Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

file.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.610471077261223
Filename:	file.exe
Filesize:	3948984
MD5:	acfc823a15fbc0247f1974b9a7dc7cf8
SHA1:	3289cb74a353915117e7b1649acbff7449068018
SHA256:	2b8795c54cc826e2f7c62a5c15088a1d9aa9ff31373abf710caacf4d0a5f1b81
SHA512:	1429b568485669dd1376cf2082efa4dff7ac2042fab6ddc31889cb92087dfd4609399395935e47910f4c982f85e1e5b3dc6061e97258c5078a8791aa2d5b3568
SSDEEP:	49152:2sr3b8LJA1/x5CQIcSlU9Jn03eHk5SyiZfOp7fgqjIr7vFKNrFeE:9fGJeHI2Jn0OHk5SbOpKwOE
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Qx...............P...9..T........:.. ... :...@.. ........................;.....<.=...@................................

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection	Process Injection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
.NET source code contains very large array initializations	System Summary	Process Injection Disable or Modify Tools
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Process Injection Timestomp
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)	Remote Access Functionality
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	Process Injection
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Process Injection Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
Found potential string decryption / allocating functions	System Summary
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
PE / OLE file has an invalid certificate	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Native API System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Process Injection Masquerading
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Process Injection
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary	Process Injection
.NET source code contains calls to encryption/decryption functions	System Summary	Process Injection Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains long base64-encoded strings	System Summary	Process Injection Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Process Injection Disable or Modify Tools
.NET source code contains methods with suspicious names	System Summary	Process Injection Disable or Modify Tools
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Process Injection Disable or Modify Tools
Creates temporary files	System Summary	Process Injection
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Program exit points	Malware Analysis System Evasion
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Process Injection
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking	Process Injection
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary
Uses Microsoft Silverlight	System Summary	Process Injection

C:\Users\Public\Desktop\Google Chrome.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:30 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide

dropped

Details

File:	C:\Users\Public\Desktop\Google Chrome.lnk
Category:	dropped
Dump:	Google Chrome.lnk.1.dr
ID:	dr_5
Target ID:	1
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:30 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Entropy:	3.4531466025221493
Encrypted:	false
Ssdeep:	48:8SedATkoGRYrnvPdAKRkdAs6IdAKRFdAKR/U:8Slt
Size:	2106
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MsBuild.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MsBuild.exe.log
Category:	dropped
Dump:	MsBuild.exe.log.1.dr
ID:	dr_6
Target ID:	1
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.342376182732888
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4xLE4qE4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0H6
Size:	1299
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Category:	dropped
Dump:	file.exe.log.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.358731107079437
Encrypted:	false
Ssdeep:	12:Q3La/hz92n4M9tDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLU84qpE4KlKDE4KhKiKhk
Size:	522
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE / OLE file has an invalid certificate	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll
Category:	dropped
Dump:	Protect544cd51a.dll.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\file.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.561572491684602
Encrypted:	false
Ssdeep:	12288:wCMz4nuvURpZ4jR1b2Ag+dQMWCD8iN2+OeO+OeNhBBhhBBgoo+A1AW8JwkaCZ+36:wCs4uvW4jfb2K90oo+C8JwUZc0
Size:	760320
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\TmpDA31.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\TmpDA31.tmp
Category:	dropped
Dump:	TmpDA31.tmp.1.dr
ID:	dr_2
Target ID:	1
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud

C:\Users\user\AppData\Local\Temp\TmpDA41.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\TmpDA41.tmp
Category:	dropped
Dump:	TmpDA41.tmp.1.dr
ID:	dr_3
Target ID:	1
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
Category:	dropped
Dump:	76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06.1.dr
ID:	dr_4
Target ID:	1
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	2251
Whitelisted:	true
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\file.exe

"C:\Users\user\Desktop\file.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7256
Target ID:	0
Parent PID:	2580
Name:	file.exe
Path:	C:\Users\user\Desktop\file.exe
Commandline:	"C:\Users\user\Desktop\file.exe"
Size:	3948984
MD5:	ACFC823A15FBC0247F1974B9A7DC7CF8
Time:	15:37:55
Date:	25/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x3f0000
Modulesize:	3907584
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected zgRAT	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE / OLE file has an invalid certificate	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file contains a COM descriptor data directory	System Summary
PE file has a big code size	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

Details

Is windows:	true
Is dropped:	false
PID:	7304
Target ID:	1
Parent PID:	7256
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	15:37:55
Date:	25/04/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xee0000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected zgRAT	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7316
Target ID:	2
Parent PID:	7304
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	15:37:55
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://www.apache.org/licenses/LICENSE-2.0

unknown

http://www.fontbureau.com

unknown

http://www.fontbureau.com/designersG

unknown

https://api.ip.sb/ip

unknown

https://sectigo.com/CPS0

unknown

http://www.fontbureau.com/designers/?

unknown

http://www.founder.com.cn/cn/bThe

unknown

http://ocsp.sectigo.com0

unknown

http://www.fontbureau.com/designers?

unknown

http://www.tiro.com

unknown

https://api.ip.s

unknown

https://www.google.com/accounts/ClientLogin

unknown

http://www.fontbureau.com/designers

unknown

http://www.goodfont.co.kr

unknown

https://android.apis.google.com/c2dm/send

unknown

http://www.carterandcone.coml

unknown

http://www.sajatypeworks.com

unknown

http://www.typography.netD

unknown

http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t

unknown

http://www.fontbureau.com/designers/cabarga.htmlN

unknown

http://www.founder.com.cn/cn/cThe

unknown

http://www.galapagosdesign.com/staff/dennis.htm

unknown

http://www.founder.com.cn/cn

unknown

http://www.fontbureau.com/designers/frere-user.html

unknown

http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#

unknown

https://www.security.us.panasonic.com

unknown

http://www.jiyu-kobo.co.jp/

unknown

https://discord.com/api/v9/users/

unknown

http://www.galapagosdesign.com/DPlease

unknown

http://www.fontbureau.com/designers8

unknown

http://www.fonts.com

unknown

http://www.sandoll.co.kr

unknown

http://www.urwpp.deDPlease

unknown

http://www.zhongyicts.com.cn

unknown

http://www.sakkal.com

unknown

There are 25 hidden URLs, click here to show them.

Domains

Name

Malicious

bg.microsoft.map.fastly.net

199.232.214.172

fp2e7a.wpc.phicdn.net

192.229.211.108

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064

Blob

Details

TargetID:	1
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064
Value name:	Blob
Value data:	0B 00 00 00 01 00 00 00 48 00 00 00 54 00 69 00 74 00 61 00 6E 00 69 00 75 00 6D 00 20 00 52 00 6F 00 6F 00 74 00 20 00 43 00 65 00 72 00 74 00 69 00 66 00 69 00 63 00 61 00 74 00 65 00 20 00 41 00 75 00 74 00 68 00 6F 00 72 00 69 00 74 00 79 00 00 00 02 00 00 00 01 00 00 00 CC 00 00 00 1C 00 00 00 6C 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 7B 00 34 00 31 00 37 00 34 00 34 00 42 00 45 00 34 00 2D 00 31 00 31 00 43 00 35 00 2D 00 34 00 39 00 34 00 43 00 2D 00 41 00 32 00 31 00 33 00 2D 00 42 00 41 00 30 00 43 00 45 00 39 00 34 00 34 00 39 00 33 00 38 00 45 00 7D 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 45 00 6E 00 68 00 61 00 6E 00 63 00 65 00 64 00 20 00 43 00 72 00 79 00 70 00 74 00 6F 00 67 00 72 00 61 00 70 00 68 00 69 00 63 00 20 00 50 00 72 00 6F 00 76 00 69 00 64 00 65 00 72 00 20 00 76 00 31 00 2E 00 30 00 00 00 00 00 03 00 00 00 01 00 00 00 14 00 00 00 F1 A5 78 C4 CB 5D E7 9A 37 08 93 98 3F D4 DA 8B 67 B2 B0 64 20 00 00 00 01 00 00 00 0A 03 00 00 30 82 03 06 30 82 01 EE A0 03 02 01 02 02 08 67 F7 BE B9 6A 4C 27 98 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 1E 17 0D 32 33 30 33 31 34 31 30 33 35 32 30 5A 17 0D 32 36 30 36 31 37 31 30 33 35 32 30 5A 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 86 E4 57 7A 58 61 CE 81 91 77 D0 05 FA 51 D5 51 5A 93 6C 61 0C CF CB DE 53 32 CD 15 1D A6 47 EE 88 1A 24 5C 9B 02 83 3B 02 AF 3D 76 FE 20 BD 3B FA F7 A2 09 73 E7 2E BD 94 40 D0 9D 8C 3D 27 13 BD F0 D0 9F EB 95 32 AC D7 A4 2D A2 A9 52 DA A8 6A 2A 88 EE 42 7D 30 95 9D 90 BF BA 05 27 6A A0 29 98 A6 98 6F C0 13 06 62 9B 79 B8 40 5D 1F 1F A6 D9 A4 2F 82 7A FC 75 66 34 0D C2 DE 27 01 2B 94 BB 4A 27 B3 CB 1C 21 9A 3C B2 C1 42 03 F3 44 51 BD 62 65 20 ED D4 DB CC 41 4F 59 3F 2A CB C4 84 79 F7 14 3C BE 13 9C FD 12 9C 91 3E 53 03 DC 20 F9 4C 44 35 89 01 B6 9A 84 8D 7E A0 2E 30 8A 31 15 60 AC 00 AE 00 9A 29 10 9A EE D9 71 3D D8 91 9B 97 ED 59 80 58 E1 7F 07 26 C7 A0 20 F7 10 AB C0 62 91 DF AA F1 81 C6 BE 6A 76 C8 9C B6 8E B0 B0 EC 1C D9 5F 32 6C 7E 55 58 8B FD 76 C5 19 02 03 01 00 01 A3 28 30 26 30 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 03 82 01 01 00 70 85 12 93 D7 57 E9 82 79 7D C5 F7 F2 7D A8 94 EF 0C DB 32 9F 06 A6 09 6E 0C F6 04 B0 E5 47 11 56 0E F4 0F 52 82 08 2E 21 0F 55 A3 DB 41 F3 12 54 8B 76 11 F5 F0 DA CE A3 C7 8B 13 F6 FC 24 3C 02 B1 06 66 5B E6 9E 18 40 88 41 5B 27 39 99 B8 77 BE E3 53 A2 48 CE C7 EE B5 A0 95 C2 17 4B C9 52 6C AF E3 37 2C 59 DB FB E7 58 13 4E D3 51 E5 14 72 73 FE C6 85 77 AE 45 52 A6 F9 9A C8 0C A8 D0 EE 42 2A F5 28 85 8C 6B E8 1C B0 A8 03 1A B0 AE 83 C0 EB 55 64 F4 E8 7A 5C 06 29 5D 39 03 EE E2 FD F9 2D 62 A7 F4 D4 05 4D EA A7 9B CA EB DA 4E 8B 1A 6E FD 42 AE F9 D0 1C 70 75 72 8C B1 3A A8 55 7C 85 A7 25 32 B5 E2 D6 C3 E5 50 41 C9 86 7C A8 F5 62 BB D2 AB 0C 37 10 D8 31 73 EC 37 81 D1 DC AA C5 C6 E0 7E E7 26 62 4D FD C5 81 4C FF D3 36 E1 79 32 F8 9B EB 9C F7 FD BE E9 BE BF 61

Signature Hits	Behavior Group	Mitre Attack
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate

Memdumps

Base Address

Regiontype

Protect

Malicious

3D4A000

trusted library allocation

page read and write

3CAA000

trusted library allocation

page read and write

3F2000

unkown

page readonly

402000

remote allocation

page execute and read and write

C69000

heap

page read and write

337B000

trusted library allocation

page read and write

6CF93000

unkown

page write copy

116E000

stack

page read and write

34AF000

trusted library allocation

page read and write

59F0000

heap

page execute and read and write

2B99000

trusted library allocation

page read and write

5A00000

heap

page read and write

5840000

heap

page read and write

5110000

heap

page read and write

955E000

stack

page read and write

358D000

trusted library allocation

page read and write

306E000

stack

page read and write

34E1000

trusted library allocation

page read and write

59F3000

heap

page execute and read and write

7D7E000

stack

page read and write

33A2000

trusted library allocation

page read and write

5800000

heap

page read and write

5A50000

trusted library allocation

page execute and read and write

3494000

trusted library allocation

page read and write

3567000

trusted library allocation

page read and write

355F000

trusted library allocation

page read and write

10C0000

trusted library allocation

page read and write

7A00000

trusted library allocation

page read and write

34C8000

trusted library allocation

page read and write

972E000

stack

page read and write

33BF000

trusted library allocation

page read and write

33DA000

trusted library allocation

page read and write

3387000

trusted library allocation

page read and write

77B0000

heap

page read and write

444D000

trusted library allocation

page read and write

7E52000

heap

page read and write

34CA000

trusted library allocation

page read and write

41F4000

trusted library allocation

page read and write

330A000

trusted library allocation

page read and write

5B90000

heap

page read and write

7DF2000

heap

page read and write

7D90000

trusted library allocation

page read and write

3487000

trusted library allocation

page read and write

5780000

trusted library allocation

page read and write

53DE000

stack

page read and write

437F000

trusted library allocation

page read and write

335C000

trusted library allocation

page read and write

5A70000

trusted library allocation

page read and write

3519000

trusted library allocation

page read and write

340A000

trusted library allocation

page read and write

58F1000

heap

page read and write

3354000

trusted library allocation

page read and write

1710000

trusted library allocation

page read and write

34CE000

trusted library allocation

page read and write

10B0000

trusted library allocation

page read and write

336C000

trusted library allocation

page read and write

33B9000

trusted library allocation

page read and write

3451000

trusted library allocation

page read and write

5701000

trusted library allocation

page read and write

1780000

heap

page read and write

1622000

heap

page read and write

3498000

trusted library allocation

page read and write

350F000

trusted library allocation

page read and write

163F000

heap

page read and write

2B8E000

trusted library allocation

page read and write

15E5000

heap

page read and write

33D6000

trusted library allocation

page read and write

7E0B000

heap

page read and write

30B0000

trusted library allocation

page read and write

3381000

trusted library allocation

page read and write

16FD000

trusted library allocation

page execute and read and write

C2E000

heap

page read and write

142E000

stack

page read and write

7A7E000

stack

page read and write

10C5000

trusted library allocation

page execute and read and write

57C0000

trusted library allocation

page execute and read and write

56E0000

trusted library allocation

page read and write

349C000

trusted library allocation

page read and write

35AD000

trusted library allocation

page read and write

79FE000

stack

page read and write

559A000

trusted library section

page read and write

1470000

heap

page read and write

5050000

heap

page execute and read and write

5706000

trusted library allocation

page read and write

6CF9E000

unkown

page readonly

5BA9000

heap

page read and write

1725000

trusted library allocation

page execute and read and write

33AF000

trusted library allocation

page read and write

34D1000

trusted library allocation

page read and write

1712000

trusted library allocation

page read and write

1680000

heap

page read and write

3485000

trusted library allocation

page read and write

3201000

trusted library allocation

page read and write

16F3000

trusted library allocation

page execute and read and write

5BA0000

heap

page execute and read and write

5A46000

trusted library allocation

page read and write

5CA0000

trusted library allocation

page execute and read and write

2BC1000

trusted library allocation

page read and write

7DB8000

heap

page read and write

10AD000

trusted library allocation

page execute and read and write

5030000

trusted library allocation

page read and write

31D0000

trusted library allocation

page read and write

336A000

trusted library allocation

page read and write

1720000

trusted library allocation

page read and write

31E0000

trusted library allocation

page read and write

91D0000

trusted library allocation

page read and write

3540000

trusted library allocation

page read and write

5027000

trusted library allocation

page read and write

34CC000

trusted library allocation

page read and write

3563000

trusted library allocation

page read and write

33C1000

trusted library allocation

page read and write

3400000

trusted library allocation

page read and write

35D8000

trusted library allocation

page read and write

355D000

trusted library allocation

page read and write

3517000

trusted library allocation

page read and write

3565000

trusted library allocation

page read and write

3329000

trusted library allocation

page read and write

5A7F000

trusted library allocation

page read and write

344D000

trusted library allocation

page read and write

3466000

trusted library allocation

page read and write

3481000

trusted library allocation

page read and write

7E0E000

heap

page read and write

162C000

heap

page read and write

34BC000

trusted library allocation

page read and write

1310000

heap

page read and write

33A7000

trusted library allocation

page read and write

5BB5000

heap

page read and write

CC1000

heap

page read and write

5B8E000

stack

page read and write

3462000

trusted library allocation

page read and write

109D000

trusted library allocation

page execute and read and write

34AD000

trusted library allocation

page read and write

3531000

trusted library allocation

page read and write

349A000

trusted library allocation

page read and write

1580000

heap

page read and write

56AE000

stack

page read and write

2A0B000

heap

page read and write

6CEF0000

unkown

page readonly

1626000

heap

page read and write

1080000

trusted library allocation

page read and write

5770000

trusted library allocation

page read and write

10CB000

trusted library allocation

page execute and read and write

3464000

trusted library allocation

page read and write

3580000

trusted library allocation

page read and write

1475000

heap

page read and write

10A3000

trusted library allocation

page read and write

31EF000

trusted library allocation

page read and write

E2E000

stack

page read and write

340E000

trusted library allocation

page read and write

34DB000

trusted library allocation

page read and write

4A2000

remote allocation

page execute and read and write

5A85000

heap

page read and write

7D3F000

stack

page read and write

56FE000

trusted library allocation

page read and write

33D0000

trusted library allocation

page read and write

325E000

trusted library allocation

page read and write

351B000

trusted library allocation

page read and write

346D000

trusted library allocation

page read and write

5A16000

heap

page read and write

5BA0000

heap

page read and write

5290000

trusted library allocation

page execute and read and write

B38000

stack

page read and write

34E7000

trusted library allocation

page read and write

3576000

trusted library allocation

page read and write

BC0000

heap

page read and write

3460000

trusted library allocation

page read and write

5A40000

trusted library allocation

page read and write

4201000

trusted library allocation

page read and write

346A000

trusted library allocation

page read and write

170D000

trusted library allocation

page execute and read and write

157E000

stack

page read and write

5CEE000

stack

page read and write

501E000

stack

page read and write

354F000

trusted library allocation

page read and write

6CF9A000

unkown

page read and write

5725000

trusted library allocation

page read and write

33D2000

trusted library allocation

page read and write

15B8000

heap

page read and write

1740000

heap

page read and write

523F000

stack

page read and write

931E000

stack

page read and write

6CF9C000

unkown

page read and write

56EB000

trusted library allocation

page read and write

112E000

stack

page read and write

10E0000

trusted library allocation

page read and write

34FA000

trusted library allocation

page read and write

3389000

trusted library allocation

page read and write

7E6B000

heap

page read and write

941E000

stack

page read and write

5A3B000

stack

page read and write

346F000

trusted library allocation

page read and write

59F0000

trusted library allocation

page read and write

BF0000

heap

page read and write

3569000

trusted library allocation

page read and write

5668000

trusted library section

page read and write

338B000

trusted library allocation

page read and write

30C0000

heap

page read and write

34E5000

trusted library allocation

page read and write

3542000

trusted library allocation

page read and write

3368000

trusted library allocation

page read and write

3404000

trusted library allocation

page read and write

7E5B000

heap

page read and write

527E000

stack

page read and write

5AA0000

heap

page read and write

336E000

trusted library allocation

page read and write

1770000

trusted library allocation

page read and write

1747000

heap

page read and write

354C000

trusted library allocation

page read and write

5120000

heap

page execute and read and write

7E21000

heap

page read and write

6CF91000

unkown

page read and write

7E08000

heap

page read and write

57F0000

trusted library allocation

page read and write

16A0000

heap

page read and write

2B20000

heap

page execute and read and write

56EE000

trusted library allocation

page read and write

31CE000

stack

page read and write

351E000

trusted library allocation

page read and write

C55000

heap

page read and write

7E18000

heap

page read and write

F2F000

stack

page read and write

33F5000

trusted library allocation

page read and write

33E7000

trusted library allocation

page read and write

352D000

trusted library allocation

page read and write

57AF000

stack

page read and write

96C0000

trusted library allocation

page execute and read and write

3F0000

unkown

page readonly

78FE000

stack

page read and write

33BB000

trusted library allocation

page read and write

3591000

trusted library allocation

page read and write

171A000

trusted library allocation

page execute and read and write

3E08000

trusted library allocation

page read and write

34C4000

trusted library allocation

page read and write

57EE000

stack

page read and write

34C6000

trusted library allocation

page read and write

5720000

trusted library allocation

page read and write

1631000

heap

page read and write

34A0000

trusted library allocation

page read and write

3533000

trusted library allocation

page read and write

792000

unkown

page readonly

1608000

heap

page read and write

16E0000

trusted library allocation

page read and write

3364000

trusted library allocation

page read and write

29F0000

trusted library allocation

page read and write

3505000

trusted library allocation

page read and write

3366000

trusted library allocation

page read and write

340C000

trusted library allocation

page read and write

5820000

trusted library section

page readonly

1703000

trusted library allocation

page read and write

33F9000

trusted library allocation

page read and write

34DF000

trusted library allocation

page read and write

106E000

stack

page read and write

5712000

trusted library allocation

page read and write

10C7000

trusted library allocation

page execute and read and write

30AB000

stack

page read and write

BB0000

heap

page read and write

15FA000

heap

page read and write

34E9000

trusted library allocation

page read and write

29E0000

trusted library allocation

page read and write

15AB000

heap

page read and write

352F000

trusted library allocation

page read and write

10C2000

trusted library allocation

page read and write

33F1000

trusted library allocation

page read and write

350B000

trusted library allocation

page read and write

33A4000

trusted library allocation

page read and write

5830000

heap

page read and write

33BD000

trusted library allocation

page read and write

C28000

heap

page read and write

73B0000

trusted library allocation

page read and write

34A3000

trusted library allocation

page read and write

5730000

trusted library allocation

page read and write

12F7000

stack

page read and write

3572000

trusted library allocation

page read and write

54E0000

trusted library section

page read and write

172B000

trusted library allocation

page execute and read and write

15F6000

heap

page read and write

6CF8E000

unkown

page read and write

F6E000

stack

page read and write

347D000

trusted library allocation

page read and write

5843000

heap

page read and write

539E000

stack

page read and write

5040000

trusted library allocation

page read and write

570D000

trusted library allocation

page read and write

34FC000

trusted library allocation

page read and write

33DC000

trusted library allocation

page read and write

57B0000

heap

page read and write

34B1000

trusted library allocation

page read and write

54DE000

stack

page read and write

6CEF1000

unkown

page execute read

9120000

heap

page execute and read and write

29C0000

trusted library allocation

page execute and read and write

357E000

trusted library allocation

page read and write

56E4000

trusted library allocation

page read and write

BA0000

heap

page read and write

5A10000

heap

page read and write

10B6000

trusted library allocation

page execute and read and write

146E000

stack

page read and write

3492000

trusted library allocation

page read and write

33F3000

trusted library allocation

page read and write

344F000

trusted library allocation

page read and write

3373000

trusted library allocation

page read and write

3408000

trusted library allocation

page read and write

29D3000

trusted library allocation

page read and write

59E0000

heap

page read and write

354A000

trusted library allocation

page read and write

33AB000

trusted library allocation

page read and write

3561000

trusted library allocation

page read and write

33D4000

trusted library allocation

page read and write

1093000

trusted library allocation

page execute and read and write

3406000

trusted library allocation

page read and write

1750000

trusted library allocation

page read and write

C00000

heap

page read and write

5020000

trusted library allocation

page read and write

7DCC000

heap

page read and write

33A0000

trusted library allocation

page read and write

945E000

stack

page read and write

400000

remote allocation

page execute and read and write

C48000

heap

page read and write

339C000

trusted library allocation

page read and write

320E000

trusted library allocation

page read and write

57E0000

trusted library allocation

page execute and read and write

3559000

trusted library allocation

page read and write

5280000

trusted library section

page read and write

163C000

heap

page read and write

347B000

trusted library allocation

page read and write

C20000

heap

page read and write

358F000

trusted library allocation

page read and write

2B0E000

stack

page read and write

1727000

trusted library allocation

page execute and read and write

3500000

trusted library allocation

page read and write

921E000

stack

page read and write

6CF74000

unkown

page readonly

3546000

trusted library allocation

page read and write

1722000

trusted library allocation

page read and write

7D80000

trusted library allocation

page execute and read and write

3B31000

trusted library allocation

page read and write

188E000

stack

page read and write

33D8000

trusted library allocation

page read and write

982E000

stack

page read and write

29D0000

trusted library allocation

page read and write

7DC8000

heap

page read and write

1760000

trusted library allocation

page execute and read and write

328E000

trusted library allocation

page read and write

33F7000

trusted library allocation

page read and write

3370000

trusted library allocation

page read and write

BA5000

heap

page read and write

A3B000

stack

page read and write

3513000

trusted library allocation

page read and write

3578000

trusted library allocation

page read and write

31F0000

heap

page execute and read and write

357A000

trusted library allocation

page read and write

3502000

trusted library allocation

page read and write

7DC4000

heap

page read and write

1619000

heap

page read and write

34AB000

trusted library allocation

page read and write

4C2D000

stack

page read and write

1610000

heap

page read and write

1603000

heap

page read and write

357C000

trusted library allocation

page read and write

33EB000

trusted library allocation

page read and write

2A00000

heap

page read and write

338E000

trusted library allocation

page read and write

539D000

stack

page read and write

7E39000

heap

page read and write

505A000

heap

page execute and read and write

10BA000

trusted library allocation

page execute and read and write

3468000

trusted library allocation

page read and write

34EC000

trusted library allocation

page read and write

42C2000

trusted library allocation

page read and write

3548000

trusted library allocation

page read and write

C63000

heap

page read and write

16F0000

trusted library allocation

page read and write

5750000

trusted library allocation

page execute and read and write

33ED000

trusted library allocation

page read and write

1170000

heap

page read and write

58EE000

stack

page read and write

33DE000

trusted library allocation

page read and write

16F4000

trusted library allocation

page read and write

352B000

trusted library allocation

page read and write

5BCE000

heap

page read and write

3496000

trusted library allocation

page read and write

6CF90000

unkown

page write copy

347F000

trusted library allocation

page read and write

5130000

heap

page read and write

5DEE000

stack

page read and write

3589000

trusted library allocation

page read and write

3515000

trusted library allocation

page read and write

34B3000

trusted library allocation

page read and write

5BE0000

heap

page read and write

33EF000

trusted library allocation

page read and write

D1D000

heap

page read and write

1090000

trusted library allocation

page read and write

3544000

trusted library allocation

page read and write

5A80000

heap

page read and write

349E000

trusted library allocation

page read and write

1094000

trusted library allocation

page read and write

2B31000

trusted library allocation

page read and write

2BED000

trusted library allocation

page read and write

73D2000

trusted library allocation

page read and write

1588000

heap

page read and write

FA9000

stack

page read and write

3385000

trusted library allocation

page read and write

1716000

trusted library allocation

page execute and read and write

3483000

trusted library allocation

page read and write

There are 394 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
file.exe

Files

Processes

URLs

Domains

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportfile.exe

Files

Processes

URLs

Domains

Registry

Memdumps

IOC Report
file.exe