Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

e5oMWYWLig.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.911893966908288
Filename:	e5oMWYWLig.exe
Filesize:	6182064
MD5:	1c14867a6f2cd134302561e60dd2ef2e
SHA1:	2127a62fcb303ed0d3c9d331cf065c67d7c0bb28
SHA256:	177a882c7576a1deba30eebad7a241e989d0ee2e6f7662c2571e5c45ba8d1829
SHA512:	0031646c662ad4f1082b7e711ac9b2b86190dd031a61fc7fdbeba4abc1fca4c9e2438c8c5c87ef34db3cd62c303e4aa711d4076675318e70aa70e641f752bc37
SSDEEP:	98304:Lb19ov2iGedTohSxtTs3fVd0lPhjp9oPYLEEibe9jIPIhiUgsPoTDBZ33CrKOk3o:XfoOACSxTlaGFjIeiUlPoTDBhgk4
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0......B......./... ........@.. .......................`... ..tT....@... .. .... .. .......... 0U....

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation
Multi AV Scanner detection for submitted file	AV Detection
Hides threads from debuggers	Anti Debugging	Security Software Discovery
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate
PE file has nameless sections	System Summary
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	OS Credential Dumping
Tries to steal Crypto Currency Wallets	Stealing of Sensitive Information	Data from Local System
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)	Lowering of HIPS / PFW / Operating System Security Settings
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops certificate files (DER)	E-Banking Fraud
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Binary may include packed or encrypted code	Data Obfuscation
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Parts of this applications are using Borland Delphi (Probably coded in Delphi)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\Public\Desktop\Google Chrome.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 13:16:50 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide

dropped

Details

File:	C:\Users\Public\Desktop\Google Chrome.lnk
Category:	dropped
Dump:	Google Chrome.lnk.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\e5oMWYWLig.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 13:16:50 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Entropy:	3.454252604942066
Encrypted:	false
Ssdeep:	48:8SM9l2dfTXd3RYrnvPdAKRkdAGdAKRFdAKRE:8SM9lOw
Size:	2104
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e5oMWYWLig.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e5oMWYWLig.exe.log
Category:	dropped
Dump:	e5oMWYWLig.exe.log.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\e5oMWYWLig.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.3318368586986695
Encrypted:	false
Ssdeep:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
Size:	3274
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
PE file has nameless sections	System Summary
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\TmpF32B.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\TmpF32B.tmp
Category:	dropped
Dump:	TmpF32B.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\e5oMWYWLig.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud
Creates temporary files	System Summary

C:\Users\user\AppData\Local\Temp\TmpF33B.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\TmpF33B.tmp
Category:	dropped
Dump:	TmpF33B.tmp.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\e5oMWYWLig.exe
Type:	data
Entropy:	7.8230547059446645
Encrypted:	false
Ssdeep:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
Size:	2662
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops certificate files (DER)	E-Banking Fraud

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
Category:	dropped
Dump:	76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\e5oMWYWLig.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	2251
Whitelisted:	true
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\e5oMWYWLig.exe

"C:\Users\user\Desktop\e5oMWYWLig.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5776
Target ID:	0
Parent PID:	1028
Name:	e5oMWYWLig.exe
Path:	C:\Users\user\Desktop\e5oMWYWLig.exe
Commandline:	"C:\Users\user\Desktop\e5oMWYWLig.exe"
Size:	6182064
MD5:	1C14867A6F2CD134302561E60DD2EF2E
Time:	06:56:48
Date:	02/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x3a0000
Modulesize:	28008448
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
PE file has nameless sections	System Summary
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
PE file contains an invalid checksum	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

URLs

Name

Malicious

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/sct

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk

unknown

https://duckduckgo.com/ac/?q=

unknown

http://tempuri.org/Entity/Id14ResponseD

unknown

http://tempuri.org/Entity/Id23ResponseD

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

unknown

http://tempuri.org/Entity/Id12Response

unknown

http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07

unknown

http://tempuri.org/

unknown

http://tempuri.org/Entity/Id2Response

unknown

http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr

unknown

http://tempuri.org/Entity/Id15V

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1

unknown

http://tempuri.org/Entity/Id21Response

unknown

http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap

unknown

http://tempuri.org/Entity/Id9

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID

unknown

http://tempuri.org/Entity/Id8

unknown

http://tempuri.org/Entity/Id6ResponseD

unknown

http://tempuri.org/Entity/Id5

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare

unknown

http://tempuri.org/Entity/Id4

unknown

http://tempuri.org/Entity/Id7

unknown

http://purl.oen

unknown

http://tempuri.org/Entity/Id6

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret

unknown

http://tempuri.org/Entity/Id19Response

unknown

http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

http://tempuri.org/Entity/Id13ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/fault

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat

unknown

http://Certera.crt.sectigo.com/CerteraCodeSigningCA.crt0

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey

unknown

http://tempuri.org/Entity/Id15Response

unknown

http://tempuri.org/Entity/Id5ResponseD

unknown

http://Certera.crl.sectigo.com/CerteraCodeSigningCA.crl0

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register

unknown

http://tempuri.org/Entity/Id6Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey

unknown

https://api.ip.sb/ip

unknown

http://schemas.xmlsoap.org/ws/2004/04/sc

unknown

http://tempuri.org/Entity/Id1ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel

unknown

http://tempuri.org/Entity/Id9Response

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://tempuri.org/Entity/Id20

unknown

http://tempuri.org/Entity/Id21

unknown

http://tempuri.org/Entity/Id22

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1

unknown

http://tempuri.org/Entity/Id23

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1

unknown

http://tempuri.org/Entity/Id24

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue

unknown

http://tempuri.org/Entity/Id24Response

unknown

https://www.ecosia.org/newtab/

unknown

http://tempuri.org/Entity/Id1Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey

unknown

http://tempuri.org/Entity/Id21ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust

unknown

http://tempuri.org/Entity/Id10

unknown

http://tempuri.org/Entity/Id11

unknown

http://tempuri.org/Entity/Id10ResponseD

unknown

http://tempuri.org/Entity/Id12

unknown

http://tempuri.org/Entity/Id16Response

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel

unknown

http://tempuri.org/Entity/Id13

unknown

http://tempuri.org/Entity/Id14

unknown

http://tempuri.org/Entity/Id15

unknown

http://tempuri.org/Entity/Id16

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce

unknown

http://tempuri.org/Entity/Id17

unknown

http://tempuri.org/Entity/Id18

unknown

http://tempuri.org/Entity/Id5Response

unknown

http://tempuri.org/Entity/Id19

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns

unknown

http://tempuri.org/Entity/Id15ResponseD

unknown

http://tempuri.org/Entity/Id10Response

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Renew

unknown

http://tempuri.org/Entity/Id11ResponseD

unknown

http://tempuri.org/Entity/Id8Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID

unknown

There are 90 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

65.108.19.51

unknown

United States

Details

IP:	65.108.19.51
TargetID:	0
Current Path:	C:\Users\user\Desktop\e5oMWYWLig.exe
Country:	United States
Countrycode:	USA
ASN number:	11022
ASN name:	ALABANZA-BALTUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064

Blob

Details

TargetID:	0
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064
Value name:	Blob
Value data:	0B 00 00 00 01 00 00 00 48 00 00 00 54 00 69 00 74 00 61 00 6E 00 69 00 75 00 6D 00 20 00 52 00 6F 00 6F 00 74 00 20 00 43 00 65 00 72 00 74 00 69 00 66 00 69 00 63 00 61 00 74 00 65 00 20 00 41 00 75 00 74 00 68 00 6F 00 72 00 69 00 74 00 79 00 00 00 02 00 00 00 01 00 00 00 CC 00 00 00 1C 00 00 00 6C 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 7B 00 34 00 31 00 37 00 34 00 34 00 42 00 45 00 34 00 2D 00 31 00 31 00 43 00 35 00 2D 00 34 00 39 00 34 00 43 00 2D 00 41 00 32 00 31 00 33 00 2D 00 42 00 41 00 30 00 43 00 45 00 39 00 34 00 34 00 39 00 33 00 38 00 45 00 7D 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 45 00 6E 00 68 00 61 00 6E 00 63 00 65 00 64 00 20 00 43 00 72 00 79 00 70 00 74 00 6F 00 67 00 72 00 61 00 70 00 68 00 69 00 63 00 20 00 50 00 72 00 6F 00 76 00 69 00 64 00 65 00 72 00 20 00 76 00 31 00 2E 00 30 00 00 00 00 00 03 00 00 00 01 00 00 00 14 00 00 00 F1 A5 78 C4 CB 5D E7 9A 37 08 93 98 3F D4 DA 8B 67 B2 B0 64 20 00 00 00 01 00 00 00 0A 03 00 00 30 82 03 06 30 82 01 EE A0 03 02 01 02 02 08 67 F7 BE B9 6A 4C 27 98 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 1E 17 0D 32 33 30 33 31 34 31 30 33 35 32 30 5A 17 0D 32 36 30 36 31 37 31 30 33 35 32 30 5A 30 2E 31 2C 30 2A 06 03 55 04 03 0C 23 54 69 74 61 6E 69 75 6D 20 52 6F 6F 74 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 86 E4 57 7A 58 61 CE 81 91 77 D0 05 FA 51 D5 51 5A 93 6C 61 0C CF CB DE 53 32 CD 15 1D A6 47 EE 88 1A 24 5C 9B 02 83 3B 02 AF 3D 76 FE 20 BD 3B FA F7 A2 09 73 E7 2E BD 94 40 D0 9D 8C 3D 27 13 BD F0 D0 9F EB 95 32 AC D7 A4 2D A2 A9 52 DA A8 6A 2A 88 EE 42 7D 30 95 9D 90 BF BA 05 27 6A A0 29 98 A6 98 6F C0 13 06 62 9B 79 B8 40 5D 1F 1F A6 D9 A4 2F 82 7A FC 75 66 34 0D C2 DE 27 01 2B 94 BB 4A 27 B3 CB 1C 21 9A 3C B2 C1 42 03 F3 44 51 BD 62 65 20 ED D4 DB CC 41 4F 59 3F 2A CB C4 84 79 F7 14 3C BE 13 9C FD 12 9C 91 3E 53 03 DC 20 F9 4C 44 35 89 01 B6 9A 84 8D 7E A0 2E 30 8A 31 15 60 AC 00 AE 00 9A 29 10 9A EE D9 71 3D D8 91 9B 97 ED 59 80 58 E1 7F 07 26 C7 A0 20 F7 10 AB C0 62 91 DF AA F1 81 C6 BE 6A 76 C8 9C B6 8E B0 B0 EC 1C D9 5F 32 6C 7E 55 58 8B FD 76 C5 19 02 03 01 00 01 A3 28 30 26 30 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 03 82 01 01 00 70 85 12 93 D7 57 E9 82 79 7D C5 F7 F2 7D A8 94 EF 0C DB 32 9F 06 A6 09 6E 0C F6 04 B0 E5 47 11 56 0E F4 0F 52 82 08 2E 21 0F 55 A3 DB 41 F3 12 54 8B 76 11 F5 F0 DA CE A3 C7 8B 13 F6 FC 24 3C 02 B1 06 66 5B E6 9E 18 40 88 41 5B 27 39 99 B8 77 BE E3 53 A2 48 CE C7 EE B5 A0 95 C2 17 4B C9 52 6C AF E3 37 2C 59 DB FB E7 58 13 4E D3 51 E5 14 72 73 FE C6 85 77 AE 45 52 A6 F9 9A C8 0C A8 D0 EE 42 2A F5 28 85 8C 6B E8 1C B0 A8 03 1A B0 AE 83 C0 EB 55 64 F4 E8 7A 5C 06 29 5D 39 03 EE E2 FD F9 2D 62 A7 F4 D4 05 4D EA A7 9B CA EB DA 4E 8B 1A 6E FD 42 AE F9 D0 1C 70 75 72 8C B1 3A A8 55 7C 85 A7 25 32 B5 E2 D6 C3 E5 50 41 C9 86 7C A8 F5 62 BB D2 AB 0C 37 10 D8 31 73 EC 37 81 D1 DC AA C5 C6 E0 7E E7 26 62 4D FD C5 81 4C FF D3 36 E1 79 32 F8 9B EB 9C F7 FD BE E9 BE BF 61

Signature Hits	Behavior Group	Mitre Attack
Installs new ROOT certificates	Persistence and Installation Behavior	Install Root Certificate

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFiles0000

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

RegFilesHash

Memdumps

Base Address

Regiontype

Protect

Malicious

3A2000

unkown

page execute and read and write

5881000

trusted library allocation

page read and write

9710000

trusted library allocation

page read and write

6CA2000

trusted library allocation

page read and write

25A3000

heap

page read and write

A8F0000

heap

page read and write

7C30000

heap

page read and write

7A80000

trusted library allocation

page read and write

6A93000

trusted library allocation

page read and write

A560000

heap

page read and write

18F0000

unkown

page execute and write copy

2480000

heap

page read and write

4D5C000

stack

page read and write

801E000

stack

page read and write

4490000

direct allocation

page execute and read and write

96CB000

trusted library allocation

page read and write

9C00000

trusted library allocation

page read and write

68B1000

trusted library allocation

page read and write

5AF4000

trusted library allocation

page read and write

6AE0000

trusted library allocation

page read and write

6A9A000

trusted library allocation

page read and write

5B45000

trusted library allocation

page read and write

9647000

trusted library allocation

page read and write

5E70000

trusted library allocation

page read and write

5C3F000

trusted library allocation

page read and write

5C2A000

trusted library allocation

page read and write

5CCF000

trusted library allocation

page read and write

6A35000

trusted library allocation

page read and write

11CD000

unkown

page execute and read and write

6AC3000

trusted library allocation

page read and write

A690000

trusted library allocation

page read and write

4960000

direct allocation

page execute and read and write

298E000

stack

page read and write

5670000

heap

page read and write

68E9000

trusted library allocation

page read and write

5BEB000

trusted library allocation

page read and write

A630000

trusted library allocation

page read and write

4C96000

trusted library allocation

page execute and read and write

7C9E000

stack

page read and write

ABBE000

stack

page read and write

96C5000

trusted library allocation

page read and write

A652000

trusted library allocation

page read and write

6C4F000

trusted library allocation

page read and write

A910000

heap

page read and write

90C0000

trusted library allocation

page execute and read and write

7A90000

trusted library allocation

page read and write

6D58000

trusted library allocation

page read and write

A640000

trusted library allocation

page read and write

45F0000

heap

page read and write

1F50000

heap

page read and write

A6CB000

trusted library allocation

page read and write

26B6000

heap

page read and write

6D0C000

trusted library allocation

page read and write

9635000

trusted library allocation

page read and write

6AAA000

trusted library allocation

page read and write

AB00000

trusted library allocation

page execute and read and write

598A000

trusted library allocation

page read and write

6CC2000

trusted library allocation

page read and write

4130000

direct allocation

page execute and read and write

A4CB000

heap

page read and write

5BD8000

trusted library allocation

page read and write

6ABE000

trusted library allocation

page read and write

5EEA000

trusted library allocation

page read and write

5DBD000

trusted library allocation

page read and write

7AD0000

trusted library allocation

page execute and read and write

59F7000

trusted library allocation

page read and write

9BDE000

stack

page read and write

5B2E000

trusted library allocation

page read and write

4D10000

heap

page read and write

59D1000

trusted library allocation

page read and write

8028000

trusted library allocation

page read and write

962F000

stack

page read and write

5BE1000

trusted library allocation

page read and write

6D77000

trusted library allocation

page read and write

5A50000

trusted library allocation

page read and write

4D0E000

stack

page read and write

425D000

trusted library allocation

page execute and read and write

68F9000

trusted library allocation

page read and write

5DDC000

trusted library allocation

page read and write

6CBE000

trusted library allocation

page read and write

AC3E000

stack

page read and write

5600000

trusted library allocation

page read and write

6881000

trusted library allocation

page read and write

A548000

heap

page read and write

7A85000

trusted library allocation

page read and write

5D95000

trusted library allocation

page read and write

1FFE000

stack

page read and write

A4B0000

heap

page read and write

A527000

heap

page read and write

5DE0000

trusted library allocation

page read and write

5AAB000

trusted library allocation

page read and write

AB10000

heap

page read and write

5610000

heap

page execute and read and write

688F000

trusted library allocation

page read and write

A8E0000

heap

page read and write

5ACB000

trusted library allocation

page read and write

3DA000

unkown

page execute and write copy

5B39000

trusted library allocation

page read and write

5ABA000

trusted library allocation

page read and write

5EAF000

trusted library allocation

page read and write

96B0000

trusted library allocation

page read and write

6CAF000

trusted library allocation

page read and write

68E4000

trusted library allocation

page read and write

4AAB000

direct allocation

page execute and read and write

6C98000

trusted library allocation

page read and write

6D25000

trusted library allocation

page read and write

7C50000

heap

page execute and read and write

7F840000

trusted library allocation

page execute and read and write

24CE000

heap

page read and write

23F7000

stack

page read and write

A67A000

trusted library allocation

page read and write

4280000

heap

page read and write

5C18000

trusted library allocation

page read and write

26AD000

heap

page read and write

6CEE000

trusted library allocation

page read and write

59C4000

trusted library allocation

page read and write

A64B000

trusted library allocation

page read and write

5AB3000

trusted library allocation

page read and write

5EDD000

trusted library allocation

page read and write

967B000

trusted library allocation

page read and write

1FAE000

stack

page read and write

6A41000

trusted library allocation

page read and write

6993000

trusted library allocation

page read and write

4CA5000

trusted library allocation

page execute and read and write

A58F000

heap

page read and write

6CC7000

trusted library allocation

page read and write

5AA8000

trusted library allocation

page read and write

999C000

stack

page read and write

4A60000

direct allocation

page execute and read and write

A680000

trusted library allocation

page read and write

B41E000

stack

page read and write

1EE9000

stack

page read and write

6A62000

trusted library allocation

page read and write

6AB3000

trusted library allocation

page read and write

6AB0000

trusted library allocation

page read and write

6B04000

trusted library allocation

page read and write

55E0000

trusted library allocation

page read and write

6AE6000

trusted library allocation

page read and write

AC7E000

stack

page read and write

9900000

trusted library allocation

page read and write

5B4A000

trusted library allocation

page read and write

6963000

trusted library allocation

page read and write

68B3000

trusted library allocation

page read and write

98F0000

trusted library allocation

page read and write

5D84000

trusted library allocation

page read and write

50A000

unkown

page execute and read and write

4860000

direct allocation

page execute and read and write

6910000

trusted library allocation

page read and write

ABFE000

stack

page read and write

4CA2000

trusted library allocation

page read and write

6C88000

trusted library allocation

page read and write

A6A0000

trusted library allocation

page read and write

6C7B000

trusted library allocation

page read and write

1F55000

heap

page read and write

5CE9000

trusted library allocation

page read and write

690A000

trusted library allocation

page read and write

AB20000

trusted library allocation

page execute and read and write

9760000

trusted library allocation

page execute and read and write

24E5000

heap

page read and write

5CB9000

trusted library allocation

page read and write

5CDC000

trusted library allocation

page read and write

6D51000

trusted library allocation

page read and write

6C8D000

trusted library allocation

page read and write

6AA7000

trusted library allocation

page read and write

6928000

trusted library allocation

page read and write

9920000

trusted library allocation

page read and write

5EB9000

trusted library allocation

page read and write

7FDE000

stack

page read and write

3D6000

unkown

page readonly

AB30000

trusted library allocation

page read and write

5E7C000

trusted library allocation

page read and write

9692000

trusted library allocation

page read and write

A66A000

trusted library allocation

page read and write

6D19000

trusted library allocation

page read and write

5D23000

trusted library allocation

page read and write

2440000

heap

page read and write

59F0000

trusted library allocation

page read and write

4C9A000

trusted library allocation

page execute and read and write

4AA8000

direct allocation

page execute and read and write

9940000

trusted library allocation

page read and write

5646000

trusted library allocation

page read and write

5D0D000

trusted library allocation

page read and write

96E0000

trusted library allocation

page read and write

24B0000

heap

page read and write

7AC0000

trusted library allocation

page read and write

4760000

direct allocation

page execute and read and write

533F000

stack

page read and write

5E89000

trusted library allocation

page read and write

7EC8000

heap

page read and write

91CE000

stack

page read and write

5D02000

trusted library allocation

page read and write

1F60000

heap

page read and write

26A2000

heap

page read and write

6CB5000

trusted library allocation

page read and write

5B3000

unkown

page execute and read and write

A650000

trusted library allocation

page read and write

553E000

stack

page read and write

AC90000

trusted library allocation

page read and write

5ED0000

trusted library allocation

page read and write

5C34000

trusted library allocation

page read and write

901F000

stack

page read and write

969E000

trusted library allocation

page read and write

6A6D000

trusted library allocation

page read and write

6C69000

trusted library allocation

page read and write

6D46000

trusted library allocation

page read and write

5620000

trusted library allocation

page read and write

9770000

trusted library allocation

page execute and read and write

96C0000

trusted library allocation

page read and write

6D07000

trusted library allocation

page read and write

B07E000

stack

page read and write

68EE000

trusted library allocation

page read and write

6C5C000

trusted library allocation

page read and write

69A8000

trusted library allocation

page read and write

9B9C000

stack

page read and write

59E5000

trusted library allocation

page read and write

A698000

trusted library allocation

page read and write

5DEC000

trusted library allocation

page read and write

9030000

trusted library allocation

page read and write

A4B7000

heap

page read and write

5BA1000

trusted library allocation

page read and write

4C90000

trusted library allocation

page read and write

6917000

trusted library allocation

page read and write

5CB0000

trusted library allocation

page read and write

5E26000

trusted library allocation

page read and write

59DE000

trusted library allocation

page read and write

6D5D000

trusted library allocation

page read and write

5927000

trusted library allocation

page read and write

6CFE000

trusted library allocation

page read and write

55F0000

trusted library allocation

page read and write

6AED000

trusted library allocation

page read and write

26A7000

heap

page read and write

45E0000

heap

page read and write

6926000

trusted library allocation

page read and write

5EB4000

trusted library allocation

page read and write

5A2B000

trusted library allocation

page read and write

6CA8000

trusted library allocation

page read and write

6AA0000

trusted library allocation

page read and write

6D04000

trusted library allocation

page read and write

5B27000

trusted library allocation

page read and write

6D3F000

trusted library allocation

page read and write

A926000

heap

page read and write

4270000

trusted library allocation

page read and write

5C2F000

trusted library allocation

page read and write

A4F3000

heap

page read and write

6A7E000

trusted library allocation

page read and write

68DD000

trusted library allocation

page read and write

6D12000

trusted library allocation

page read and write

5AD8000

trusted library allocation

page read and write

5ADD000

trusted library allocation

page read and write

6903000

trusted library allocation

page read and write

6A89000

trusted library allocation

page read and write

4C8E000

stack

page read and write

8E1F000

stack

page read and write

2586000

heap

page read and write

9740000

trusted library allocation

page read and write

6D62000

trusted library allocation

page read and write

3DA000

unkown

page execute and read and write

694A000

trusted library allocation

page read and write

698E000

trusted library allocation

page read and write

24C0000

heap

page read and write

6977000

trusted library allocation

page read and write

6CD1000

trusted library allocation

page read and write

A589000

heap

page read and write

5C79000

trusted library allocation

page read and write

5AE8000

trusted library allocation

page read and write

5E66000

trusted library allocation

page read and write

5C4B000

trusted library allocation

page read and write

A668000

trusted library allocation

page read and write

A67F000

trusted library allocation

page read and write

A6D0000

heap

page read and write

5E96000

trusted library allocation

page read and write

6933000

trusted library allocation

page read and write

9BF0000

trusted library allocation

page read and write

6A79000

trusted library allocation

page read and write

7F8A0000

direct allocation

page execute and read and write

A648000

trusted library allocation

page read and write

4CC0000

trusted library allocation

page read and write

2450000

direct allocation

page execute and read and write

A6C0000

trusted library allocation

page read and write

A66F000

trusted library allocation

page read and write

5C04000

trusted library allocation

page read and write

9950000

trusted library allocation

page execute and read and write

5E9D000

trusted library allocation

page read and write

9700000

trusted library allocation

page read and write

881E000

stack

page read and write

18F3000

unkown

page execute and write copy

A4AC000

stack

page read and write

6D0A000

trusted library allocation

page read and write

4C92000

trusted library allocation

page read and write

5DD6000

trusted library allocation

page read and write

5EE8000

trusted library allocation

page read and write

3A0000

unkown

page readonly

5D8E000

trusted library allocation

page read and write

5E5D000

trusted library allocation

page read and write

699F000

trusted library allocation

page read and write

9020000

trusted library allocation

page read and write

1F40000

heap

page read and write

5DA3000

trusted library allocation

page read and write

7C40000

trusted library allocation

page execute and read and write

6A5B000

trusted library allocation

page read and write

692E000

trusted library allocation

page read and write

4285000

heap

page read and write

5AB7000

trusted library allocation

page read and write

93CE000

stack

page read and write

4240000

trusted library allocation

page read and write

5AC0000

trusted library allocation

page read and write

96F0000

trusted library allocation

page read and write

4660000

direct allocation

page execute and read and write

4254000

trusted library allocation

page read and write

5C11000

trusted library allocation

page read and write

6989000

trusted library allocation

page read and write

9649000

trusted library allocation

page read and write

9686000

trusted library allocation

page read and write

2668000

heap

page read and write

5EA8000

trusted library allocation

page read and write

A684000

trusted library allocation

page read and write

587E000

stack

page read and write

2691000

heap

page read and write

6956000

trusted library allocation

page read and write

4250000

trusted library allocation

page read and write

5B61000

trusted library allocation

page read and write

A6B0000

trusted library allocation

page read and write

4A93000

direct allocation

page execute and read and write

6AF9000

trusted library allocation

page read and write

4260000

heap

page read and write

97D0000

trusted library allocation

page execute and read and write

6D6D000

trusted library allocation

page read and write

A4E2000

heap

page read and write

9930000

trusted library allocation

page execute and read and write

3A0000

unkown

page readonly

A59F000

heap

page read and write

691A000

trusted library allocation

page read and write

59FD000

trusted library allocation

page read and write

428E000

heap

page read and write

9BF5000

trusted library allocation

page read and write

942E000

stack

page read and write

6C70000

trusted library allocation

page read and write

6A4E000

trusted library allocation

page read and write

5CFB000

trusted library allocation

page read and write

B2E0000

heap

page read and write

269B000

heap

page read and write

5BE9000

trusted library allocation

page read and write

4CA7000

trusted library allocation

page execute and read and write

A675000

trusted library allocation

page read and write

5DCF000

trusted library allocation

page read and write

5CF0000

trusted library allocation

page read and write

7EC3000

heap

page read and write

260E000

heap

page read and write

5BF7000

trusted library allocation

page read and write

564D000

trusted library allocation

page read and write

4CAB000

trusted library allocation

page execute and read and write

68A2000

trusted library allocation

page read and write

6CF4000

trusted library allocation

page read and write

6A13000

trusted library allocation

page read and write

A655000

trusted library allocation

page read and write

A57D000

heap

page read and write

9C5B000

stack

page read and write

6982000

trusted library allocation

page read and write

68D2000

trusted library allocation

page read and write

3A2000

unkown

page execute and write copy

4D13000

heap

page read and write

97C0000

trusted library allocation

page execute and read and write

8020000

trusted library allocation

page read and write

9640000

trusted library allocation

page read and write

9C60000

trusted library allocation

page execute and read and write

A4D1000

heap

page read and write

7E9E000

stack

page read and write

8C1E000

stack

page read and write

9681000

trusted library allocation

page read and write

A5AC000

heap

page read and write

6D32000

trusted library allocation

page read and write

6B10000

trusted library allocation

page read and write

87DE000

stack

page read and write

6AFC000

trusted library allocation

page read and write

427D000

trusted library allocation

page execute and read and write

A558000

heap

page read and write

6A33000

trusted library allocation

page read and write

5D97000

trusted library allocation

page read and write

5D29000

trusted library allocation

page read and write

5624000

trusted library allocation

page read and write

5B40000

trusted library allocation

page read and write

5DB0000

trusted library allocation

page read and write

6C82000

trusted library allocation

page read and write

68CB000

trusted library allocation

page read and write

6B23000

trusted library allocation

page read and write

5EEE000

trusted library allocation

page read and write

5548000

trusted library allocation

page read and write

B2BE000

stack

page read and write

524000

unkown

page execute and read and write

45D0000

heap

page read and write

5D19000

trusted library allocation

page read and write

5AA5000

trusted library allocation

page read and write

45CE000

stack

page read and write

6923000

trusted library allocation

page read and write

6AFE000

trusted library allocation

page read and write

562B000

trusted library allocation

page read and write

6AF6000

trusted library allocation

page read and write

25BD000

heap

page read and write

7AB0000

trusted library allocation

page read and write

68A5000

trusted library allocation

page read and write

25AF000

heap

page read and write

7AC2000

trusted library allocation

page read and write

5641000

trusted library allocation

page read and write

9750000

trusted library allocation

page read and write

885E000

stack

page read and write

6C2C000

trusted library allocation

page read and write

96A1000

trusted library allocation

page read and write

6C43000

trusted library allocation

page read and write

5E6E000

trusted library allocation

page read and write

5660000

trusted library allocation

page read and write

18F3000

unkown

page execute and read and write

A900000

heap

page read and write

6AB6000

trusted library allocation

page read and write

5EC4000

trusted library allocation

page read and write

6CFB000

trusted library allocation

page read and write

5DF7000

trusted library allocation

page read and write

4253000

trusted library allocation

page execute and read and write

59B7000

trusted library allocation

page read and write

5AD2000

trusted library allocation

page read and write

5D1E000

trusted library allocation

page read and write

4D60000

trusted library allocation

page execute and read and write

B61E000

stack

page read and write

9638000

trusted library allocation

page read and write

4CA0000

trusted library allocation

page read and write

5B56000

trusted library allocation

page read and write

5D07000

trusted library allocation

page read and write

6AB9000

trusted library allocation

page read and write

9645000

trusted library allocation

page read and write

9630000

trusted library allocation

page read and write

448E000

stack

page read and write

AB7D000

stack

page read and write

563E000

trusted library allocation

page read and write

9C70000

trusted library allocation

page read and write

5B1A000

trusted library allocation

page read and write

4D70000

heap

page read and write

6A74000

trusted library allocation

page read and write

7A7C000

stack

page read and write

4267000

heap

page read and write

25E0000

heap

page read and write

6920000

trusted library allocation

page read and write

9910000

trusted library allocation

page read and write

A659000

trusted library allocation

page read and write

6CB9000

trusted library allocation

page read and write

5DC4000

trusted library allocation

page read and write

96CE000

trusted library allocation

page read and write

A8DD000

stack

page read and write

5D4D000

trusted library allocation

page read and write

6CC4000

trusted library allocation

page read and write

69C3000

trusted library allocation

page read and write

96D0000

trusted library allocation

page read and write

2518000

heap

page read and write

B27E000

stack

page read and write

963A000

trusted library allocation

page read and write

68BE000

trusted library allocation

page read and write

9670000

trusted library allocation

page read and write

A517000

heap

page read and write

7EB2000

heap

page read and write

90E0000

trusted library allocation

page execute and read and write

6AF0000

trusted library allocation

page read and write

6CCD000

trusted library allocation

page read and write

4AA0000

direct allocation

page execute and read and write

5C23000

trusted library allocation

page read and write

There are 452 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
e5oMWYWLig.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporte5oMWYWLig.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
e5oMWYWLig.exe