Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

CQPfRTSy7N.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.047896203911261
Filename:	CQPfRTSy7N.exe
Filesize:	314078
MD5:	8ddbe91dac2d37f344e4e8dd94dc73ee
SHA1:	7928fb3558db9214709fd473597c52bc72f761dc
SHA256:	aad1d01aac286d947ba465b0a639add4188cd87aff233946b293f3fd91986438
SHA512:	53e8cbf1bfec48b697034e1df60e218929e58451ffb23c17323a15ca405bc35eb449824e727ae71db9229cee0fafaffc01f3fc3aea874c0546a3e21c700f8f16
SSDEEP:	6144:/qY6irwP7YfmrYiJv7TAPAzdcZqf7DI/L:/nwPkiJvGAzdcUzs/
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. ....................... ............@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Found many strings related to Crypto-Wallets (likely being stolen)	Stealing of Sensitive Information	Security Software Discovery
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping Security Software Discovery
Tries to steal Crypto Currency Wallets	Stealing of Sensitive Information	Data from Local System
AV process strings found (often used to terminate AV products)	Lowering of HIPS / PFW / Operating System Security Settings	Security Software Discovery
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp Security Software Discovery
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Security Software Discovery Archive Collected Data Encrypted Channel
Drops certificate files (DER)	E-Banking Fraud
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Security Software Discovery
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Security Software Discovery
Sample file is different than original file name gathered from version info	System Summary	Security Software Discovery
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary	Security Software Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary	Windows Management Instrumentation System Information Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking	Security Software Discovery
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\Public\Desktop\Google Chrome.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:30 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide

dropped

Details

File:	C:\Users\Public\Desktop\Google Chrome.lnk
Category:	dropped
Dump:	Google Chrome.lnk.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\CQPfRTSy7N.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:30 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Entropy:	3.4557451022122865
Encrypted:	false
Ssdeep:	48:8SNRdATkoGRYrnvPdAKRkdAGdAKRFdAKR/U:8Syt
Size:	2104
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CQPfRTSy7N.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CQPfRTSy7N.exe.log
Category:	dropped
Dump:	CQPfRTSy7N.exe.log.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\CQPfRTSy7N.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.3318368586986695
Encrypted:	false
Ssdeep:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlq0
Size:	3274
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Temp\Tmp64B0.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Tmp64B0.tmp
Category:	dropped
Dump:	Tmp64B0.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\CQPfRTSy7N.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\Tmp64C1.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Tmp64C1.tmp
Category:	dropped
Dump:	Tmp64C1.tmp.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\CQPfRTSy7N.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
Category:	dropped
Dump:	76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\CQPfRTSy7N.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	2251
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\CQPfRTSy7N.exe

"C:\Users\user\Desktop\CQPfRTSy7N.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7476
Target ID:	0
Parent PID:	2580
Name:	CQPfRTSy7N.exe
Path:	C:\Users\user\Desktop\CQPfRTSy7N.exe
Commandline:	"C:\Users\user\Desktop\CQPfRTSy7N.exe"
Size:	314078
MD5:	8DDBE91DAC2D37F344E4E8DD94DC73EE
Time:	17:16:55
Date:	24/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x250000
Modulesize:	335872
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/sct

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk

unknown

http://tempuri.org/Entity/Id14ResponseD

unknown

http://tempuri.org/Entity/Id23ResponseD

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

unknown

http://tempuri.org/Entity/Id12Response

unknown

http://tempuri.org/

unknown

http://tempuri.org/Entity/Id2Response

unknown

http://tempuri.org/Entity/Id15V

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1

unknown

http://tempuri.org/Entity/Id21Response

unknown

http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap

unknown

http://tempuri.org/Entity/Id9

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID

unknown

http://tempuri.org/Entity/Id8

unknown

http://tempuri.org/Entity/Id6ResponseD

unknown

http://tempuri.org/Entity/Id5

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare

unknown

http://tempuri.org/Entity/Id4

unknown

http://tempuri.org/Entity/Id7

unknown

http://tempuri.org/Entity/Id6

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret

unknown

http://tempuri.org/Entity/Id19Response

unknown

http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

http://tempuri.org/Entity/Id13ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/fault

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey

unknown

http://tempuri.org/Entity/Id15Response

unknown

http://tempuri.org/Entity/Id5ResponseD

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register

unknown

http://tempuri.org/Entity/Id6Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey

unknown

https://api.ip.sb/ip

unknown

http://schemas.xmlsoap.org/ws/2004/04/sc

unknown

http://tempuri.org/Entity/Id1ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel

unknown

http://tempuri.org/Entity/Id9Response

unknown

http://tempuri.org/Entity/Id20

unknown

http://tempuri.org/Entity/Id21

unknown

http://tempuri.org/Entity/Id22

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1

unknown

http://tempuri.org/Entity/Id23

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1

unknown

http://tempuri.org/Entity/Id24

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue

unknown

http://tempuri.org/Entity/Id24Response

unknown

http://tempuri.org/Entity/Id1Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey

unknown

http://tempuri.org/Entity/Id21ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust

unknown

http://tempuri.org/Entity/Id10

unknown

http://tempuri.org/Entity/Id11

unknown

http://tempuri.org/Entity/Id10ResponseD

unknown

http://tempuri.org/Entity/Id12

unknown

http://tempuri.org/Entity/Id16Response

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel

unknown

http://tempuri.org/Entity/Id13

unknown

http://tempuri.org/Entity/Id14

unknown

http://tempuri.org/Entity/Id15

unknown

http://tempuri.org/Entity/Id16

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce

unknown

http://tempuri.org/Entity/Id17

unknown

http://tempuri.org/Entity/Id18

unknown

http://tempuri.org/Entity/Id5Response

unknown

http://tempuri.org/Entity/Id19

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns

unknown

http://tempuri.org/Entity/Id15ResponseD

unknown

http://tempuri.org/Entity/Id10Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Renew

unknown

http://tempuri.org/Entity/Id11ResponseD

unknown

http://tempuri.org/Entity/Id8Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT

unknown

http://schemas.xmlsoap.org/ws/2006/02/addressingidentity

unknown

http://tempuri.org/Entity/Id17ResponseD

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://tempuri.org/Entity/Id8ResponseD

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust

unknown

There are 90 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

103.113.70.99

unknown

India

Details

IP:	103.113.70.99
TargetID:	0
Current Path:	C:\Users\user\Desktop\CQPfRTSy7N.exe
Country:	India
Countrycode:	IND
ASN number:	133973
ASN name:	NETCONNECTWIFI-ASNetConnectWifiPvtLtdIN
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064

Blob

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064
Value name:	Blob
Value data:	0B 00 00 00 01 00 00 00 48 00 00 00 54 00 69 00 74 00 61 00 6E 00 69 00 75 00 6D 00 20 00 52 00 6F 00 6F 00 74 00 20 00 43 00 65 00 72 00 74 00 69 00 66 00 69 00 63 00 61 00 74 00 65 00 20 00 41 00 75 00 74 00 68 00 6F 00 72 00 69 00 74 00 79 00 00 00 02 00 00 00 01 00 00 00 CC 00 00 00 1C 00 00 00 6C 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 7B 00 34 00 31 00 37 00 34 00 34 00 42 00 45 00 34 00 2D 00 31 00 31 00 43 00 35 00 2D 00 34 00 39 00 34 00 43 00 2D 00 41 00 32 00 31 00 33 00 2D 00 42 00 41 00 30 00 43 00 45 00 39 00 34 00 34 00 39 00 33 00 38 00 45 00 7D 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 45 00 6E 00 68 00 61 00 6E 00 63 00 65 00 64 00 20 00 43 00 72 00 79 00 70 00 74 00 6F 00 67 00 72 00 61 00 70 00 68 00 69 00 63 00 20 00 50 00 72 00 6F 00 76 00 69 00 64 00 65 00 72 00 20 00 76 00 31 00 2E 00 30 00 00 00 00 00 03 00 00 00 01 00 00 00 14 00 00 00 F1 A5 78 C4 CB 5D E7 9A 37 08 93 98 3F D4 DA 8B 67 B2 B0 64 20 00 00 00 01 00 00 00 0A 03 00 00 30 82 03 06 30 82 01 EE A0 03 02 01 02 02 08 67 F7 BE B9 6A 4C 27 98 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 1E 17 0D 32 33 30 33 31 34 31 30 33 35 32 30 5A 17 0D 32 36 30 36 31 37 31 30 33 35 32 30 5A 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 86 E4 57 7A 58 61 CE 81 91 77 D0 05 FA 51 D5 51 5A 93 6C 61 0C CF CB DE 53 32 CD 15 1D A6 47 EE 88 1A 24 5C 9B 02 83 3B 02 AF 3D 76 FE 20 BD 3B FA F7 A2 09 73 E7 2E BD 94 40 D0 9D 8C 3D 27 13 BD F0 D0 9F EB 95 32 AC D7 A4 2D A2 A9 52 DA A8 6A 2A 88 EE 42 7D 30 95 9D 90 BF BA 05 27 6A A0 29 98 A6 98 6F C0 13 06 62 9B 79 B8 40 5D 1F 1F A6 D9 A4 2F 82 7A FC 75 66 34 0D C2 DE 27 01 2B 94 BB 4A 27 B3 CB 1C 21 9A 3C B2 C1 42 03 F3 44 51 BD 62 65 20 ED D4 DB CC 41 4F 59 3F 2A CB C4 84 79 F7 14 3C BE 13 9C FD 12 9C 91 3E 53 03 DC 20 F9 4C 44 35 89 01 B6 9A 84 8D 7E A0 2E 30 8A 31 15 60 AC 00 AE 00 9A 29 10 9A EE D9 71 3D D8 91 9B 97 ED 59 80 58 E1 7F 07 26 C7 A0 20 F7 10 AB C0 62 91 DF AA F1 81 C6 BE 6A 76 C8 9C B6 8E B0 B0 EC 1C D9 5F 32 6C 7E 55 58 8B FD 76 C5 19 02 03 01 00 01 A3 28 30 26 30 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 03 82 01 01 00 70 85 12 93 D7 57 E9 82 79 7D C5 F7 F2 7D A8 94 EF 0C DB 32 9F 06 A6 09 6E 0C F6 04 B0 E5 47 11 56 0E F4 0F 52 82 08 2E 21 0F 55 A3 DB 41 F3 12 54 8B 76 11 F5 F0 DA CE A3 C7 8B 13 F6 FC 24 3C 02 B1 06 66 5B E6 9E 18 40 88 41 5B 27 39 99 B8 77 BE E3 53 A2 48 CE C7 EE B5 A0 95 C2 17 4B C9 52 6C AF E3 37 2C 59 DB FB E7 58 13 4E D3 51 E5 14 72 73 FE C6 85 77 AE 45 52 A6 F9 9A C8 0C A8 D0 EE 42 2A F5 28 85 8C 6B E8 1C B0 A8 03 1A B0 AE 83 C0 EB 55 64 F4 E8 7A 5C 06 29 5D 39 03 EE E2 FD F9 2D 62 A7 F4 D4 05 4D EA A7 9B CA EB DA 4E 8B 1A 6E FD 42 AE F9 D0 1C 70 75 72 8C B1 3A A8 55 7C 85 A7 25 32 B5 E2 D6 C3 E5 50 41 C9 86 7C A8 F5 62 BB D2 AB 0C 37 10 D8 31 73 EC 37 81 D1 DC AA C5 C6 E0 7E E7 26 62 4D FD C5 81 4C FF D3 36 E1 79 32 F8 9B EB 9C F7 FD BE E9 BE BF 61

Signature Hits	Behavior Group	Mitre Attack
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFiles0000

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFilesHash

Memdumps

Base Address

Regiontype

Protect

Malicious

252000

unkown

page readonly

2728000

trusted library allocation

page read and write

725E000

heap

page read and write

5F90000

heap

page read and write

63FA000

trusted library allocation

page read and write

2829000

trusted library allocation

page read and write

66E0000

trusted library allocation

page read and write

5D1E000

stack

page read and write

2515000

trusted library allocation

page read and write

80E000

stack

page read and write

9B6000

heap

page read and write

6530000

trusted library allocation

page execute and read and write

2842000

trusted library allocation

page read and write

74C0000

trusted library allocation

page read and write

3681000

trusted library allocation

page read and write

6405000

trusted library allocation

page read and write

6A1A000

trusted library allocation

page read and write

4AE6000

trusted library allocation

page read and write

3813000

trusted library allocation

page read and write

6A44000

trusted library allocation

page read and write

884000

trusted library allocation

page read and write

8BB000

trusted library allocation

page execute and read and write

62BE000

stack

page read and write

9A0000

trusted library allocation

page read and write

265E000

trusted library allocation

page read and write

990000

trusted library allocation

page read and write

4D00000

trusted library allocation

page read and write

7510000

trusted library allocation

page read and write

4AC0000

trusted library allocation

page read and write

4BB0000

heap

page execute and read and write

8E7000

heap

page read and write

66B0000

trusted library allocation

page read and write

5F6D000

heap

page read and write

2804000

trusted library allocation

page read and write

A9D000

heap

page read and write

37CF000

trusted library allocation

page read and write

29DC000

trusted library allocation

page read and write

507E000

stack

page read and write

7480000

trusted library allocation

page execute and read and write

263E000

stack

page read and write

5F9E000

heap

page read and write

4B20000

heap

page read and write

7298000

heap

page read and write

9D8000

heap

page read and write

4B30000

heap

page read and write

56CA000

heap

page read and write

607D000

stack

page read and write

64C0000

trusted library allocation

page read and write

5E90000

trusted library allocation

page execute and read and write

66D0000

trusted library allocation

page read and write

28BA000

trusted library allocation

page read and write

8B5000

trusted library allocation

page execute and read and write

63F8000

trusted library allocation

page read and write

3A1C000

trusted library allocation

page read and write

747E000

stack

page read and write

723C000

heap

page read and write

9F7000

heap

page read and write

4B50000

trusted library allocation

page execute and read and write

5F7C000

heap

page read and write

726F000

heap

page read and write

3B0000

heap

page read and write

718C000

heap

page read and write

71A5000

heap

page read and write

738A000

trusted library allocation

page read and write

71E8000

heap

page read and write

4BA0000

heap

page read and write

9B0000

heap

page read and write

5F86000

heap

page read and write

7195000

heap

page read and write

4B40000

trusted library allocation

page read and write

7490000

trusted library allocation

page read and write

2681000

trusted library allocation

page read and write

5E1E000

stack

page read and write

73B0000

trusted library allocation

page read and write

589E000

stack

page read and write

29E4000

trusted library allocation

page read and write

4CFE000

stack

page read and write

7372000

trusted library allocation

page read and write

7170000

heap

page read and write

2837000

trusted library allocation

page read and write

6300000

heap

page read and write

2478000

trusted library allocation

page read and write

71E3000

heap

page read and write

883000

trusted library allocation

page execute and read and write

743D000

stack

page read and write

840000

heap

page read and write

6480000

trusted library allocation

page read and write

7388000

trusted library allocation

page read and write

9D0000

heap

page read and write

4AC4000

trusted library allocation

page read and write

7280000

heap

page read and write

750E000

stack

page read and write

845000

heap

page read and write

6580000

trusted library allocation

page execute and read and write

4ACB000

trusted library allocation

page read and write

7379000

trusted library allocation

page read and write

287000

unkown

page readonly

2801000

trusted library allocation

page read and write

890000

trusted library allocation

page read and write

73D0000

trusted library allocation

page read and write

71B6000

heap

page read and write

2810000

trusted library allocation

page read and write

6485000

trusted library allocation

page read and write

5E80000

trusted library allocation

page execute and read and write

89D000

trusted library allocation

page execute and read and write

27F9000

trusted library allocation

page read and write

6720000

trusted library allocation

page execute and read and write

789E000

stack

page read and write

2530000

heap

page read and write

6430000

trusted library allocation

page read and write

717A000

heap

page read and write

8A6000

trusted library allocation

page execute and read and write

8B7000

trusted library allocation

page execute and read and write

7A80000

trusted library allocation

page read and write

375D000

trusted library allocation

page read and write

7208000

heap

page read and write

6461000

trusted library allocation

page read and write

7A1E000

stack

page read and write

7183000

heap

page read and write

721C000

heap

page read and write

727B000

heap

page read and write

63F5000

trusted library allocation

page read and write

8B2000

trusted library allocation

page read and write

4BC0000

trusted library allocation

page read and write

7BAD000

stack

page read and write

4AE1000

trusted library allocation

page read and write

5BDF000

stack

page read and write

5F70000

heap

page read and write

7212000

heap

page read and write

7375000

trusted library allocation

page read and write

379E000

trusted library allocation

page read and write

4CBE000

stack

page read and write

2896000

trusted library allocation

page read and write

4B42000

trusted library allocation

page read and write

74BD000

trusted library allocation

page read and write

970000

trusted library allocation

page execute and read and write

3776000

trusted library allocation

page read and write

74C4000

trusted library allocation

page read and write

2650000

trusted library allocation

page read and write

5F95000

heap

page read and write

50BE000

stack

page read and write

250000

unkown

page readonly

36A2000

trusted library allocation

page read and write

3FE000

stack

page read and write

716D000

stack

page read and write

64D0000

trusted library allocation

page read and write

71C9000

heap

page read and write

68AE000

stack

page read and write

CCE000

stack

page read and write

791E000

stack

page read and write

66F0000

trusted library allocation

page read and write

724E000

heap

page read and write

9BB000

heap

page read and write

6470000

trusted library allocation

page read and write

74B0000

trusted library allocation

page read and write

ABF000

heap

page read and write

4ADE000

trusted library allocation

page read and write

7220000

heap

page read and write

BCE000

stack

page read and write

74A0000

trusted library allocation

page execute and read and write

2510000

trusted library allocation

page read and write

7A20000

trusted library allocation

page execute and read and write

78DF000

stack

page read and write

7BEE000

stack

page read and write

9DE000

heap

page read and write

591E000

stack

page read and write

980000

trusted library allocation

page read and write

5F53000

heap

page read and write

8D0000

trusted library allocation

page read and write

4AF2000

trusted library allocation

page read and write

8B0000

trusted library allocation

page read and write

88D000

trusted library allocation

page execute and read and write

477C000

stack

page read and write

7A6B000

stack

page read and write

6500000

trusted library allocation

page read and write

648E000

trusted library allocation

page read and write

5EEF000

heap

page read and write

870000

trusted library allocation

page read and write

6446000

trusted library allocation

page read and write

A7F000

heap

page read and write

7F9A0000

trusted library allocation

page execute and read and write

686C000

stack

page read and write

5E70000

heap

page read and write

2520000

trusted library allocation

page read and write

AB0000

heap

page read and write

6A17000

trusted library allocation

page read and write

4AED000

trusted library allocation

page read and write

880000

trusted library allocation

page read and write

5F51000

heap

page read and write

785E000

stack

page read and write

33A000

stack

page read and write

4B33000

heap

page read and write

282C000

trusted library allocation

page read and write

92E000

stack

page read and write

69EE000

stack

page read and write

58DE000

stack

page read and write

73A0000

trusted library allocation

page read and write

69AC000

stack

page read and write

6700000

trusted library allocation

page execute and read and write

2850000

trusted library allocation

page read and write

63F0000

trusted library allocation

page read and write

820000

heap

page read and write

6409000

trusted library allocation

page read and write

7530000

trusted library allocation

page read and write

56B1000

heap

page read and write

7AA0000

heap

page read and write

64A0000

trusted library allocation

page read and write

282F000

trusted library allocation

page read and write

9C0000

trusted library allocation

page read and write

4D10000

heap

page read and write

6590000

trusted library allocation

page execute and read and write

2858000

trusted library allocation

page read and write

5EA1000

heap

page read and write

71A3000

heap

page read and write

6510000

trusted library allocation

page read and write

64B0000

trusted library allocation

page read and write

72B3000

heap

page read and write

2A82000

trusted library allocation

page read and write

3913000

trusted library allocation

page read and write

6A10000

trusted library allocation

page read and write

296000

unkown

page readonly

6400000

trusted library allocation

page read and write

66C0000

trusted library allocation

page read and write

4F0F000

stack

page read and write

676C000

stack

page read and write

648B000

trusted library allocation

page read and write

5CDF000

stack

page read and write

4BC8000

trusted library allocation

page read and write

720E000

heap

page read and write

6490000

trusted library allocation

page read and write

8E0000

heap

page read and write

7395000

trusted library allocation

page read and write

3758000

trusted library allocation

page read and write

2470000

trusted library allocation

page read and write

643B000

trusted library allocation

page read and write

62F0000

heap

page read and write

368F000

trusted library allocation

page read and write

6441000

trusted library allocation

page read and write

6520000

trusted library allocation

page execute and read and write

738F000

trusted library allocation

page read and write

6A40000

trusted library allocation

page read and write

6F7000

stack

page read and write

73A8000

trusted library allocation

page read and write

8A0000

trusted library allocation

page read and write

617E000

stack

page read and write

645E000

trusted library allocation

page read and write

4BD0000

trusted library allocation

page read and write

8C6E000

stack

page read and write

739F000

trusted library allocation

page read and write

A11000

heap

page read and write

2670000

heap

page execute and read and write

61BE000

stack

page read and write

71B9000

heap

page read and write

2812000

trusted library allocation

page read and write

96B000

stack

page read and write

8A2000

trusted library allocation

page read and write

71AB000

heap

page read and write

6407000

trusted library allocation

page read and write

27C8000

trusted library allocation

page read and write

739A000

trusted library allocation

page read and write

6452000

trusted library allocation

page read and write

5F48000

heap

page read and write

282000

unkown

page readonly

3764000

trusted library allocation

page read and write

73C0000

trusted library allocation

page execute and read and write

7174000

heap

page read and write

3A21000

trusted library allocation

page read and write

7188000

heap

page read and write

5EC1000

heap

page read and write

7370000

trusted library allocation

page read and write

3A0000

heap

page read and write

8AA000

trusted library allocation

page execute and read and write

There are 262 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
CQPfRTSy7N.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportCQPfRTSy7N.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
CQPfRTSy7N.exe