page read and write

6849000

trusted library allocation

page read and write

2E42000

trusted library allocation

page read and write

8C7000

unkown

page readonly

3210000

trusted library allocation

page read and write

69C5000

trusted library allocation

page read and write

5290000

heap

page read and write

5D1E000

stack

page read and write

7C6E000

stack

page read and write

6986000

trusted library allocation

page read and write

7B65000

trusted library allocation

page read and write

2A88000

trusted library allocation

page read and write

2A70000

heap

page read and write

30B2000

trusted library allocation

page read and write

40C7000

trusted library allocation

page read and write

3EB8000

trusted library allocation

page read and write

7CA0000

trusted library allocation

page execute and read and write

30F7000

trusted library allocation

page read and write

7814000

heap

page read and write

7A20000

trusted library allocation

page read and write

29AA000

trusted library allocation

page execute and read and write

2F17000

trusted library allocation

page read and write

6A50000

trusted library allocation

page read and write

101F000

stack

page read and write

30EF000

trusted library allocation

page read and write

2C7E000

stack

page read and write

3CBC000

trusted library allocation

page read and write

40D2000

trusted library allocation

page read and write

3089000

trusted library allocation

page read and write

6840000

trusted library allocation

page read and write

3E39000

trusted library allocation

page read and write

6845000

trusted library allocation

page read and write

3280000

trusted library allocation

page read and write

6927000

heap

page read and write

69CE000

trusted library allocation

page read and write

2E75000

trusted library allocation

page read and write

29B0000

trusted library allocation

page read and write

6992000

trusted library allocation

page read and write

69D0000

trusted library allocation

page read and write

76C0000

heap

page read and write

7820000

heap

page read and write

3151000

trusted library allocation

page read and write

3EF3000

trusted library allocation

page read and write

2B20000

trusted library allocation

page execute and read and write

3FFD000

trusted library allocation

page read and write

2ECC000

trusted library allocation

page read and write

97A000

stack

page read and write

3F85000

trusted library allocation

page read and write

3000000

trusted library allocation

page read and write

3FA9000

trusted library allocation

page read and write

3EA5000

trusted library allocation

page read and write

68B2000

heap

page read and write

2B6E000

trusted library allocation

page read and write

7A23000

trusted library allocation

page read and write

ED0000

heap

page read and write

816E000

stack

page read and write

6981000

trusted library allocation

page read and write

7B70000

trusted library allocation

page read and write

696A000

heap

page read and write

308F000

trusted library allocation

page read and write

30AD000

trusted library allocation

page read and write

30A0000

trusted library allocation

page read and write

7BC0000

trusted library allocation

page read and write

6C40000

trusted library allocation

page execute and read and write

2DDE000

trusted library allocation

page read and write

77D3000

heap

page read and write

2970000

trusted library allocation

page read and write

2B30000

trusted library allocation

page read and write

DD0000

heap

page read and write

2B50000

trusted library allocation

page read and write

29D0000

trusted library allocation

page read and write

2A60000

heap

page read and write

3E4E000

trusted library allocation

page read and write

3110000

trusted library allocation

page read and write

4046000

trusted library allocation

page read and write

69A1000

trusted library allocation

page read and write

7B6F000

trusted library allocation

page read and write

3F19000

trusted library allocation

page read and write

3CC3000

trusted library allocation

page read and write

7C70000

trusted library allocation

page read and write

2980000

trusted library allocation

page read and write

6950000

heap

page read and write

50E6000

trusted library allocation

page read and write

314E000

trusted library allocation

page read and write

68BA000

heap

page read and write

3FC2000

trusted library allocation

page read and write

40DE000

trusted library allocation

page read and write

3FD9000

trusted library allocation

page read and write

3F4A000

trusted library allocation

page read and write

29B5000

trusted library allocation

page execute and read and write

298D000

trusted library allocation

page execute and read and write

3282000

trusted library allocation

page read and write

69CB000

trusted library allocation

page read and write

3EF9000

trusted library allocation

page read and write

7B5F000

trusted library allocation

page read and write

66FE000

stack

page read and write

31E3000

trusted library allocation

page read and write

299D000

trusted library allocation

page execute and read and write

40A2000

trusted library allocation

page read and write

29A2000

trusted library allocation

page read and write

9E0000

heap

page read and write

2DE8000

trusted library allocation

page read and write

6870000

heap

page read and write

806E000

stack

page read and write

3E83000

trusted library allocation

page read and write

68BD000

heap

page read and write

631E000

stack

page read and write

1046000

heap

page read and write

67FE000

stack

page read and write

29A0000

trusted library allocation

page read and write

1040000

heap

page read and write

DF7000

heap

page read and write

68C0000

heap

page read and write

4008000

trusted library allocation

page read and write

890000

unkown

page readonly

3F0C000

trusted library allocation

page read and write

62DE000

stack

page read and write

7864000

heap

page read and write

3FA1000

trusted library allocation

page read and write

77DF000

heap

page read and write

8D6000

unkown

page readonly

2DF6000

trusted library allocation

page read and write

321B000

trusted library allocation

page read and write

3E40000

trusted library allocation

page read and write

3C81000

trusted library allocation

page read and write

7B3D000

stack

page read and write

31A8000

trusted library allocation

page read and write

5110000

trusted library allocation

page read and write

4034000

trusted library allocation

page read and write

6A60000

trusted library allocation

page execute and read and write

6A10000

trusted library allocation

page read and write

30EC000

trusted library allocation

page read and write

2DAF000

trusted library allocation

page read and write

3229000

trusted library allocation

page read and write

3E20000

trusted library allocation

page read and write

5F1E000

stack

page read and write

6AC0000

trusted library allocation

page execute and read and write

6C60000

trusted library allocation

page execute and read and write

6A70000

trusted library allocation

page execute and read and write

2F1A000

trusted library allocation

page read and write

3EF6000

trusted library allocation

page read and write

3E08000

trusted library allocation

page read and write

6907000

heap

page read and write

6420000

trusted library allocation

page read and write

50C4000

trusted library allocation

page read and write

2E54000

trusted library allocation

page read and write

31B6000

trusted library allocation

page read and write

7C74000

trusted library allocation

page read and write

3ED0000

trusted library allocation

page read and write

693E000

heap

page read and write

3FEF000

trusted library allocation

page read and write

29B7000

trusted library allocation

page execute and read and write

7B58000

trusted library allocation

page read and write

3EE8000

trusted library allocation

page read and write

2DEB000

trusted library allocation

page read and write

3F7F000

trusted library allocation

page read and write

695E000

heap

page read and write

641F000

stack

page read and write

3F60000

trusted library allocation

page read and write

3FD3000

trusted library allocation

page read and write

3F38000

trusted library allocation

page read and write

69B0000

trusted library allocation

page read and write

3F6D000

trusted library allocation

page read and write

7B74000

trusted library allocation

page read and write

2A1E000

stack

page read and write

4097000

trusted library allocation

page read and write

3E64000

trusted library allocation

page read and write

3F9B000

trusted library allocation

page read and write

40CA000

trusted library allocation

page read and write

2E51000

trusted library allocation

page read and write

3EC5000

trusted library allocation

page read and write

401B000

trusted library allocation

page read and write

6964000

heap

page read and write

11CF000

stack

page read and write

7C2D000

stack

page read and write

50E1000

trusted library allocation

page read and write

4103000

trusted library allocation

page read and write

3E12000

trusted library allocation

page read and write

E98000

heap

page read and write

3E4A000

trusted library allocation

page read and write

317D000

trusted library allocation

page read and write

7A26000

trusted library allocation

page read and write

40C4000

trusted library allocation

page read and write

6847000

trusted library allocation

page read and write

6F80000

trusted library allocation

page execute and read and write

6838000

trusted library allocation

page read and write

3CA2000

trusted library allocation

page read and write

3CBF000

trusted library allocation

page read and write

7F9C0000

trusted library allocation

page execute and read and write

3F47000

trusted library allocation

page read and write

6EEE000

stack

page read and write

DD8000

heap

page read and write

30DF000

trusted library allocation

page read and write

3F8C000

trusted library allocation

page read and write

2B60000

trusted library allocation

page read and write

6CAC000

stack

page read and write

F1E000

stack

page read and write

3EE4000

trusted library allocation

page read and write

79F0000

trusted library allocation

page read and write

3F4D000

trusted library allocation

page read and write

7C80000

heap

page read and write

2EA7000

trusted library allocation

page read and write

699E000

trusted library allocation

page read and write

40F1000

trusted library allocation

page read and write

55DE000

stack

page read and write

3274000

trusted library allocation

page read and write

2D64000

trusted library allocation

page read and write

2FA7000

trusted library allocation

page read and write

3E89000

trusted library allocation

page read and write

1090000

heap

page read and write

7B80000

trusted library allocation

page read and write

3E9E000

trusted library allocation

page read and write

2DDC000

trusted library allocation

page read and write

3CB5000

trusted library allocation

page read and write

50F2000

trusted library allocation

page read and write

7842000

heap

page read and write

3F00000

trusted library allocation

page read and write

77F4000

heap

page read and write

697B000

trusted library allocation

page read and write

513E000

trusted library allocation

page read and write

7B40000

trusted library allocation

page read and write

3E18000

trusted library allocation

page read and write

323B000

trusted library allocation

page read and write

6C00000

trusted library allocation

page read and write

2DEE000

trusted library allocation

page read and write

3EDD000

trusted library allocation

page read and write

683A000

trusted library allocation

page read and write

5170000

heap

page read and write

6F50000

trusted library allocation

page read and write

561E000

stack

page read and write

2F0D000

trusted library allocation

page read and write

77C5000

heap

page read and write

2C81000

trusted library allocation

page read and write

30E9000

trusted library allocation

page read and write

408A000

trusted library allocation

page read and write

104E000

heap

page read and write

3118000

trusted library allocation

page read and write

7BA0000

trusted library allocation

page execute and read and write

3143000

trusted library allocation

page read and write

2EF8000

trusted library allocation

page read and write

3086000

trusted library allocation

page read and write

2983000

trusted library allocation

page execute and read and write

3CB0000

trusted library allocation

page read and write

2A63000

heap

page read and write

3F78000

trusted library allocation

page read and write

6970000

trusted library allocation

page read and write

50DE000

trusted library allocation

page read and write

6C10000

trusted library allocation

page read and write

50C0000

trusted library allocation

page read and write

3175000

trusted library allocation

page read and write

69C0000

trusted library allocation

page read and write

31C1000

trusted library allocation

page read and write

3F31000

trusted library allocation

page read and write

5190000

trusted library allocation

page execute and read and write

7858000

heap

page read and write

2984000

trusted library allocation

page read and write

6A40000

trusted library allocation

page read and write

3FC7000

trusted library allocation

page read and write

64D0000

trusted library allocation

page execute and read and write

5100000

trusted library allocation

page read and write

5660000

trusted library allocation

page read and write

7CF0000

trusted library allocation

page read and write

50ED000

trusted library allocation

page read and write

2EC0000

trusted library allocation

page read and write

5182000

trusted library allocation

page read and write

3FE0000

trusted library allocation

page read and write

3F2B000

trusted library allocation

page read and write

40A9000

trusted library allocation

page read and write

DDE000

heap

page read and write

3E94000

trusted library allocation

page read and write

2E5C000

trusted library allocation

page read and write

4D7C000

stack

page read and write

3E90000

trusted library allocation

page read and write

30B4000

trusted library allocation

page read and write

40F6000

trusted library allocation

page read and write

802E000

stack

page read and write

69F0000

trusted library allocation

page read and write

3EA2000

trusted library allocation

page read and write

2A5B000

stack

page read and write

2ED9000

trusted library allocation

page read and write

77B0000

heap

page read and write

3EAC000

trusted library allocation

page read and write

402D000

trusted library allocation

page read and write

40AF000

trusted library allocation

page read and write

4021000

trusted library allocation

page read and write

31DA000

trusted library allocation

page read and write

40B6000

trusted library allocation

page read and write

2E44000

trusted library allocation

page read and write

8C2000

unkown

page readonly

E11000

heap

page read and write

7B90000

trusted library allocation

page read and write

565E000

stack

page read and write

10C0000

heap

page read and write

E04000

heap

page read and write

77B4000

heap

page read and write

7804000

heap

page read and write

76AC000

stack

page read and write

E7E000

heap

page read and write

406E000

trusted library allocation

page read and write

409D000

trusted library allocation

page read and write

6830000

trusted library allocation

page read and write

3FE4000

trusted library allocation

page read and write

6835000

trusted library allocation

page read and write

64B0000

heap

page read and write

3F73000

trusted library allocation

page read and write

3FF5000

trusted library allocation

page read and write

6956000

heap

page read and write

52DE000

stack

page read and write

6A00000

trusted library allocation

page read and write

6DEE000

stack

page read and write

5360000

heap

page execute and read and write

6F60000

trusted library allocation

page read and write

64C0000

trusted library allocation

page execute and read and write

There are 420 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
X8K556WeiK.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportX8K556WeiK.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
X8K556WeiK.exe